The AP1000 provides multiple levels of defense for accident mitigation (defense-in-depth), resulting in extremely low core-damage probabilities while minimizing the occurrences of containment flooding, pressurization, and heat-up. Defense-in-depth is integral to the AP1000 design, with a multitude of individual plant features including the selection of appropriate materials; quality assurance during design and construction; well-trained operators; and an advanced control system and plant design that provide substantial margins for plant operation before approaching safety limits. In addition to these protections, the following features contribute to defense-in-depth of the AP1000:

  • Non-safety Systems. The non-safety-related systems respond to the day-to-day plant transients, or fluctuations in plant conditions. For events that could lead to overheating of the core, these highly reliable non-safety systems actuate automatically to provide a first level of defense to reduce the likelihood of unnecessary actuation and operation of the safety-related systems.
  • Passive Safety-Related Systems. The AP1000 safety-related passive systems and equipment are sufficient to automatically establish and maintain core cooling and containment integrity indefinitely following design-basis events, assuming the most limiting single failure, with no operator action and no on-site or off-site ac power sources. An additional level of defense is provided through diverse mitigation functions that are included within the passive safety-related systems.
  • In-vessel Retention of Core Damage. The AP1000 is designed to drain the high-capacity in-containment refueling water storage tank (IRWST) water into the reactor cavity in the event that the core has overheated. This provides cooling on the outside of the reactor vessel, preventing reactor vessel failure and the subsequent spilling of molten core debris into the containment. Retention of debris in the vessel significantly reduces uncertainty in the assessment of containment failure and radioactive release to the environment due to ex-vessel severe accident phenomena such as the interaction of molten core material with concrete.
  • Fission Product Release. Fuel cladding provides the first barrier to the release of radiation in the highly unlikely event of an accident. The reactor coolant pressure boundary, in particular the reactor pressure vessel and the reactor coolant piping, provides an independent second barrier to prevent the release of radiation. Furthermore, in conjunction with the surrounding shield building, the steel containment vessel provides additional protection by establishing a third barrier and by providing natural convection air currents to cool the steel containment. The natural convection cooling can be enhanced with evaporative cooling by allowing water to drain from a large tank located at the top of the shield building onto the steel containment.

The AP1000 passive safety systems require no operator actions to mitigate design-basis accidents.

These systems use only natural forces such as gravity, natural circulation and compressed gas to achieve their safety function. No pumps, fans, diesels, chillers or other active machinery are used, except for a few simple valves that automatically align and actuate the passive safety systems. To provide high reliability, these valves are designed to move to their safeguard positions upon loss of power or upon receipt of a safeguard actuation signal, a single move powered by multiple, reliable Class 1E dc power batteries. The passive safety systems do not require the large network of active safety support systems (ac power, diesels, HVAC, pumped cooling water) that are needed in typical nuclear plants. As a result, in the case of the AP1000, those active support systems no longer need to be safety class, and they are either simplified or eliminated. With less safety-grade equipment, the seismic Category 1 building volumes needed to house safety-grade equipment are greatly reduced. In fact, most of the safety equipment can now be located within containment, resulting in fewer containment penetrations.

The AP1000 passive safety systems include:

  • Passive core cooling system (PXS)
  • Containment isolation
  • Passive containment cooling system (PCS)
  • Main control room emergency habitability system

Passive Core Cooling System

The AP1000 passive core cooling system (PXS) performs two major functions:

1. Safety injection and reactor coolant makeup from the following sources:

  • Core makeup tanks (CMTs)
  • Accumulators
  • In-containment refueling water storage tank (IRWST)
  • In-containment passive long-term recirculation

2. Passive residual heat removal (PRHR) utilizing:

  • Passive residual heat removal heat exchanger (PRHR HX)
  • IRWST

Safety injection sources are connected directly to two nozzles dedicated for this purpose on the reactor vessel. These connections, which have been used before on two-loop plants, reduce the possibility of spilling part of the injection flow in a large break loss-of-coolant accident.

High Pressure Safety Injection with CMTs

Core makeup tanks (CMTs) are called upon following transients where the normal makeup system is inadequate or unavailable. Two CMTs filled with borated water, arranged in two parallel trains, are designed to function at any reactor coolant system (RCS) pressure using only gravity, with the temperature and height differences relative to the reactor coolant system cold leg as the motivating forces. These tanks are designed for full RCS pressure and are located above the RCS loop piping. If the water level or pressure in the pressurizer falls to a set low value, the reactor and the reactor coolant pumps are tripped and the CMT discharge isolation valves open automatically. The water from the CMTs first recirculates and then flows by gravity through the reactor vessel.

Medium Pressure Safety Injection with Accumulators

As with current pressurized water reactors, accumulators are required for large loss-of-coolant accidents (LOCAs) to meet the immediate need for higher initial makeup flows to refill the reactor vessel lower plenum and downcomer following RCS blowdown. The accumulators are pressurized to 700 psig with nitrogen gas. The pressure differential between the pressurized accumulators and the dropping RCS pressure ultimately forces open check valves that normally isolate the accumulators from the RCS. Two accumulators in two parallel trains are sized to respond to the complete severance of the largest RCS pipe by rapidly refilling the vessel downcomer and lower plenum. The accumulators continue delivery to supplement the CMTs in maintaining water coverage of the core.

Low Pressure Reactor Coolant Makeup from the IRWST

Long-term injection water is supplied by gravity from the large IRWST, which is located inside the containment at a height above the RCS loops. This tank is at atmospheric pressure and, as a result, the RCS must be depressurized before injection can occur. The AP1000 automatically controls depressurization of the RCS to reduce its pressure to near atmospheric pressure, at which point the gravity head in the IRWST is sufficient to overcome the small RCS pressure and the pressure loss in the injection lines to provide IRWST water to the reactor.

Passive Residual Heat Removal

The AP1000 has a passive residual heat removal (PRHR) subsystem that protects the plant against transients that upset the normal heat removal from the primary system by the steam generator feedwater and steam systems. The passive RHR subsystem satisfies the U.S. NRC safety criteria for loss of feedwater, feedwater-line breaks, and steam-line breaks with a single failure.

The system includes the passive RHR heat exchanger, consisting of a 100-percent capacity bank of tubes located within the IRWST. This heat exchanger is connected to the reactor coolant system in a natural circulation loop. The loop is isolated from the RCS by valves that are normally closed, but will open if power is lost or upon other signals from the instrumentation and control protection system. The temperature difference and the elevation difference between the hot inlet water and the cold outlet water of the heat exchanger drive the natural circulation loop. If the reactor coolant pumps are running, the flow through the passive RHR heat exchanger is increased.

The IRWST is the heat sink for the passive RHR heat exchanger. The IRWST water volume is sufficient to absorb decay heat for about two hours before the water starts to boil. After that, the steam from the boiling IRWST condenses on the steel containment vessel walls and then drains back into the IRWST by specially designed gutters.

Automatic Depressurization System

The automatic depressurization system (ADS) depressurizes the reactor coolant system (RCS) and enables lower pressure safety injection water to enter the reactor vessel and the core. It is activated by a level setpoint in the core makeup tank (CMT). The ADS comprises three stages of motor-operated valves (MOVs) located above the pressurizer, and a fourth stage connected to the RCS hot legs and controlled by squib valves, which open by the actuation of an explosive charge. The first three stages of MOVs are arranged in six parallel sets (two normally closed valves in series). These MOVs are actuated on two-out-of-four actuation signals. The fourth stage of this system consists of four large valves, in two pairs that open off the hot legs, reducing the pressure to atmospheric and allowing gravity injection from the IRWST. This eventually evolves into a long-term cooling mode with containment sump recirculation.

The ADS valves are arranged to open in a prescribed sequence determined by the core makeup tank (CMT) level and a sequence timer.

The automatic RCS depressurization feature meets the following criteria:

  • The reliability (redundancy and diversity) of the ADS valves and controls satisfies the single failure criterion as well as the failure tolerance called for by the low core-damage frequency goals.
  • The design provides for both real demands (i.e., RCS leaks and failure of the chemical and volume control system (CVS) makeup pumps) and spurious instrumentation signals. The probability of significant flooding of the containment due to the use of the ADS is less than once in 600 years. The design is such that for small-break loss-of-coolant accidents (LOCAs) up to eight inches (20.32 cm) in diameter, the core remains covered.
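The two-out-of-four actuation vote and the series/parallel valve arrangement described for the ADS, checked against the single-failure criterion listed above, as an added illustrative model. This is not Westinghouse's protection logic; the channel count, the vote threshold and two parallel sets per stage are assumptions made for the example.

```python
# Constructed model of the ADS actuation arrangement described above.
# Assumed, not AP1000 design data: 4 sensor channels with a 2-out-of-4 vote,
# and each ADS stage as parallel sets of two normally closed series valves.

CHANNELS = 4
VOTE_NEEDED = 2
SETS_PER_STAGE = 2  # assumption: the six sets spread over three MOV stages

def two_out_of_four(trips):
    """Actuation signal is present when at least two of four channels trip."""
    return sum(bool(t) for t in trips) >= VOTE_NEEDED

def stage_open(sets):
    """A stage depressurizes if any parallel set has both series valves open."""
    return any(a and b for a, b in sets)

def stage_valves(actuated, failed=None):
    """Valve positions of one stage after an actuation decision.
    failed=(set_idx, valve_idx, position) forces one valve to a position,
    modelling a single valve stuck closed or opened spuriously."""
    sets = [[actuated, actuated] for _ in range(SETS_PER_STAGE)]
    if failed is not None:
        s, v, pos = failed
        sets[s][v] = pos
    return [tuple(p) for p in sets]

def vote_single_failure_tolerant():
    """No single channel failure (stuck tripped or stuck healthy) may block
    a real demand or, on its own, produce a spurious actuation."""
    for ch in range(CHANNELS):
        for stuck in (True, False):
            demand = [i != ch or stuck for i in range(CHANNELS)]
            quiet = [i == ch and stuck for i in range(CHANNELS)]
            if not two_out_of_four(demand) or two_out_of_four(quiet):
                return False
    return True

def stage_single_failure_tolerant():
    """No single valve stuck closed may defeat a demanded opening, and no
    single valve opening spuriously may depressurize the RCS."""
    for s in range(SETS_PER_STAGE):
        for v in range(2):
            if not stage_open(stage_valves(True, (s, v, False))):
                return False
            if stage_open(stage_valves(False, (s, v, True))):
                return False
    return True
```

Dropping SETS_PER_STAGE to 1 shows why the parallel sets matter: a single valve stuck closed then blocks the whole stage and the stage check fails.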