The AP1000 provides multiple levels of defense for accident mitigation (defense-in-depth), resulting in extremely low core-damage probabilities while minimizing the occurrences of containment flooding, pressurization, and heat-up. Defense-in-depth is integral to the AP1000 design, with a multitude of individual plant features including the selection of appropriate materials; quality assurance during design and construction; well-trained operators; and an advanced control system and plant design that provide substantial margins for plant operation before approaching safety limits. In addition to these protections, the following features contribute to defense-in-depth of the AP1000:
The AP1000 passive safety systems require no operator actions to mitigate design-basis accidents.
These systems use only natural forces such as gravity, natural circulation and compressed gas to achieve their safety function. No pumps, fans, diesels, chillers or other active machinery are used, except for a few simple valves that automatically align and actuate the passive safety systems. To provide high reliability, these valves are designed to move to their safeguard positions upon loss of power or upon receipt of a safeguard actuation signal- a single move powered by multiple, reliable Class 1E dc power batteries. The passive safety systems do not require the large network of active safety support systems (ac power, diesels, HVAC, pumped cooling water) that are needed in typical nuclear plants. As a result, in the case of the AP1000, those active support systems no longer must be safety class, and they are either simplified or eliminated. With less safety-grade equipment, the seismic Category 1 building volumes needed to house safety-grade equipment are greatly reduced. In fact, most of the safety equipment can now be located within containment, resulting in fewer containment penetrations.
The AP1000 passive safety systems include:
Passive Core Cooling System
The AP1000 passive core cooling system (PXS) performs two major functions:
1. Safety injection and reactor coolant makeup from the following sources:
2. Passive residual heat removal (PRHR) utilizing:
Safety injection sources are connected directly to two nozzles dedicated for this purpose on the reactor vessel. These connections, which have been used before on two-loop plants, reduce the possibility of spilling part of the injection flow in a large break loss-of-coolant accident.
High Pressure Safety Injection with CMTs
Core makeup tanks (CMTs) are called upon following transients where the normal makeup system is inadequate or is unavailable. Two core makeup tanks (CMTs) filled with borated water in two parallel trains are designed to function at any reactor coolant system (RCS) pressure using only gravity, and the temperature and height differences from the reactor coolant system cold leg as the motivating forces. These tanks are designed for full RCS pressure and are located above the RCS loop piping. If the water level or pressure in the pressurizer reaches a set low level, the reactor, as well as the reactor coolant pumps, are tripped and the CMT discharge isolation valves open automatically. The water from the CMTs recirculates then flows by gravity through the reactor vessel.
Medium Pressure Safety Injection with Accumulators
As with current pressurized water reactors, accumulators are required for large loss-of-coolant accidents (LOCAs) to meet the immediate need for higher initial makeup flows to refill the reactor vessel lower plenum and downcomer following RCS blowdown. The accumulators are pressurized to 700 psig with nitrogen gas. The pressure differential between the pressurized accumulators and the dropping RCS pressure ultimately forces open check valves that normally isolate the accumulators from the RCS. Two accumulators in two parallel trains are sized to respond to the complete severance of the largest RCS pipe by rapidly refilling the vessel downcomer and lower plenum. The accumulators continue delivery to supplement the CMTs in maintaining water coverage of the core.
Low Pressure Reactor Coolant Makeup from the IRWST
Long-term injection water is supplied by gravity from the large IRWST, which is located inside the containment at a height above the RCS loops. This tank is at atmospheric pressure and, as a result, the RCS must be depressurized before injection can occur. The AP1000 automatically controls depressurization of the RCS to reduce its pressure to near atmospheric pressure, at which point the gravity head in the IRWST is sufficient to overcome the small RCS pressure and the pressure loss in the injection lines to provide IRWST water to the reactor.
Passive Residual Heat Removal
The AP1000 has a passive residual heat removal (PRHR) subsystem that protects the plant against transients that upset the normal heat removal from the primary system by the steam generator feedwater and steam systems. The passive RHR subsystem satisfies the U.S. NRC safety criteria for loss of feedwater, feedwater-line breaks, and steam-line breaks with a single failure.
The system includes the passive RHR heat exchanger consisting of a 100-percent capacity bank of tubes located within the IRWST. This heat exchanger is connected to the reactor coolant system in a natural circulation loop. The loop is isolated from the RCS by valves that are normally closed, but will open if power is lost or upon other signals from the instrumentation and control protection system. The difference in temperature and the elevation difference between the hot inlet water and the cold outlet water of the heat exchanger drives the natural circulation loop. If the reactor coolant pumps are running, the passive RHR heat exchange flow will be increased.
The IRWST is the heat sink for the passive RHR heat exchanger. The IRWST water volume is sufficient to absorb decay heat for about two hours before the water starts to boil. After that, the steam from the boiling IRWST condenses on the steel containment vessel walls and then drains back into the IRWST by specially designed gutters.
Automatic Depressurization System
The automatic depressurization system (ADS) depressurizes the reactor coolant system (RCS) and enables lower pressure safety injection water to enter the reactor vessel and the core. It is activated by a level setpoint in the core makeup tank (CMT). The ADS is comprised of three stages of motor-operated valves (MOVs) located above the pressurizer, and a fourth stage connected to the RCS hot legs and controlled by a squib valve, which opens by the actuation of an explosive charge. The first three stages of MOVs are arranged in six parallel sets (two normally closed valves in series). These MOV valves are activated on two-out-of-four actuation signals. The fourth stage of this system consists of four large valves, in two pairs that open off the hot legs, reducing the pressure to atmospheric, allowing gravity injection from the IRWST. This eventually evolves into a long-term cooling mode with containment sump recirculation.
The ADS valves are arranged to open in a prescribed sequence determined by the core makeup tank (CMT) level and a sequence timer.
The automatic RCS depressurization feature meets the following criteria:
