Training of NPPA

Personnel

Safety Systems overview

Localization and Control Safety
Systems

Prepared for NPPA

Author: Worley team
2024
Agenda

1. Training objectives

2. Localizing Safety Systems

• Purpose & Functions
3. Control Safety Systems
• Purpose & Functions
• Design Principles
• Configuration
• Operation modes and Défense in Dept (DID)
• Reliability

2
Training Objectives

(TO.1) To describe the philosophy of localizing safety systems.

MO.1-1 To understand specific functions of localizing safety
systems.
MO.1-2 To list the most important localizing safety systems.

(TO.2) To get acquainted with general information and

composition of the Control safety systems:
MO.2-1 To understand the purpose and functions of RTS and ESFAS
MO.2-2 To understand the design principles of RTS and ESFAS
MO.2-3 To describe the EP-ESFAS structure

3
LOCALIZING SAFETY SYSTEMS

•The localizing safety systems shall be provided

to confine radioactive substances and ionizing
radiation within the design-specific boundaries in
case of accidents.
•The localizing safety systems shall be provided
for each NPP unit and shall perform specified
functions under the design basis and beyond
design basis accidents
NP-001-15, “GENERAL REGULATIONS ON ENSURING SAFETY OF NUCLEAR POWER PLANTS”
4
LOCALIZING SAFETY SYSTEMS

5
 LOCALIZING SAFETY SYSTEMS
CONTAINMENT HYDROGEN REMOVAL SYSTEM

Prevention of explosive mix

formation in accident
localizing area by
supporting volumetric
hydrogen concentration in
the mix below the criteria,
set for design basis
accident and beyond design
basis accident.
The hydrogen removal system equipment includes a set of passive autocatalytic hydrogen recombiners and a stand for inspection
sampling tests.
6
 LOCALIZING SAFETY SYSTEMS
SPRAY SYSTEM
• Reducing pressure and temperature
inside the containment in case of LOCA
by injecting boron solution into the
containment air with a concentration of
16 g/kg.
• Pressure decrease time down to
atmospheric pressure < 24 h.
• Binding of radioiodine contained in the
steam and air of the sealed volume.

7
 LOCALIZING SAFETY SYSTEMS

MAIN STEAMLINE ISOLATION SYSTEM

Main steamline isolation system is designed for
quick and reliable steam generator isolation
from a leaky section:
▪At pipeline breaks downstream of the SGs as
far as the turbine stop valves in the pipeline
sections that either can be isolated or cannot be
isolated from the SG;
▪At feedwater pipeline breaks downstream of
the SGs as far as the check valves;
▪At primary-to-secondary leak;

8
 LOCALIZING SAFETY SYSTEMS CORE CATCHER
The corium localization system (or core catcher) is one of the technical means specially envisaged to
manage severe beyond design basis accidents at the off-vessel stage. The core catcher performs
intake, placement and cooldown of the molten materials of the core, reactor internals and reactor
pressure vessel up to complete crystallization.
Placed below the reactor vessel to protect the containment structures against impact of
molten core
• Retains and cools core melt and solid fragments of the core, parts of the vessel and reactor
internals resulting from core damage
• Transfers passively the heat to cooling water surrounding the “core melt pot” and thus ensures
long term cooling and solidification of the molten core
▪Molten core is mixed with neutron absorbing material placed inside the “core melt pot” to ensure that
no chain reaction can start in the mixed materials inside the core catcher.
▪In no accident scenario there is water inside the “core melt pot”. This eliminates the risk of steam
explosion.
▪Core catcher decreases significantly the hydrogen generation (typically by factor 4) because the hot
metal captures oxygen from the aluminum oxide in the pot and not from water.
▪Crust formed on the top stops release of radionuclides into the containment. 9
TOPIC QUESTIONS

CONTROL QUESTIONS TO TERMINAL OBJECTIVE 1

1. What are specific functions of localizing safety systems?

2. List the most important localizing safety systems.
3. What localizing safety system is passive:
a) Spray system
b) Containment hydrogen removal system
c) Main steamline isolation system

10
Control Safety Systems: RTS and ESFAS
• Reactor Trip System Initiating part (EP IP) purpose

• EP IP is designed to initiate the fall down of all control rod groups and shutdown of the reactor

• Engineered Safety Features Actuation System purpose

• The System is designed to monitor and control all protective, localizing, and support safety
systems when they perform their functions in all design basis conditions.

Safety Functions category A (IEC 61226)

▪ Reactor trip system (RTS)
▪ Reactivity control by emergency reactor shutdown and maintenance of subcritical state thereof
▪ Engineered Safety Features Actuation System (ESFAS)
▪ assurance of integrity of the primary circuit
▪ heat removal from the reactor core
▪ heat removal from the primary circuit and its cooldown
▪ radiation confinement within the established boundaries
(Ch. 7.3 of PSAR) 11
Control Safety Systems: RTS and ESFAS

12
Control Safety Systems: RTS and ESFAS
Classifications

Systems (elements) of Function Safety class Safety class Seismic

APCS hardware category as per as per resistance
as per NP-001-15 IEC 61513 category
IEC 61226 as per
NP-031-01
EP-ESFAS initiating part A 2 1 I
EP actuating part A 2 1 I
ESFAS actuating part A 2 1 I
Diverse protection system B 3 2 I
(DPS)

(Ch. 7.3 of PSAR) 13

Control Safety Systems: RTS and ESFAS
EP-ESFAS control functions performed in automated mode (by the operator using MCR
remote control facilities)

• setting operation modes for redundant pieces of equipment and regulators,

• exercising remote control of SS actuators,

• acknowledging process alarm signals.

EP-ESFAS information functions

• collection and provision to the operator of information for:

• controlled parameters;

• actuators condition;

• failure to observe the limits and conditions of safe operation;

• status of the technical means

(Ch. 7.3 of PSAR) 14
Control Safety Systems: RTS and ESFAS - Desing
EP-ESFAS design principles ensure their reliability and failure
tolerance
Redundancy principle – resistance against single failure
application of multi-train systems:
▪ Four (4) independent software and hardware complexes
▪ With four-channel structure a single safety train may be always out of service to
be repaired long time during NPP unit operation at power
▪ component and equipment redundancy within system trains: sub-
trains A and B
Independence and separation principle
▪ physical and functional separation of trains
▪ functional independence – if one train/component fails, this does not
cause a failure of a function in another train/component
15
(Ch. 7.3 of PSAR)
Control Safety Systems: RTS and ESFAS - Desing

Safety systems design principles ensure their reliability and

failure tolerance (cont.)
Diversity principle
▪ application of means based on different principles of operation
against common-cause failure (CCF) of software: hardwired
Diversity Protection System (DPS)
▪ different physical variables:
▪ at least two initiating parameters based on different principles of measurement
are defined in the design for each initial event of an accident
▪ To exclude false/wrong signals two different principles of initiating parameter
signal handling are used
▪ different equipment manufacturers
Protection from the operator errors
16
(Ch. 7.3 of PSAR)
Control Safety Systems: RTS and ESFAS - Desing

Safety systems design principles ensure their reliability and

failure tolerance (cont.)
Protection from the operator errors
Fail-safe design
▪ if a system/component fails, plant systems shall be designed to
pass into a safe state with no necessity for any action to be
initiated
▪ output modules de-energization
Equipment qualification:
▪ Seismic
▪ Environment

17
(Ch. 7.3 of PSAR)
Control Safety Systems: RTS and ESFAS - Configuration
Reactor Trip System configuration

• Mechanical/actuator parts:

• absorbing/control rods (CR)

• drive mechanisms (actuators) of the CR

• Initiating part of the safety control system that generates reactor protection signals
Emergency Protection (EP IP)

Engineered Safety Features Actuation System (ESFAS)

• Initiative part - intended for formation of signals for ESFAS actuators providing
issue of commands for control of the safety system actuators

• Actuating part - Priority Control; Local protections; monitoring and control of

ventilation and air conditioning of SS rooms; local control panels of safety systems

18
(Ch.7 of PSAR and Ch.2.11 of Safety Concept)
Control Safety Systems: RTS and ESFAS - Configuration

19
Control Safety Systems: RTS and ESFAS - Configuration
EP-ESFAS includes the following

• Four independent trains physically and electrically separated from each other (placed in
four rooms of the CSS trains)

• Implemented at the software and hardware means

• Each train is equipped with its own set of primary transducers located in separate room

• The design determines that primary transducers for EP functions, and startup of safety
systems (ESFAS) are common if the same parameters are used

• For the purposes of protection from the operator errors, the automatic system is utilized
to initiate protection actions and to inhibit the operator control actions that prevent
safety operations from executing during a limited time period

• The systems are designed so that operator’s intervention into control of the system is
not required during the first 30 min since the beginning of the accident

20
Ch.7.3 of PSAR
Control Safety Systems: RTS and ESFAS - Configuration

Safety system train Normal operation system

Measurement

Measurement

EP&ESFAS
algorithms processing
Project algorithms
processing

Priority control

Function
Binary output
of actuator
Function control
of actuator
control

Control Rods ~ ~

21
 Control Safety Systems: RTS and ESFAS - DiD
DBC1 (DiD level 1)
• The safety systems performing, normal operation functions are in operation
through the ESFAS actuating part – Priority control

• EP-ESFAS perform information and diagnostic functions

DBC2 (DiD level 2)

• The EP actuation upon ESFAS signals will only occur in case several RCPS
are deenergized. This is required for reactor scram and preventing the
actuation of PRZ PORV

• The safety systems performing, normal operation functions are in operation

through the ESFAS actuating part – Priority control

• EP-ESFAS perform information and diagnostic functions

22
Safety Concept
Control Safety Systems: RTS and ESFAS - DiD
DBC3 and DBC4 (DiD level 3)
• In emergency modes EP signals are generated and actuate the insertion of
control rods in the core by gravity for reactor shut-down

• ESFAS provides automatic start-up of the safety systems

DEC (DiD level 4)

• EP signals are generated and actuate the insertion of control rods in the
core by gravity for reactor shut-down.

• ESFAS provides automatic start-up of the safety systems as in modes of

DBC 3&4.

• When EP-ESFAS are not working, Safety systems are actuated by the
Diverse Protection System
23
Safety Concept
Control Safety Systems: RTS and ESFAS - operation
ESFAS actuation signals are formed when the controlled parameters
achieve levels that require protective measures when the following
situations occur:
• primary coolant losses;

• failure of heat removal from the secondary circuit;

• excess of pressure setpoints in the primary and secondary circuits;

• failure of containment integrity;

• rising of conditions requiring actuation of emergency feedwater system;

containment's spray system; isolation of live steam pipeline;

• LOOP (loss of offsite power) of unit requiring startup of emergency diesel-

generators and step by step loading of them.
24
Ch. 7 PSAR
Control Safety Systems: RTS and ESFAS - operation
Engineered Safety Features Actuation System (ESFAS) perform
• isolation of steam generators;

• provision of integrity of containment;

• emergency boron injection system actuation;

• protection against overpressure in the primary and secondary circuits;

• switching on of high and low pressure emergency injection systems;

• provision of steam generators with feedwater supply (activation of

emergency feedwater system);

• activation of emergency diesel-generator;

• activation of BRU-A
25
Ch.7.3 of PSAR
Control Safety Systems: RTS and ESFAS - reliability

EP-ESFAS reliability indicators

EP function and safety systems startup (without taking in account actuators) -

a possibility of the function non-execution at request shall not exceed 5.10-6
for a period of one year

Frequency of spurious actuations of EP functions and safety system startups

shall not exceed 0.01 per one year

A mean time to recovery for hardware of EP-ESFAS without any influence on

the process shall not exceed one hour

(I&C Concept)

26
TOPIC QUESTIONS

CONTROL QUESTIONS TO TERMINAL OBJECTIVE 2

1. What are the functions of RTS and ESFAS?

2. What basic principles are used in the systems
design?
4. What is EP-ESFAS Configuration?
5. How EP-ESFAS work in different NPP Operation
modes and Defense in Dept (DID) levels?

27
Thanks for your participation
and attention!
‫شكرا لمشاركتكم واهتمامكم‬
&

29
worley.com
Disclaimer
This presentation has been prepared
by a representative of Worley.

The presentation contains the professional and personal opinions of the

presenter, which are given in good faith. As such, opinions presented
herein may not always necessarily reflect the position of Worley as a
whole, its officers or executive.

Any forward-looking statements included in this presentation will involve

subjective judgment and analysis and are subject to uncertainties, risks
and contingencies—many of which are outside the control of, and may be
unknown to, Worley.

Worley and all associated entities and representatives make no

representation or warranty as to the accuracy, reliability or completeness
of information in this document and do not take responsibility for updating
any information or correcting any error or omission that may become
apparent after this document has been issued.

To the extent permitted by law, Worley and its officers, employees, related
bodies and agents disclaim all liability—direct, indirect or consequential
(and whether or not arising out of the negligence, default or lack of care
of Worley and/or any of its agents)—for any loss or damage suffered by a
recipient or other persons arising out of, or in connection with, any use or
reliance on this presentation or information.