Training of NPPA

Personnel

Safety Systems overview

Protective safety systems

Prepared for NPPA

Author: Worley team
2024
Agenda

1. Training Objectives

2. Definitions.

3. Operational modes of NPP. Safety systems.

4. Protective safety systems. General provisions

5. Description of the designs of the protective safety systems

2
Training Objectives

Terminal Objective 1 (TO-1) To get acquainted with

general information and composition of the Protective
safety systems
▪ MO.1-1 to understand each protective safety systems purpose
▪ MO.1-2 To describe basic principles of the systems design
▪ MO.1-3 To provide requirements to structure and functions of the
systems
▪ MO.1-4 To list of protective safety systems
Terminal Objective 2 (TO-2) To know and understand
the designs of the Protective safety systems
▪ MO.2-1 Design basis
▪ MO.2-2 Design of system
▪ MO.2-3 Modes of operation

3
 Definitions
✓ NORMAL OPERATION SYSTEMS (ELEMENTS) - systems (elements) designed to assure
normal operation.

✓ SAFETY SYSTEMS (ELEMENTS) - systems (elements) designed for fulfilling safety

functions under design-basis accidents. They are provided to assure safe shutdown of a
reactor or residual heat removal from a core, or to limit the design-basis accidents
consequences.

✓ Anticipated operational occurrences, or transients (AOO) – Conditions of normal operation that are expected
to occur one or more times during the life of the plant.

✓ Postulated accidents (PA) – Events which are postulated, but are not expected to occur.

✓ Design Basis Category 1 Conditions (DBC 1) - Normal Operation Conditions which are
expected frequently in the course of power operation, refuelling, maintenance or
manoeuvring of the plant. As such, Design Basis Category 1 Conditions are
accommodated with margin between any plant parameter and the value of that parameter
which would require either automatic or manual protective action.
4
 Definitions

✓ Design Basis Category 2 Conditions (DBC 2) -Incident Conditions Conditions which may
occur once or more in the life of the plant (f>10-2). These conditions, at worst, result in
a reactor trip with the plant being capable of returning to operation. These conditions do
not propagate to cause a more serious fault, i.e. Design Basis Category 3 or 4 Conditions

✓ Design Basis Category 3 Conditions (DBC3) - Accident Conditions Conditions which may
occur very infrequently (10-2>f>10-4). These conditions may result in the failure of only
a small fraction of the fuel rods. A Design Basis Category 3 Condition* does not, by itself,
generate a Design Basis Category 4 Condition* or result in a consequential loss of
function of the Reactor Coolant System* or Containment System*.

✓ Design Basis Category 4 Conditions (DBC4) - Accident Conditions which are not expected
to take place (10-4 > f > 10-6) but are postulated because their consequences would
include the potential release of significant amounts of radioactive material. They are the
most extreme Design Basis Conditions* which must be designed against and represent
limiting cases.

5
 Definitions
✓ Design Extension Conditions (DEC) - A specific set of accident sequences that goes beyond
DBC, to be selected on deterministic and probabilistic basis and including:
• Complex Sequences,
• Severe Accidents.
Appropriate design rules and criteria are set for DEC, in general different from those for DBC.
✓ Complex Sequences - Certain unlikely sequences which go beyond those in the
deterministic design basis in terms of failure of equipment or operator errors and have the
potential to lead to significant releases but do not involve core melt, are identified as
Complex Sequences. An example is simultaneous failure of redundant functions.
✓ Severe Accidents - certain unlikely event sequences beyond Accident Conditions
involving significant Core Damage which have the potential to lead to significant releases.

Design Base Conditions Design Extension Condition

Normal Accidents Accidents - very Complex
Incidents Severe accidents
operation low frequency low frequency sequences
- f > 10-2 10-2 ÷10-4 10-4 ÷ 10-6 Less than 10-6
DBC-1 DBC-2 DBC-3 DBC-4 - -
6
 Safety systems - Operational Modes of NPP and DID
✓ Classification of NPP
System by their purpose
Normal operation systems
Safety systems
Systems of special-purpose
hardware for DEC and accidents
management
(EPC Contract, PSAR Ch.1, 7, 12 and NP-001-15)
✓ Classification of the
✓ Controlling – Triggering of
safety systems by Reactor Emergency Protection
function performed and all remaining active and
passive safety systems;
Protective ✓ Protective – Provides reactor
subcriticality, heat removal from
the fuel, protection of primary
Localizing and secondary loop boundaries;
✓ Localizing – Provides protection
of Containment and retention of
Supporting radioactive fission products.
✓ Supporting - Provision of
Controlling working condition for the safety
systems, emergency electrical
supply (diesel generators and
UPS, cooling and etc.)
7
 Protective safety systems- General provisions
Intention and basic principles of the systems design
✓ According to definition in Russian safety standard NP-001-15 General
provision for safety assurance of nuclear power plants Protective safety
systems are systems, intended for prevention or limitation of damage of
nuclear fuel, fuel component cladding, equipment and pipelines, containing
radioactive products
✓ The following basic principles are used in the protective safety systems
design:
• Resistance against single failure
• Multi-channeling
• Physical separation of channels
• Passivity
• Diversity

8
Protective safety systems- Requirements to structure and functions of systems

Protective safety systems should meet the following requirements :

• Each active safety system is multi-channeled - four trains of each safety
systems
• The number of trains is selected considering single failure of any active
component of a train, or a human caused error as well as dependent from
initiating events failure one channel. With four-channel structure a single safety
channel may be always out of service to be repaired long time during NPP unit
operation at power
• Safety systems operation designed to cool the reactor core is based on active
and passive principles
• For the purposes of protection from the operator errors, the automatic systems
is utilized to initiate protection actions and to inhibit the operator control actions
that prevent safety operations from executing during a limited time period. The
operator’s intervention into the system is not required during the first 30 min
since the beginning of the accident
• Safety systems are subject of additional tests in case of a train unavailability till
its repair. If not repaired within defined time, unit power should be decreased,
or unit should be shut down.
9
 Protective safety systems- List of protective safety systems
• High pressure emergency
injection system (JND)
• Low pressure emergency injection
system (JNG10)
• Emergency boron injection
system (JDH)
• Emergency gas removal system
(KTP)
• Residual heat removal system
(JNA)
• Secondary circuit overpressure
protection system
▪ Emergency feedwater system
(LAR/LAS)
▪ Reactor trip system (control and
protection system actuator set)
▪ Borated water storage system
(JNK)
▪ Emergency core cooling system,
passive part (JNG50)
▪ Primary circuit overpressure
protection system
10
TOPIC QUESTIONS

CONTROL QUESTIONS

1. How many types of Safety systems

are there based on its functions?
2. What are the basic principles of
the safety systems design?
3. How many protective systems you
know?

11
 High pressure safety injection system (JND)
The system purpose
✓ High pressure safety injection system (JND) is designed for injection of boric
acid solution from containment sumps (two tanks of total volume 2300 m3 of
boron water with concentration 16 g Н3ВО3/kg Н2О) to reactor coolant system at
accidents with loss of coolant (LOCA)
The system functions
✓ The system is intended for performance of the following functions:
• The primary circuit coolant inventory maintenance
• Reactor plant (RP) cooldown to the cold state, and
• Residual heat removal from the core
During Unit operation at power the system does not operate and is in standby mode
In DBA the system performs its functions. When the primary circuit parameters for
connecting the low-pressure injection system JNG reached, the operation of the JND can
be stopped by Operator.
12
High pressure safety injection system (JND)

Protective safety systems

✓ Heat removal from primary circuit:

• JND / High pressure safety injection

• JNG 10 / Low pressure safety injection

• JNG 50 / Passive emergency core cooling

• JNK / Borated water storage system

(containment sump)

✓ Heat removal through secondary circuit:

▪ LAR / Emergency feed water system;

▪ LCU / Demineralized water storage tanks of

the make-up water system.

▪ BRU-A, SG PORV / Steam dump to

atmosphere, SG relief valve
13
TOPIC QUESTIONS

CONTROL QUESTIONS TO JND system

1. What is the system purpose?
2. What is the system functions?

14
 Low pressure safety injection system (JNG10)
The system purpose
✓ The system is designed to supply the solution of boric acid in the reactor coolant system during a loss of coolant
accident, when the pressure in the coolant system drops below the operating parameters of the system JNG10
The system functions
✓ The JNG system performs the following functions:
• Reactor plant cooldown during normal shutdown of the plant, in anticipated operational occurrences and in
design basis accidents on the condition of maintenance of the primary circuit integrity (jointly with the JNA
system)
• Residual heat removal from the core and keeping the temperature in primary circuit during reactor core
refueling and in repair cooldown mode.
System operation
✓ The capacity of each train is 100 %, so system capacity is 4x100%.
✓ Each train includes a pump, two heat-exchangers, valves and instrumentation
✓ The suction pipelines of each train are connected to the containment sump tanks for the storage of borated
water of low concentration 16 g Н3ВО3/kg Н2О
✓ The pressure pipelines of the two JNG trains are connected to the two loops of the primary circuit coolant
system so that half of the flow is directed to the cold leg and the other half to the hot leg. The other two trains
are connected to the pipelines from Emergency core cooling system, passive part hydro accumulators to the
reactor (see slide above)

15
 Low pressure safety injection system (JNG10)
Anticipated operational occurrences - DBC 2
✓ In anticipated operational occurrences, requiring RP cooldown to cold state, the system provides
residual heat removal and RP cooldown in the temperature range from 130 °C to 60 °C at a rate of
30 °C/h together with the JNA system.In case of LOOP, the system is operable since it is energized
from the emergency power supply system.
Design basis accidents - DBC 3&4
✓ In design basis accidents the system provides reactor plant cooldown on the condition of
maintenance of the primary circuit integrity (jointly with the JNA system) and residual heat
removal from the core
✓ The emergency process signals start the JNG10 system pumps. When the JNG10 pumps start by
emergency signals and the primary circuit pressure exceeds 2.5 MPa the pumps operate in the
recirculation line. When the pressure in the primary circuit is reduced below 2.45 MPa, and the
required flow rate in the discharge line is achieved the recirculation line valves are closed and the
pumps begin feeding the boric solution from the sump tank to the reactor
System functioning under external impacts
✓ The system is able to perform all its functions under all design external impacts. The system is
protected from impact of external natural and man-made events: earthquakes, hurricanes,
extreme temperatures, shock waves and aircraft crash. 16
TOPIC QUESTIONS

CONTROL QUESTIONS TO JNG10 system

1. What is the system intention?

2. How the system function in external impact?

17
 Emergency boron injection system (JDH)
The system purpose and functions
✓ The emergency boron injection system is intended for performance of the following functions:
• Injection of boric acid solution to the pressurizer steam volume at primary-to-secondary leak accident
(PRISE)
• Supply of boric acid high-concentrated solution (40 g Н3ВО3/kg Н2О) into the primary circuit for quick
transfer of the reactor plant into subcritical condition under anticipated operational occurrences in
case of reactor trip failure.

The system operation

✓ The system consists of four identical and fully independent trains. Each train includes emergency boron
injection plunger pump (Q=14.5 m3/h; P=0.098 ÷ 24.5 MPa), valves and instrumentation
✓ Efficiency of each train corresponds to 50 % i.e. in all emergency modes two trains maintain their
operating capacity - the system capacity structure is 4x50 %
✓ Suction pipelines of JDH system trains are connected to two high-concentration borated water storage
tanks (40 g Н3ВО3/kg Н2О). Pressure pipelines connected to the cold legs of the main circulation loops
and to the steam part of the pressurizer.
✓ The emergency boron injection system can perform all its functions under external impacts accepted for
this design. The system is protected from impact of external natural and man-made events:
earthquakes, hurricanes, extreme temperatures, shock waves and aircraft crash.
18
Emergency boron injection system (JDH)

Layout of safety devices and

systems injecting a medium
into the pressurizer steam
space
1) High-concentration boric
acid solution storage tank
2) Pump of the Emergency
boron injection system (JDH)
3) Valves on the PRZR
injection line (JDH pump)
8) Valves on the PRZR
injection line (MCP)
9) Valves on the PRZR
injection line (make-up pump)
19
 Emergency boron injection system (JDH)
Normal operation - DBC 1
✓ During unit operation at power, the emergency boron injection system does not operate and is in
the standby mode, undergoing regular tests and inspections according to the technical
specifications
Anticipated operational occurrences (DBC 2)
✓ Functioning of the system is not required in case of a violation of normal operation conditions. In
case of a blackout signal, the pumps of the JDH system are started in accordance with the diesel-
generator step-by-step load follow start-up program only in case of an emergency signal.
Design basis accidents (DBC 3&4)
✓ In design basis accidents the system performs a given functions. In case of an accident with a
primary-to-secondary leakage, the system provides for injection to the steam volume of the
pressurizer of boric acid solution with the purpose of decreasing the pressure in the primary circuit
and consequently limiting the release of radioactivity.
Beyond Design Basis Accidents (DEC)
✓ In case of BDBA the system performs function of supplying the high concentration boric acid
solution (40 g Н3ВО3/kg Н2О) into the primary circuit of the reactor plant to provide subcritical
condition in case of anticipated operational occurrences, accompanied with failure of Reactor trip
(ATWS accidents) 20
TOPIC QUESTIONS

CONTROL QUESTIONS TO JDH system

1. What the system functions are?

2. What is the system capacity ?

21
 Emergency gas removal system (KTP)
The system purpose
Emergency gas removal system (EGRS - KTP) is intended for steam-gas mix
removal from RP primary circuit (reactor and SG collectors) and primary pressure
decrease during the operation of safety systems, to reduce consequences of
design basic accidents (DBA) and beyond design basis accidents (BDBA)
✓ During the design basis accident:
• The system shall provide for mitigation of consequences of beyond design
basis accidents by means of removal of steam-gas mixture from RP primary
circuit (reactor and SG collectors)
• Under DBA and BDBA without the core melting conditions the system shall
provide, if necessary, for removal of team-gas mixture from RP primary
circuit (reactor and SG collectors) into containment or relief tank for creation
of the closed circuit of coolant circulation in Reactor Coolant System (RCS)

22
 Emergency gas removal system (KTP)
✓ During unit operation at power the system operation is not necessary. In RP
planned cooldown mode, the EGRS (KTP) is used by operator (when
appropriate) for cooldown of reactor upper unit and SG headers, by opening of
respective paths to relief tank. In case main coolant pumps are switched off,
Reactor pressure vessel head cooling is controlled by system operation.
✓ In case of DBA (DBC 3&4), the EGRS can be used by operator from upper
points of primary circuit (Reactor, SG headers)
✓ In case of BDBA (DEC), related to core melting, the system, in pursuance of
BDBA management instruction (SAMG), is used for primary pressure decrease
to 1 MPa jointly with PRZ relief valves and/or Emergency Pressure Reduction
System by medium discharge into the containment in order to avoid rupture
of the reactor vessel at high pressure.

23
TOPIC QUESTIONS

CONTROL QUESTIONS TO KTP system

1. What is the system purpose?

2. What is the function of the system in BDBA
(Severe Accidents)?

24
 System of residual heat removal (JNA)
• System of residual heat removal (JNA) is designed for the removal of
residual heat and reactor plant cooldown during normal shut down of the
plant, during anticipated operational occurrences and during design basis
accidents on the condition of preserving the integrity of the primary circuit
jointly with Low Pressure Safety Injection System JNG10
• Residual heat removal system JNA is also designed for primary circuit
protection against overpressure in cooldown and residual heat removal
modes at low temperatures of the primary circuit
• The residual heat removal system has the structure 4x50% of the trains
• Two safety valves are designed for overpressure protection of the reactor
at low temperature (below 130 °C ) under brittle strength conditions
• The pumps and heat exchangers of low-pressure safety injection system
JNG10 are used for organizing coolant circulation in the JNA system and for
heat removal from the reactor core
25
 System of residual heat removal (JNA)
Normal operation – DBC 1
• When the reactor is in power operation, functioning of the JNA system is not required. The system is
disconnected from the primary circuit.
✓ Scheduled cooldown
• The system provide the reactor plant cool down at the primary circuit temperature from 130 °C to 60 °at
the of 30 °C/h С (in the initial period of cooldown) ) with operating Main Coolant Pumps (MCP) and 15
°C/h under natural circulation. The difference of coolant temperature and temperature of water feed to the
primary circuit shall be maximum 50 °C
• The work for connection of the residual heat removal system, jointly with the low pressure injection system
begin at the primary circuit temperature about 150°С for primary circuit cooldown function
• After the temperature in the primary circuit reaches 60 °C , MCPs are switched off and cooldown controller
task is changed. It is set for constant temperature maintenance mode at outlet from the reactor core
✓ Reactor plant repair cooldown (condition with decreased coolant level in the reactor pressure vessel)
• The system is used also for removal of heat from the cooled down reactor during repairs of the reactor plant
main equipment. In this case, the level in the reactor vessel needs to be reduced below the level of the hot
legs of primary circuit loops. The coolant flow opposite to the normal direction - it is taken from the lower
chamber of reactor and returned to the upper mixing chamber of the reactor.
• In case of a design basis accident not associated with a primary circuit leak, system JNA together with
system JNG10 ensure switching of the Unit into cold state

26
System of residual heat removal (JNA)

Layout of the main equipment which cools

the RP down from 130ºC to 60ºC and
maintain it in the cold state
1) Pump of the Essential service water
system (PE)
2) Heat exchanger of Intermediate cooling
circuit for essential consumers (KAA)
3) Pump of the Intermediate cooling
circuit for essential consumers (KAA)
4) JNG10 system heat exchanger
5) Valve regulating RP cooldown rate of
JNA system
6) Pump of the Low-pressure safety
injection system (JNG10)
7) SG

27
TOPIC QUESTIONS

CONTROL QUESTIONS TO JNA system

1. What is the system intention?

2. At which mode of operation of power unit the
system is not required?

28
 Secondary circuit overpressure protection system

The system purpose

✓ The secondary circuit overpressure protection system is designed to prevent
overpressure in steam generators and main steam lines under design basis
conditions and beyond design basis accident
The system functions
✓ The system performs the following functions:
• To ensure the pressure in the SGs in emergency conditions does not exceed
the design value more than by 15 %
• Can be used for residual heat removal from the reactor plant trough SGs by
discharging steam into the atmosphere through the BRU-A and feeding SGs
by emergency feedwater system.

29
 Secondary circuit overpressure protection system
✓ The secondary circuit overpressure protection system components are included into
the main steam valve units installed one per each steam line. Each main steam valve
unit includes two pulse safety devices for steam generators (SG PORV), one steam
dump valve to atmosphere (BRUA) and one shut-off valve upstream the BRU-A
✓ SG PORVs consist of a main valve operating from its own environment and two pulse
valves which can operate as an electromagnetic in accordance with the signals from
the protection system and as a direct-action valve when there is no power supply
✓ The BRU-A is an electrically-driven control valve. Normally is in an intermediate
position. The control is provided by two and control electrically-driven valves
mounted on the main valve body. Shut-off valve installed upstream is a piston
operated valve operating from its own environment. Normally closed
✓ The design stipulates automatic activation of the system, without intervention of the
operator. The automatic system activation takes place when the pressure in the
secondary circuit increases up to the valves actuation set point
30
Secondary circuit overpressure protection system

Protective safety systems

✓ Over pressure protection:
• BRUA / Steam relieve
valves to the atmosphere;
• SG PORVs / Pilot operated
relief valves of the steam
generators;
• PRZ PORVs / Pilot operated
relief valves on the
Pressurizer. 31
Secondary circuit overpressure protection system

✓ The secondary circuit overpressure

protection system components are
included into the Main steam valve
units installed one per each steam
line. Each main steam valve unit
includes:
• Оne steam dump valve to
atmosphere (BRU-A) with a shut-
off valve upstream;
• Two Steam generator Pilot operated
release valves (SG PORV) - One
Control SG PORV and one
Operating SG PORV.
32
 Secondary circuit overpressure protection system
✓ In normal operation conditions the secondary circuit overpressure protection system is
in the standby mode and undergoes regular checks.
✓ Under anticipated operational occurrences and in the emergency conditions, when
pressure increases in the secondary circuit up to the set points of the overpressure, the
corresponding system components are opened.
✓ Under LOOP, the system is operable, because its components are related to first group
reliability consumers and the system is connected to emergency power supply system.
✓ SG PORV operation: When the pressure increases in the secondary circuit up to the SG
PORV tripping set points, they are opened. When the pressure reaches 8.8 MPa, the
control SG SV opens, and at a pressure of 9.0 MPa the operating SG SV opens. Both
valves are closed when pressure in the secondary circuit decreases to 7.95 MPa.
✓ BRU-A operation: The shut-off valve of BRU-A opens when the pressure increase in the
steam pipeline up to 7.8 MPa. Then BRU-A is switched to 7.4 MPa pressure maintenance
mode. When the pressure is reduced to 7.05 MPa, the shut-off valve closes, and the
BRU-A returns to its original position.
33
TOPIC QUESTIONS

CONTROL QUESTIONS to Secondary circuit

overpressure protection system system
1. What is the system purpose?
2. What does mean BRU-A?

34
 Emergency Feedwater System (LAR/LAS)
The emergency feedwater system is designed to provide feedwater supply to SGs
when the feedwater supply from the main and auxiliary feedwater systems is
impossible.
• Emergency feedwater supply to the steam generators in case of LOOP
• Can be used for residual heat removal from the reactor plant trough SGs by
discharging steam into the atmosphere through the BRU-A (open loop) or in
a close loop through BRU-K
• The system consists of four identical trains fully independent from each other
with a capacity of 100% each. Each train provides for one emergency feed
pump, valves and pipelines
• Provides for water supply from each train of the system to one steam
generator
• Four make-up water system (LCU) tanks with a capacity of 700 m3 each are
used for demineralized water storage
• The total capacity of tanks enough for unit maintaining in "hot" standby
mode for at least 24 hour
35
Emergency Feedwater System (LAR/LAS)

Protective safety systems

✓ Heat removal through secondary
circuit:
▪ LAR / Emergency feed water
system;
▪ LCU / Demineralized water
storage tanks of the make-up
water system.
▪ BRU-A, SG PORV / Steam
dump to atmosphere, SG relief
valve
36
 Emergency Feedwater System (LAR/LAS)
✓ System will start-up automatically in case of modes of DBC 2 which are leading to decrease of water
level in one or more SG. When the process signals "SG level is 900 mm bellow the nominal value" and
"temperature of primary circuit is more than 150 0С“ are generated for one or more SG then emergency
feedwater pumps are started, gate valves on pumps discharge side opens and feedwater is supplied to
the affected steam generators from the demineralized water storage tanks of the LCU system. LAR/LAS
is maintaining the nominal values of the levels in SG.
✓ In case of design basis accidents by coincidence of process signals Lnom minus 900 mm with
temperature of primary circuit of TIk>150 С the emergency feedwater pumps are started, gate valves
open at the feed pump discharge, and feedwater is fed to steam generator from the demineralized water
storage tanks of the LCU system.
✓ In the event of a LOOP signal, system pumps are switched to the emergency power supply system.
✓ In case of accidents involving the steam and feedwater pipeline rupture in the section not isolated from
steam generators, with the coincidence of signals pressure in steam line is less than 5.14 Mpa,
difference in saturation temperatures of the primary and secondary circuits (the same steam pipeline)
above 70 °C and temperature in the primary circuit is more than 150 С, emergency feedwater pump
stops, gate valves close on the feedwater supply line to damaged steam generator and the feedwater
can only be supplied to intact steam generators.

37
TOPIC QUESTIONS

CONTROL QUESTIONS TO LAR/LAS

system
1. What is the system purpose?
2. What is the system functions?
3. What is the system capacity?

38
 Reactor trip system (control and protection system actuator set)

The system purpose

✓ Control and Protection System (CPS) actuator set present a mechanical control
and protection system of the reactor and shall provide:
• emergency reactor shutdown and maintaining the subcritical state
• reliably controlling reactivity changes so that specified fuel design limits are
not exceeded
The system functions
✓ The system performs the following functions:
• Quick termination of nuclear reaction in the core (reactor trip/scram)
• Reactor power maintaining at the assigned level and switching from one level
to another
• Axial power flattening and prevention and suppression of xenon instability

39
 Reactor trip system (control and protection system actuator set)

System design
✓ Control and Protection System (CPS) actuator set consists
of 121 Rod Cluster Control Assemblies (RCCA) engaged
with extension shafts of Control Rod Drive Mechanisms
(CRDM).
✓ RCCA consists of 18 individual neutron absorbing rods
connected (by springs and nuts) at one end to a common
hub (head) and positioned within fuel assembly guide
thimbles by a dedicated drive mechanism.
✓ The absorbing rod is a cladding sealed with the end pieces
by welding from both ends: from the bottom - by a cone,
from the top - by a tip. The cladding internal space is filled
with the absorbing material B4C. 40
 Reactor trip system (control and protection system actuator set)

System design
The RCCAs drives mechanisms are located on
the reactor top head. All RCCAs are divided into
12 groups, each comprising from six to 12
RCCAs.
Groups with numbers 12, 11, 10 and 9,
containing six, seven, nine and twelve RCCAs,
respectively, are referred to the control groups.
Group No 12 is the CPS CR working group.

41
 Reactor trip system (control and protection system actuator set)
✓ In normal operation conditions all RCCAs are above the core except for control grope No. 12.
Anticipated operational occurrences - DBC 2
✓ To fulfill the reactor preventive protection (PP) function the system according to the
preventive protection initiation criteria together with the drives and CR shall ensure a
decrease in the power or prohibition of increasing the power to prevent the reactor scram
and/or violations of the limits and conditions of safe operation. To fulfill this function it is
provided for:
• Preventive protection PP-2 when the monitored parameters reach respective setpoints,
• The accelerated preventive protection (APP) comes in action when malfunctions in
operation of main equipment of the power unit occur (for example switching off main
coolant pumps. APP is realized by either dropping certain CPS CRs group or from the MCR
operator’s switch.
System functioning in case of design basis accidents - DBC 3 and 4
✓ To fulfill the reactor emergency protection function the system according to the initiation
criteria shall quickly shutdown the reactor bringing it to the subcritical state.

42
Reactor trip system (control and protection system actuator set)
System functioning in case of design basis accidents - DBC 3 and 4
✓ In accident conditions in response to a signal of emergency protection all
electromagnets are deenergized, the latches are open and the extension shafts with the
RCCAs drop downwards by gravity for less than 4s.
System functioning in case of design extension conditions (DEC)
✓ Complex sequences (without fuel melting) / The system fulfill the same function as in
the modes of DBC 3 and 4 except for ATWS accidents (Anticipated transients without
scram).
✓ Severe accidents / Control rods are melted.
System functioning under external impacts
✓ The reactor trip system is able to perform all its functions with external impacts
accepted for this design.
✓ The system is protected against external impacts, natural disasters: earthquakes,
hurricanes, extreme temperatures.

43
TOPIC QUESTIONS

CONTROL QUESTIONS TO REACTOR TRIP SYSTEM

(CONTROL AND PROTECTION SYSTEM ACTUATOR SET)
1. What are the purpose of the system?
2. What are the functions of the system?
3. What happens when all RCCAs are inserted in the
reactor core?

44
 Borated water storage system (JNK)
The system purpose and functions
✓ JNK system is intended for storage of low concentration (16-20 g H3BO3 / kg
Н2O) and high concentration (39,5-44,5 g H3BO3/dm3 Н2O) borated water for
NPP operation in all operation modes for:
▪ emergency core cooling during Loss of Coolant Accidents(LOCA) or into the
containment during Break of The Steam Line inside the containment
▪ supply of borated water for the initial filling of the Core Catcher heat-exchanger at a
Severe Accident (SA)
▪ primary circuit boron concentration control under Normal Operation Conditions
(NOC) and Anticipated Operational Occurrences(AOO) – modes of DBC 2;
▪ borated water injection into the pressurizer at Primary-to-Secondary Circuit
Leakage - mode of DBC 3&4;
▪ borated water injection into the reactor during ATWS - modes of Complex
sequences at DEC.
45
 Borated water storage system (JNK)

The system is composed of two identical and completely independent trains:

✓ The system includes two tank sumps for low concentration borated water
JNK10(40)BB001 and two tanks of high concentration JNK10(40)ВB002 (16-
20 g/kg and 39-5-44,5g/kg respectively):
✓ Sump tanks JNK10(40)BB001 are located inside containment UJA and connected
with the following systems:
• low pressure emergency injection system (JNG-1) and;
• through pipelines of this system with the high pressure emergency injection system
(JND) and containment spray system (JMN) and supply borated water for the initial
filling of the core catcher heat-exchanger at a severe accident
• Two independent trains of JNG-1, JND, JMN system are connected to each sump tank.
✓ Tanks JNK10(40)BB002 are located in Safety Building UKD and connected with the
emergency boron injection system (JDH)
46
Borated water storage system (JNK)

Design basis accidents, the system ensures

boron solution supply to the safety systems pumps
for:
✓ Emergency core cooling during LOCA
✓ Injection into the containment during LOCA
or Break of the Steam Line Inside The
Containment
✓ borated water injection into the pressurizer at
Primary-to-Secondary Circuit Leakage

47
Borated water storage system (JNK)

Design basis accidents (cont.)

✓ Supply of water for the sprinkler system
which is localizing safety system with the
following functions:
• protection of the inner containment against
high pressure and temperature;
• Binding of volatile radioactive iodine in the
atmosphere of inner containment

48
Borated water storage system (JNK)
Design Extension Conditions
Complex sequences
✓ borated water injection into
the reactor during
Anticipated Transients
Without Scram (ATWS)
from high concentration
borated water sump tanks

Severe accident
✓ supply of borated water for
the initial filling of the Core
Catcher heat-exchanger
from low concentration
borated water tanks

49
TOPIC QUESTIONS

CONTROL QUESTIONS TO the system JNK

1. What is the concentration of the of borated water

stored in the system (g H3BO3 / kgН2O)?
2. Where are located the sump tanks for low
concentration borated water JNK10(40)BB001?
3. During what type of accidents, the system sprays
borated water for injection into the containment?

50
 Emergency Core Cooling System (ECCS) Passive part
The system purpose and functions
✓ ECCS Passive part is intended for quick boric acid solution supply into the Reactor Vessel (RV) for
core cooling and its flooding in case of Loss of coolant accident (LOCA)

✓ At LOCA the system providing supply of borated water to reactor core when the primary pressure
below 5,9 MPa without operator action passive way.
✓ The system shall provide pressure of 5.9MPa inside the tanks of hydro accumulators by nitrogen
(N2) blanket and 50 m3 of borated water in each tank.
✓ On the connecting pipes from the hydro accumulators are placed two quick acting cut-off valves
which are intended to close automatically when the level inside a hydro accumulators becomes
critically low. The objective of these cut-off valves is to prevent entry of nitrogen in primary circuit.

✓ The means are provided for monitoring and control of system during normal operation, accidents
and post accident period.
✓ The system equipment is powered from normal and emergency electric supply systems
(batteries).
51
Emergency Core Cooling System (ECCS-JNG), Passive part

The capacity of the system capacity (4x50%).

Two Check Valves installed in each pipeline are intended for isolation the
accumulator from reactor during normal operation.
Emergency Boron Injection System(JDH) channels are connected to ECCS
Passive part channels through the „Т- pieces“ connector on the pipeline
between the Check Valves.
Tanks of the hydro accumulators are equipped with protective relief valves in
JNG 20,40 case of fails in the system for support of nitrogen blanket in the tanks or in
case of loss of the system for removal of technological heat from the
JNG 20,40
JND 20,40
equipment (ventilation systems).
System capacity is sized for assurance of heat removal from the reactor core
in case of LB LOCA during the time period which corresponds of the
technological time to activate and start-up of safety systems for long-time
cooling of the core (systems without usage of passive principles of operation).
RPC
Each channel is connected to the reactor by a separate pipe line: two
channels are connected to the reactor inlet chamber and two other channels
are connected to the reactor outlet chamber. 52
Emergency Core Cooling System (ECCS-JNG), Passive part
P accumulators – 5,9MPa

Normal operation on power level - DBC 1

✓ The system ensures:
open
▪ Resource of borated water for quick injection
close to reactor if happened the accident;
▪ The system is in stand-by mode:
o quick –acting isolation gate valves are open
o each accumulator is isolated from the
reactor by two check valves
P reactor –
16,2MPa

53
Emergency Core Cooling System (ECCS-JNG), Passive part

Scheduled cooldown - DBC 1

✓ The system is disconnected from the
close
reactor at the pressure into reactor
decreases in the 8,83÷9,81MPa range
close

✓ In case of loss-of-coolant in this mode

and reaching the set point for connection
of the system, its automatically
transferred into the operable state
Anticipated Operational Occurrence -
DBC 2
54
✓ System operation is not required
 Emergency Core Cooling System (ECCS-JNG),
Passive part
Design base accidents - DBC 3&4
✓ At the loss-of- coolant when the pressure is below 5,9 MPa check valves open in passive way
(due to pressure differential) and the borated water is provided from accumulators into the
reactor vessel.

✓ At decrease in the accumulators level down to 1250 mm quick-acting isolation gate valves are
closing automatically to prevent entry of nitrogen into the reactor.
✓ No operator’s intervention in control of the system is required during 30 min after the beginning
of the accident.
Design extension condition - DEC
✓ The water storage in the system could be used if primary circuit of the nuclear unit to remains
intact. Such option are usually considered as alternative operator actions in EOP or strategy in
SAMG for prevention of severe accident.
* EOP – Emergency operator procedures, SAMG – Severe accident management guidelines
55
 CONTROL QUESTIONS to ECCS-JNG), Passive part
How many independent channels are included into
system design?
1. What medium are provided pressure into the
hydro accumulators?
2. In what Design condition the operator may
activate the system?

56
 Primary Circuit Overpressure Protection System

✓ The number (three sets) of the PORVs is determined :

• By the principle “n+1” (“n” is the number of PORVs to ensure the discharged
medium flowrate required for pressure decrease) ensuring no more 15%
overpressures in case of failure of one PORV valve.
• To ensure the pressure in the Primary circuit in emergency conditions does
not exceed the design value more than by 15 % take into account the time
of actuation and transient dynamic
• At the DBC2,3,4 for determination of PORV flow capacity the conditions of
closing the turbine stop valves are chosen accompanying with maximum
increase in the Primary Circuit Pressure
Criterion for PORV functioning under DEC1 type ATWS is that the primary
pressure is not exceeding 135% of the design pressure value. 57
 Primary Circuit Overpressure Protection System
• Primary Circuit Overpressure Protection System, being part of pressurizing
system, is intended for protection of the primary equipment and pipeline against
overpressure under DBC 2,3,4 and DEC.
• For the low temperature conditions the primary pressure shall not exceeded the
allowable pressure determined by the results of strength calculation for brittle
fracture resistance of equipment and pipelines.
• The first set of PORV, control PORV opens at the I circuit pressure setpoint of 17.7
MPa
• The other two opens at the I circuit pressure setpoint of 18.0 MPa
• PORV are qualified for discharge of steam, steam-water mixture and water when
there is increasing of primary coolant volume and/or pressure.
• PORV could be used for discharge of steam-gas mixture in case of severe accident
(DEC).
58
 Primary Circuit Overpressure Protection System

Each Pressurizer PORV includes:

✓ Main Valve (1) / Discharge steam, steam-water and water
flow the Pressurizer to relief tank.
✓ Pilot valves(2) / MV and PV are connected by impulse
lines. PV are activated by impulse (solenoid) or as direct
acting valve from the dampers when pressure increases.
✓ Additional control line (5, 6) for opening of the MV with
remotely controlled from MCR/ECR solenoid valve and
isolation valve.
✓ Shut-off valve (3) / The shut-off valve provides the
following options:
▪ forced closing of the MV in case of PV failure or its
accidental opening
▪ Locking the MV into close state during Hydrotests of
Primery circuit(P- 24MPa) and PV spring adjusted and
tests without MV activation (4). 59
 TOPIC QUESTIONS

CONTROL QUESTIONS TO Primary Circuit

Overpressure Protection System
1. Which are the main “Primary Circuit Overpressure
Protection Systems” safety components?
2. What happen when the pressure in I circuit
reached 17, 7 MPa ?
3. What happen when the pressure in I circuit
reached 18, 0 MPa?

60
 REFERENCES

Editorial note
This presentation may contain information from public open sources and external Internet web sites referred hereto.
The author does not guarantee that the content of such sources will remain actual, accurate or appropriate.

1. El Dabaa NPP Unit 1 PRELIMINARY SAFETY ANALYSIS REPORT Chapter

12 Safety systems Package 1 Revision B01
ED.B.P000.1.12&&&&&&&&&&.022.HE.0001.E
2. El Dabaa NPP CONCEPTUAL DESIGN Section 1 Safety concept Revision
B03 ED.C.P000.&.&&&&&&01&&&&.000.TJ.0001.E
&

62
Disclaimer
This presentation has been prepared
by a representative of Worley.

The presentation contains the professional and personal opinions of the

presenter, which are given in good faith. As such, opinions presented
herein may not always necessarily reflect the position of Worley as a
whole, its officers or executive.

Any forward-looking statements included in this presentation will involve

subjective judgment and analysis and are subject to uncertainties, risks
and contingencies—many of which are outside the control of, and may be
unknown to, Worley.

Worley and all associated entities and representatives make no

representation or warranty as to the accuracy, reliability or completeness
of information in this document and do not take responsibility for updating
any information or correcting any error or omission that may become
apparent after this document has been issued.

To the extent permitted by law, Worley and its officers, employees, related
bodies and agents disclaim all liability—direct, indirect or consequential
(and whether or not arising out of the negligence, default or lack of care
of Worley and/or any of its agents)—for any loss or damage suffered by a
recipient or other persons arising out of, or in connection with, any use or
reliance on this presentation or information.