Pre Construction Safety Report

Transcription

HPC-NNBOSL-U0-000-RES-000076 Version 1.0
Hinkley Point C Pre-Construction Safety Report 2012
Head Document
NOT PROTECTIVELY MARKED
NNB GENERATION COMPANY LTD
HINKLEY POINT C PRE-CONSTRUCTION SAFETY REPORT
2012
HEAD DOCUMENT
1.0
Version
Date of Issue
December 2012
Document No.
HPC-NNBOSL-U0-000-RES-000076
Next Review Date
Produced by
(Company/Organisation)
NNB GenCo
© 2012 Published in the United Kingdom by NNB Generation Company Limited (NNB GenCo), 90 Whitfield Street - London, W1T
4EZ. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including
photocopying and recording, without the written permission of the copyright holder NNB GenCo, application for which should be
addressed to the publisher. Such written permission must also be obtained before any part of this publication is stored in a retrieval
system of any nature. Requests for copies of this document should be referred to Head of Management Arrangements, NNB
Generation Company Limited (NNB GenCo), 90 Whitfield Street - London, W1T 4EZ. The electronic copy is the current issue and
printing renders this document uncontrolled. Controlled copy-holders will continue to receive updates as usual.
UNCONTROLLED WHEN PRINTED
Page 1 of 230
Head Document
{ PI removed }
Text within this document that is enclosed within curly brackets “{…}” is AREVA or EDF
Commercially Confidential Information (CCI) or Personal Information (PI) and has been removed.
Page 2 of 230
Head Document
{ PI removed }
Page 3 of 230
Head Document
TABLE OF CONTENTS
PREFACE ..................................................................................................................................... 12
0
EXECUTIVE SUMMARY ................................................................................................... 16
0.1
Purpose and Scope of HPC PCSR2 ................................................................................ 16
0.2
HPC PCSR2 and the Generic Design Assessment ........................................................ 17
0.3
Structure of HPC PCSR2 .................................................................................................. 18
0.4
Governance and Review Processes ............................................................................... 20
0.5
Key Site-Specific Sections of HPC PCSR2 ..................................................................... 21
0.6
HPC PCSR2 and the HPC Reference Design ................................................................. 23
0.7
Design Substantiation to Support Construction ........................................................... 24
0.8
Nuclear Safety Design Assessment Principles ............................................................. 24
0.9
Safety Functions ............................................................................................................... 25
0.10
Design Basis Analysis ..................................................................................................... 26
0.11
Hazards Protection ........................................................................................................... 27
0.12
Contributors to Risk ......................................................................................................... 28
0.13
Design Extension Condition Analysis ............................................................................ 30
0.14
Severe Accident Analysis ................................................................................................ 30
0.15
Human Factors.................................................................................................................. 31
0.16
Radiological Protection.................................................................................................... 32
0.17
Reduction of Risk to an ALARP Level ............................................................................ 32
0.18
Future Development of the HPC Safety Case ................................................................ 33
0.19
Fukushima Recommendations........................................................................................ 34
0.20
Forward Work Activities................................................................................................... 35
0.21
Conclusions ...................................................................................................................... 36
1
INTRODUCTION AND GENERAL DESCRIPTION ........................................................... 38
1.1
Summary ........................................................................................................................... 38
1.1.1 Generic Design Features ................................................................................................. 38
1.1.2 Site-Specific Features (HPC) ........................................................................................... 39
1.2
Source Information and Applicability of GDA ................................................................ 41
1.2.1 Status of Sub-chapters .................................................................................................... 41
1.2.2 Boundary and Scope of GDA .......................................................................................... 42
1.3
Route Map ......................................................................................................................... 42
1.4
Conclusions ...................................................................................................................... 42
1.5
References ........................................................................................................................ 43
2
SITE DATA AND BOUNDING CHARACTER OF GDA SITE ENVELOPE ....................... 44
Page 4 of 230
Head Document
2.1
2.1.1
2.1.2
2.1.3
Summary ........................................................................................................................... 44
Bounding character of the GDA site envelope ............................................................. 44
Site Data Out-of-scope of GDA ....................................................................................... 46
Justification that the Site is of a Sufficient Size ........................................................... 48
2.2
Source Information and Applicability of GDA ............................................................... 48
2.2.1 Status of Sub-chapters.................................................................................................... 48
2.2.2 Boundary and Scope of GDA.......................................................................................... 49
2.3
Route Map ......................................................................................................................... 50
2.4
Conclusions ...................................................................................................................... 50
2.5
References ........................................................................................................................ 50
3
GENERAL DESIGN AND SAFETY ASPECTS................................................................. 51
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
Summary ........................................................................................................................... 51
General Safety Principles................................................................................................ 51
Classification of Structures, Systems and Components ............................................. 54
Design of Safety Related Civil Structures ..................................................................... 55
Mechanical Systems and Components ......................................................................... 56
Safety Related Interfaces ................................................................................................ 56
Qualification of Electrical and Mechanical Equipment for Accident Conditions ....... 56
Codes and Standards used in the design of the EPR .................................................. 57
Summary of Computer Codes Used in Chapter 3......................................................... 58
3.2
Summary of the process for learning from Fukushima and the stress tests ............. 58
3.3
3.4
Route Map ......................................................................................................................... 60
3.5
Conclusions ...................................................................................................................... 60
3.6
References ........................................................................................................................ 61
4
REACTOR AND CORE DESIGN ...................................................................................... 63
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
Summary ........................................................................................................................... 63
Safety Functions .............................................................................................................. 63
Summary Description of the Core and the Fuel Assemblies....................................... 63
Summary Description of the Reactivity Control Methods ........................................... 64
Objectives of the Nuclear and Thermal-Hydraulic Design Analyses .......................... 65
Other Items Presented in the Consolidated GDA PCSR 2011 ..................................... 65
4.2
4.3
Route Map ......................................................................................................................... 66
4.4
Conclusions ...................................................................................................................... 66
4.5
References ........................................................................................................................ 67
5
REACTOR COOLANT SYSTEM AND ASSOCIATED SYSTEMS ................................... 68
5.1
Summary ........................................................................................................................... 68
Page 5 of 230
Head Document
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
Safety Functions ..............................................................................................................68
Components of the Reactor Coolant System ................................................................ 68
RCP [RCS] Fluid Characteristics .................................................................................... 69
Integrity of Reactor Coolant Pressure Boundary .......................................................... 69
Primary Circuit Chemistry ............................................................................................... 72
5.2
5.3
Route Map ......................................................................................................................... 74
5.4
Conclusions ...................................................................................................................... 75
5.5
References ........................................................................................................................ 75
6
CONTAINMENT AND SAFEGUARD SYSTEMS .............................................................. 76
6.1
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
Summary ........................................................................................................................... 76
Containment Systems ...................................................................................................... 76
Safeguard Systems .......................................................................................................... 77
Integrity of the Containment Systems ............................................................................ 78
Habitability of the Control Room .................................................................................... 79
Chemistry and Radiochemistry ...................................................................................... 79
6.2
6.3
Route Map ......................................................................................................................... 80
6.4
Conclusions ...................................................................................................................... 81
6.5
References ........................................................................................................................ 82
7
INSTRUMENTATION AND CONTROL ............................................................................. 83
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
Summary ........................................................................................................................... 83
Level 0: Process Interfaces ............................................................................................. 83
Level 1: Automation Systems ......................................................................................... 84
Level 2: Monitoring and Control of the Unit .................................................................. 86
Substantiation .................................................................................................................. 87
7.2
7.3
Route Map ......................................................................................................................... 88
7.4
Conclusions ...................................................................................................................... 89
7.5
References ........................................................................................................................ 89
8
ELECTRICAL SUPPLY AND LAYOUT ............................................................................. 90
8.1
Summary ........................................................................................................................... 90
8.1.1 Safety Functions ..............................................................................................................91
8.2
Page 6 of 230
Head Document
8.3
Route Map ......................................................................................................................... 92
8.4
Conclusions ...................................................................................................................... 94
8.5
References ........................................................................................................................ 94
9
AUXILIARY SYSTEMS ..................................................................................................... 96
9.1
9.1.1
9.1.2
9.1.3
9.1.4
Summary ........................................................................................................................... 96
Safety Functions .............................................................................................................. 96
Other Supporting Systems ............................................................................................. 99
Chemistry Control ......................................................................................................... 100
Construction Design Code............................................................................................ 100
9.2
9.2.1
9.2.2
9.2.3
Source Information and Applicability of GDA ............................................................. 101
Status of Sub-chapters.................................................................................................. 101
Boundary and Scope of GDA........................................................................................ 103
Classification of systems .............................................................................................. 103
9.3
Route Map ....................................................................................................................... 103
9.4
Conclusions .................................................................................................................... 104
9.5
References ...................................................................................................................... 105
10
STEAM AND POWER CONVERSION SYSTEMS.......................................................... 106
10.1 Summary ......................................................................................................................... 106
10.1.1 Safety Functions ............................................................................................................ 106
10.1.2 Turbine Generator ......................................................................................................... 106
10.1.3 Steam Systems .............................................................................................................. 107
10.1.4 Feedwater Systems ....................................................................................................... 107
10.1.5 Tertiary Cooling Systems.............................................................................................. 108
10.1.6 Break Preclusion Concept ............................................................................................ 108
10.1.7 Chemistry ....................................................................................................................... 108
10.1.8 Design Code ................................................................................................................... 109
10.2 Source Information and Applicability of GDA ............................................................. 110
10.2.1 Status of Sub-chapters.................................................................................................. 110
10.2.2 Boundary and Scope of GDA........................................................................................ 110
10.3
Route Map ....................................................................................................................... 112
10.4
Conclusions .................................................................................................................... 113
10.5
References ...................................................................................................................... 113
11
DISCHARGES AND WASTE/SPENT FUEL ................................................................... 114
11.1 Summary ......................................................................................................................... 114
11.1.1 Safety Functions ............................................................................................................ 114
11.1.2 Discharges and Disposals ............................................................................................ 114
11.1.3 Overview of Facilities and Systems ............................................................................. 115
Page 7 of 230
Head Document
11.3
Route Map ....................................................................................................................... 121
11.4
Conclusions .................................................................................................................... 122
11.5
References ...................................................................................................................... 122
12
RADIOLOGICAL PROTECTION ..................................................................................... 124
12.1
Summary ......................................................................................................................... 124
12.2 Source Information and Applicability of GDA .............................................................. 124
12.2.1 Status of Sub-chapters .................................................................................................. 124
12.2.2 Boundary and Scope of GDA ........................................................................................ 125
12.3
Route Map ....................................................................................................................... 126
12.4
Conclusions .................................................................................................................... 127
12.5
References ...................................................................................................................... 127
13
HAZARDS PROTECTION ............................................................................................... 129
13.1 Summary ......................................................................................................................... 129
13.1.1 HPC External Hazards List ............................................................................................ 132
13.1.2 HPC Internal Hazards List ............................................................................................. 133
13.3 Route Map ....................................................................................................................... 135
13.3.1 External Hazards ............................................................................................................ 135
13.3.2 Internal Hazards ............................................................................................................. 135
13.4
Conclusions .................................................................................................................... 136
13.5
References ...................................................................................................................... 137
14
DESIGN BASIS ANALYSIS ............................................................................................ 138
14.1
Summary ......................................................................................................................... 138
14.3
Route Map ....................................................................................................................... 145
14.4
Conclusions .................................................................................................................... 147
14.5
References ...................................................................................................................... 147
15
PROBABILISTIC SAFETY ASSESSMENT .................................................................... 149
15.1 Summary ......................................................................................................................... 149
15.1.1 Level 1 PSA ..................................................................................................................... 150
15.1.2 Level 2 PSA ..................................................................................................................... 152
15.1.3 Level 3 PSA ..................................................................................................................... 152
15.1.4 Risk Informed Design .................................................................................................... 153
15.1.5 PSA Model Limitations .................................................................................................. 153
Page 8 of 230
Head Document
15.3
Route Map ....................................................................................................................... 155
15.4
Conclusions .................................................................................................................... 156
15.5
References ...................................................................................................................... 157
Figure 15.1: Frequency Dose ‘Staircase’ for Results against SDO-5................................... 159
Figure 15.2: Comparison of the Individual Risk Assessment Results to SDO-7 ................ 160
16
RISK REDUCTION AND SEVERE ACCIDENT ANALYSES ......................................... 161
16.1 Summary ......................................................................................................................... 161
16.1.1 Risk Reduction via Extended Design Conditions ....................................................... 161
16.1.2 Severe Accident Analysis (RRC-B) .............................................................................. 162
16.1.3 Practical Elimination ..................................................................................................... 162
16.1.4 Specific Studies ............................................................................................................. 162
16.1.5 Functional Diversity....................................................................................................... 163
16.1.6 Computer Codes Used for RRC-A & RRC-B Analyses ............................................... 163
16.1.7 4900 MW Safety Analyses used in Chapter 16 ............................................................ 163
16.3
Route Map ....................................................................................................................... 167
16.4
Conclusions .................................................................................................................... 167
16.5
References ...................................................................................................................... 168
17
ALARP ASSESSMENT ................................................................................................... 169
17.1
Summary ......................................................................................................................... 169
17.3
Route Map ....................................................................................................................... 171
17.4
Conclusions .................................................................................................................... 173
17.5
References ...................................................................................................................... 174
18
HUMAN FACTORS AND OPERATIONAL ASPECTS ................................................... 176
18.1 Summary ......................................................................................................................... 176
18.1.1 Human Factors ............................................................................................................... 176
18.1.2 Normal Operation........................................................................................................... 176
18.1.3 Abnormal Operation ...................................................................................................... 177
18.3 Route Map ....................................................................................................................... 181
18.3.1 Human Factors ............................................................................................................... 181
18.3.2 Normal Operation........................................................................................................... 181
18.3.3 Abnormal Operation ...................................................................................................... 181
Page 9 of 230
Head Document
18.4
Conclusions .................................................................................................................... 182
18.5
References ...................................................................................................................... 182
19
COMMISSIONING ........................................................................................................... 183
19.1
Summary ......................................................................................................................... 183
19.3
Route Map ....................................................................................................................... 184
19.5
References ...................................................................................................................... 185
20
DECOMMISSIONING ...................................................................................................... 186
20.1
Summary ......................................................................................................................... 186
20.3
Route Map ....................................................................................................................... 189
20.4
Conclusions .................................................................................................................... 190
20.5
References ...................................................................................................................... 191
21
HPC PCSR MANAGEMENT FRAMEWORK, DESIGN, DEVELOPMENT AND USE AND
QA ARRANGEMENTS .................................................................................................... 192
21.1
Summary ......................................................................................................................... 192
21.2.1 Status of Sub-Chapters ................................................................................................. 193
21.3
Route Map ....................................................................................................................... 193
21.4
Conclusions .................................................................................................................... 196
21.5
References ...................................................................................................................... 196
22
FIGURES, GLOSSARY AND ABBREVIATIONS ............................................................ 197
FIGURES .................................................................................................................................... 197
GLOSSARY AND ABBREVIATIONS ......................................................................................... 224
LIST OF FIGURES
Figure 1: Diagram of the Safety Case Structure......................................................................... 197
Figure 2: Document Structure for HPC PCSR2 Chapter 1 ......................................................... 198
Figure 3a: Document Structure for HPC PCSR2 Chapter 2 ....................................................... 199
Figure 3b: Document Structure for HPC PCSR2 Chapter 2 ....................................................... 200
Page 10 of 230
Head Document
Figure 10: Document Structure for HPC PCSR2 Chapter 9 ....................................................... 209
Figure 11: Document Structure for HPC PCSR2 Chapter 10 ..................................................... 210
Figure 15a: Document Structure for HPC PCSR2 Chapter 14 ................................................... 214
Figure 15b: Document Structure for HPC PCSR2 Chapter 14 ................................................... 215
Figure 23: HPC Design Process ................................................................................................. 223
Page 11 of 230
Head Document
PREFACE
This document is the Head Document of Hinkley Point C Pre-Construction Safety Report
2012 (HPC PCSR 2012), during its preparation it was also known as Hinkley Point C
Pre-Construction Safety Report version 2 (HPC PCSR2).
NNB GenCo plans to build a twin UK EPR unit power station at Hinkley Point C (HPC).
NNB GenCo has prepared a Pre-Construction Safety Report, version 2 (PCSR2), to
provide the baseline safety justification to support entry to the construction phase of this
project. This report represents the Head Document of PCSR2 and is the top-level
summary of the safety justification.
The safety case for allowing the movement of the HPC project into the construction
phase can be broken down into the following statements:
x
The design process for the UK EPR units proposed for the HPC site will ensure that
the plant has appropriate features and functions to ensure the safety of operations
and that the risks from operations will be broadly acceptable and reduced so far as is
reasonably practicable,
x
HPC PCSR2 justifies a Reference Design for the UK EPR at HPC. Changes to this
Reference Design will be controlled through suitable interim arrangements until the
appropriate time for implementation of the Modification to Design of Plant Under
Construction (LC 20) arrangements.
x
The HPC site has been shown to be a suitable location for the siting of the twin UK
EPR nuclear power plant,
x
This is NNB GenCo’s current expression of the safety case and status of the further
work required before proceeding with construction,
x
The NNB GenCo processes and procedures described within this safety report
demonstrate that there are adequate organisational arrangements in place for
enabling development of suitable safety management arrangements at the
appropriate time, thereby ensuring the safe design, construction, commissioning,
operation and decommissioning of the twin UK EPR units at HPC.
UK EPR Design
NNB GenCo is being supported in the development of HPC by its parent EDF SA and its
UK affiliates. The UK EPR is currently the subject of a Generic Design Assessment
(GDA), with the generic design and safety case submitted to the Office for Nuclear
Regulation (ONR) and the Environment Agency (EA) jointly by EDF SA and AREVA NP.
The UK EPR is a Pressurised Water Reactor (PWR) whose design combines proven
technology based on the most recent French N4 and German KONVOI PWRs. The
design of the reactor unit represents an evolution in PWR technology. It introduces some
new features including improved protection against and mitigation for core meltdown,
increased robustness against external hazards (in particular aircraft crashes and
earthquakes) and a set of safeguard systems providing quadruple redundancy. The
functioning of the nuclear power plant is based on a primary system, a secondary
system and an ultimate cooling system.
The primary system is a closed water-filled pressurised system installed in a leak tight
steel and concrete enclosure, the Reactor Building. The primary system is comprised of
a reactor, namely a steel vessel containing the nuclear fuel (reactor core), and four
Page 12 of 230
Head Document
cooling loops each containing a reactor coolant pump and a steam generator. A
pressuriser provides control of reactor coolant pressure. The reactor is a light water
moderated and cooled design utilising low-enriched uranium fuel clad in a zirconium
alloy. The reactor has a rated thermal power of 4,500 MW. The heat produced by the
nuclear reaction inside the reactor vessel is extracted by the pressurised water that
circulates in the primary system. The heated water then passes through the steam
generators. Here the heat is transferred to the water of the secondary system that flows
between the steam generator tubes.
The secondary system is a closed system that takes heat from the primary system and
supplies steam to the turbine generator set located in the turbine hall. Water in this
system boils in the steam generators heated by the primary system. The steam drives a
turbine coupled to the generator that produces electrical energy. After leaving the turbine
the steam is returned to its liquid state in the condenser, and then returned to the steam
generator.
Temporary storage of spent nuclear fuel is provided by the presence of a cooling pool
situated in a dedicated Fuel Building that forms an integral structure with the Reactor
Building.
The UK EPR has been designed to meet safety objectives for 3rd generation reactors
that include reduced Core Damage Frequency (CDF), enhanced protection against
external and internal hazards, and significant reduction in the radiological risk to the
public if a core melt were to occur. The reduced risk of a severe accident (core damage
accident) is achieved by the implementation of quadruple redundancy in main safety
systems such as the Emergency Feedwater and Safety Injection systems, and provision
of diversified back-up systems. Severe accident scenarios have been taken into account
at the design stage, including the practical elimination of high consequence low
frequency fault sequences (e.g. high pressure core melt).
The incorporation into the UK EPR design of an aircraft protection shell covering the
reactor, the spent Fuel Building, the interim spent fuel store, trains 2 & 3 of the
safeguard buildings, and trains 1 & 4 of the cooling water pump house ensures
adequate protection of the reactor and key safety systems enabling continued
availability of main safety functions. Further protection against aircraft impact is provided
by the geographical separation of emergency diesel generators and diverse cooling
water emergency outfall points.
The UK EPR design was awarded an interim Design Acceptance Confirmation (iDAC) by
the ONR and an interim Statement of Design Acceptability (iSoDA) by the EA in
December 2011.
The HPC Reference Design is based on the Flamanville 3 (FA3) design and the
outcome of the GDA of the UK EPR, plus site-specific features. The HPC Reference
Design is currently subject to a further iterative engineering phase to address a number
of potential design developments. Changes to this Reference Design will be controlled
through suitable interim arrangements until the appropriate time for implementation of
the Modification to Design of Plant Under Construction (LC 20) arrangements.
The issues and findings identified in the GDA of the UK EPR are being tracked to ensure
that they are appropriately resolved. The design criteria and approaches described in
the GDA safety report are sufficient for completing the remaining design work in a
manner that will ensure the safety of operation of the plant.
HPC Site
The proposed twin UK EPR units of HPC will be located to the west of the ‘A’ and ‘B’
stations and adjacent to the ‘A’ station. The HPC site has been assessed and
Page 13 of 230
Head Document
characterised by NNB GenCo to ensure it is a safe site for the construction,
commissioning, operation and decommissioning of twin UK EPR units. This has included
an assessment of the environmental hazards of the site, its geology, that it is of sufficient
size, that there is adequate cooling available and that it can be connected to grid
supplies. These assessments have shown that the site is fit for purpose.
The ultimate cooling system (heat sink) for the proposed HPC power station will be an
‘open circuit’ system drawing water from the Bristol Channel through two offshore intake
tunnels and discharging through a common discharge tunnel. At the onshore end of
each intake tunnel the water feeds into an open forebay. The intake water is filtered as it
is drawn from each forebay into an adjacent pumping station that supplies the cooling
water for a single unit. Once the cooling water has served its heat removal function it is
piped to a discharge pond (one per unit). A diversification system provides an alternative
means of supplying the heat sink safety systems with water drawn from the main basin
of the discharge pond in the event of loss of the normal heat sink.
In addition to the standard UK EPR design, the proposed HPC power station includes an
Interim Spent Fuel Store (ISFS). This provides on-site storage of long-cooled fuel
removed from the spent fuel pools in the Fuel Building. While the spent fuel pools
provide storage capacity for approximately ten years, the ISFS will have the necessary
storage capacity to cover the full 60-year operational lifetime of the plant.
The proposed HPC power station also includes an Interim Intermediate Level Waste
(ILW) Store to provide storage of ILW arisings until a Geological Disposal Facility (GDF)
is available.
The ONR and the EA regulate compliance with legislation for nuclear installations in the
UK, covering the design, construction, operation and decommissioning of nuclear power
plants. The ONR is responsible for regulating nuclear safety and security, including the
safe management, conditioning and storage of radioactive waste. The EA is responsible
for regulating the environmental discharges and radioactive waste disposals on or from a
site. The constraints imposed by the regulations have the purpose of ensuring the safe
operation of the nuclear facilities and of reducing their environmental impact. The UK
EPR design will comply with all relevant UK regulations and NNB GenCo’s own Nuclear
Safety Design Assessment Principles (NSDAPs). The UK EPR design will comply with
all relevant approved codes of practice where possible or will have suitable substitution
arrangements in place where this is not the case.
NNB GenCo HPC Safety Case Future Plans
Appropriate and timely future safety submissions will be produced to support the
development of HPC. There is a need for a summary and collation of all the relevant
engineering design and substantiation prior to the construction of any significant stage of
safety-related construction. This is to demonstrate a well understood and defined safety
justification for the construction activity taking place. This is achieved though the creation
of a Construction Safety Justification (CSJ) to support the release of a construction Hold
Point. The main purposes of HPC PCSR3 will be to incorporate the final GDA PCSR and
align the Safety Case and Design workstreams.
The CSJ required to release a Hold Point will be tailored to support the specific
construction activities defined by the construction programme. The CSJ will be
categorised to allow the level of detail, amount of review and due process required to be
proportionate to the nuclear safety significance of the associated construction activity.
The CSJ will draw together the design substantiation information pertaining to the
relevant construction activity and provide confidence that the detailed design will meet
the relevant safety objectives prior to commencement of construction. The applicable
Page 14 of 230
Head Document
CSJs will be submitted to ONR for its assessment of NNB GenCo’s application for
consent to construct at the appropriate time.
NNB GenCo is currently in the Pre-Construction phase of the project. Following
submission of HPC PCSR2, NNB GenCo will commence work on HPC PCSR3, with the
aim of bringing together HPC PCSR2, the Final GDA PCSR and relevant CSJs, and to
incorporate the appropriate HPC Reference Design. The NNB GenCo processes and
procedures described within this safety report demonstrate that there are organisational
arrangements in place for enabling development of suitable safety management
arrangements at the appropriate time, thereby ensuring the safe design, construction,
commissioning, operation and decommissioning of the twin UK EPR units at HPC.
Compliance with the regulations, safety principles and design codes and
standards applicable to the various Structures, Systems and Components (SSCs),
and to the protection of workers and the public, are demonstrated in the HPC
PCSR2 safety report. Section 0 provides an executive summary of HPC PCSR2,
summarising the baseline safety justification that supports entering the
construction phase of the HPC project. Each sub-section has a bold paragraph
that contributes towards the overall conclusion that HPC PCSR2 supports NNB
GenCo’s own assurance for entering the construction phase of the project.
Page 15 of 230
Head Document
0
EXECUTIVE SUMMARY
0.1
Purpose and Scope of HPC PCSR2
NNB GenCo plans to build a twin UK EPR unit power stationat Hinkley Point C (HPC).
NNB GenCo has prepared a Pre-Construction Safety Report, version 2 (PCSR2), to:
x
Provide the baseline safety justification for the construction and operation of twin UK
EPR units at HPC,
x
Provide the safety justification to support entry to the construction phase of this
project.
The term ‘PCSR’ refers to the safety report, which is the top-tier/highest level of the
safety case at this Pre-Construction phase. Although described as a report, for HPC it
currently consists of this Head Document plus a set of sub-chapters. These subchapters are available as individual documents. The term 'Safety Case' refers to the
totality of documented information and analyses that substantiate the safety of the
construction and operation of the plant. This includes (but is not limited to) HPC PCSR2
and all its supporting references.
In addition, HPC PCSR2 has been prepared to:
x
Provide the initial demonstration that the current Reference Design proposal will
meet the safety objectives prior to commencing construction or installation,
x
Provide the initial demonstration that the operating limits and conditions of the plant
will be suitable to achieve safe operation,
x
Provide the demonstration that the construction and installation activities will result in
a plant of appropriate quality,
x
Provide the initial assessment of the hazards and faults associated with the twin UK
EPRs at the HPC site,
x
Provide the initial demonstration that sufficient deterministic and probabilistic
assessment has been performed to prove that the plant can be operated safely, and
that risk will be As Low As Reasonably Practicable (ALARP),
x
Provide the initial demonstration of the feasibility of commissioning and
decommissioning,
x
Provide the baseline safety justification for a future request to the Office for Nuclear
Regulation (ONR) for consent to commence construction in line with NNB GenCo
arrangements for Licence Condition (LC) 19 compliance,
x
Detail the safety management process for enabling each safety classified Structure,
System or Component (SSC) or group of SSCs to proceed to construction,
x
Facilitate NNB GenCo’s management of the design, procurement and construction
work,
x
Give confidence that further safety justification, including appropriate design
substantiation, will be developed at the relevant stages of the HPC project,
x
Provide technical information to support the Nuclear Site Licence (NSL) application,
x
Incorporate the Consolidated Generic Design Assessment (GDA) PCSR 2011 and
site-specific studies,
Page 16 of 230
Head Document
x
Identify any current gaps and the Forward Work Activities to close these gaps.
This report is not intended to provide the detailed design substantiation for the twin UK
EPRs at the HPC site; this will be an ongoing iterative process using Construction Safety
Justifications (CSJs) for the appropriate construction Hold Points.
This report does not cover environmental safety, conventional health and safety or site
security; these aspects will be covered in other documentation.
HPC PCSR2 provides the baseline the safety justification to support NNB GenCo
entering the construction phase of the HPC project. Construction of safety
classified structures will be justified by HPC PCSR2 supplemented with
appropriate design substantiation in future safety submissions.
0.2
HPC PCSR2 and the Generic Design Assessment
NNB GenCo is being supported in the development of HPC by its parent EDF SA and its
UK affiliates. The UK EPR is currently the subject of a Generic Design Assessment, with
the design and safety case submitted to the ONR and the EA jointly by EDF SA and
AREVA NP. The UK EPR design was awarded an interim Design Acceptance
Confirmation (iDAC) by the ONR and an interim Statement of Design Acceptability
(iSoDA) by EA in December 2011.
As part of the GDA process, AREVA NP and EDF SA, as the Requesting Parties, have
produced a generic Pre-Construction Safety Report (GDA PCSR). The current version of
the GDA PCSR was issued in March 2011 (referred to as the Consolidated GDA PCSR
2011) and a final version is planned for late 2012.
The GDA PCSR is intended to provide information necessary to achieve generic design
acceptance for construction of an EPR plant in the UK. It does not specify a site, but
identifies bounding characteristics of a hypothetical UK site, and is generic for any
licensee who may wish to build an EPR in the UK.
Relevant parts of Consolidated GDA PCSR 2011 have been adopted by NNB GenCo to
form part of HPC PCSR2. Where sub-chapters of Consolidated GDA PCSR 2011 are
applicable to HPC they have been used as sub-chapters for HPC PCSR2 directly. Sitespecific versions have been produced where the Consolidated GDA PCSR 2011 subchapters are not applicable or do not cover all the required scope. If the differences
between Consolidated GDA PCSR 2011 and HPC are small, or the site-specific
information is not yet fully developed, the Consolidated GDA PCSR 2011 sub-chapters
have been retained, and an explanation of the remaining gaps and associated Forward
Work Activities identified. In this case subsequent versions of the HPC PCSR will
develop site-specific chapters at a later date. Chapter 21 explains the process applied by
NNB GenCo to adopt the GDA documents.
Cross-referencing within adopted GDA sub-chapters may not correctly align with new
HPC site-specific sub-chapters.
HPC PCSR2 aims to make the most effective use of the GDA information and the
assessment process that this has been through. This is achieved by clearly
presenting the differences and additional analysis for HPC and by superseding
certain non-applicable Consolidated GDA PCSR 2011 documents with HPC sitespecific documents.
Page 17 of 230
Head Document
0.3
Structure of HPC PCSR2
This Head Document is the top-level summary of HPC PCSR2, presenting in a single
document a high-level collated overview of the safety report. Below the Head Document
is the full set of HPC PCSR2 documents, grouped into 21 chapter topics. The chapter
topics can be described by five main themes:
x
Chapters 1 - 3 cover the general description of the HPC site characteristics and
applicability of the Consolidated GDA PCSR 2011 site characteristics and general
safety principles of the design,
x
Chapters 4 - 11 cover the main SSCs, together with their safety requirements,
x
Chapters 12 - 18 cover the safety analysis performed to demonstrate that the risk
levels associated with the HPC site are acceptable,
x
Chapters 19 - 20 cover the principles and future feasibility of commissioning and
decommissioning activities,
x
Chapter 21 covers the quality and safety management of the production of HPC
PCSR2 and references to the management of future construction activities.
A diagram of the safety case structure for HPC PCSR2 is provided in Figure 1, which
illustrates the general principles of the structure and the types of documents.
As a minimum, each chapter summary in the Head Document contains the following
information:
x
A summary of the relevant topic,
x
High-level safety functions for systems chapters,
x
Confirmation (or otherwise) of the applicability of the matching GDA sub-chapters,
x
The boundaries/limits of the GDA for that topic,
x
Areas for further development,
x
Conclusion of why each topic supports the request to enter the construction phase,
x
A list of supporting references relevant to the chapter summary.
Figures 2 – 22 illustrate the document structure for each of the chapters, including
significant supporting references. A full list of the sub-chapters that make up HPC
PCSR2, showing which were produced for GDA or for HPC, is provided in the table
below.
Section (Related HPC
PSCR2 Chapter)
Indication of Content Provenance
1- Introduction and
General Description
Consolidated GDA PCSR 2011 used for two Sub-chapters (1.4 and 1.5)
without change.
One all new HPC PCSR2 Sub-chapter (1.2).
Head Document forms the rest of the introduction.
(Sub-chapters 1.1 and 1.3 not used).
2 - Site Data and Bounding
Character of GDA Site
Envelope
All information used is new for HPC PCSR.
Page 18 of 230
Head Document
PSCR2 Chapter)
3 - General Design and
Safety Aspects
Consolidated GDA PCSR 2011 data used for six Sub-chapters (3.1, 3.2, 3.3,
3.4, 3.5 and 5.8) without change.
(Sub-chapter 3.7 not used).
4 - Reactor and Core
Design
All Consolidated GDA PCSR 2011 data used without change.
5 - Reactor Coolant
System and Associated
Systems
Consolidated GDA PCSR 2011 data used for five Sub-chapters (5.0, 5.1, 5.2,
5.3 and 5.4) without change.
6 - Containment and
Safeguard Systems
7 - Instrumentation and
Control (I&C)
8 - Electrical Supply and
Layout
Consolidated GDA PCSR 2011 data used for four Sub-chapters (8.3, 8.4, 8.5
and 8.6) without change.
One partially new HPC PCSR2 Sub-chapter (5.5) which includes GDA data (in
grey shading).
Additional Sub-chapter (6.9) added which includes GDA data rearranged in
presentation to discuss Containment and Safeguard Systems Chemistry
Control.
Two partially new HPC PCSR2 Sub-chapters (8.1 and 8.2) which include GDA
data (in grey shading).
9 - Auxiliary Systems
Consolidated GDA PCSR 2011 data used for three Sub-chapters (9.1, 9.3 and
9.5) without change.
Two partially new HPC PCSR2 Sub-chapters (9.2 and 9.4) which include GDA
data (in grey shading).
Additional Sub-chapter (9.6) added which includes GDA data (in grey shading)
rearranged in presentation to discuss Auxiliary Systems Chemistry Control.
10 - Steam and Power
Conversion Systems
Consolidated GDA PCSR 2011 data used for four Sub-chapters (10.1, 10.3,
10.5 and 10.6) without change.
Two partially new HPC PCSR2 Sub-chapters (10.2 and 10.4) which include
GDA data (in grey shading).
Additional Sub-chapter (10.7) added which includes GDA data (in grey
shading) rearranged in presentation to discuss Secondary System Chemistry.
11 - Discharges and
Waste/Spent Fuel
Consolidated GDA PCSR 2011 data used for one Sub-chapter (11.0) without
change.
(Sub-chapter 11.1 not used).
Two partially new HPC PCSR2 Sub-chapters (11.2 and 11.4) which include
GDA data (in grey shading).
Two completely new Sub-chapters (11.3 and 11.5).
12 - Radiological
Protection
Consolidated GDA PCSR 2011 data used for five Sub-chapters (12.0, 12.1,
12.3, 12.4 and 12.5) without change.
One partially new HPC PCSR2 Sub-chapter (12.2) which includes GDA data
(in grey shading).
Additional Sub-chapter (12.6) added which includes some GDA data
rearranged in presentation to discuss Normal Operation Dose Assessment for
Public.
Page 19 of 230
Head Document
PSCR2 Chapter)
13 - Hazards Protection
(in grey shading).
Consolidated GDA PCSR 2011 data used for one Sub-chapter (13.2)
supplemented by an additional supporting document.
14 - Design Basis Analysis
(DBA)
15 - Probabilistic Safety
Assessment (PSA)
Six partially new HPC PCSR2 Sub-chapters (15.1, 15.2, 15.3, 15.4, 15.5, and
15.7) which include GDA data (in grey shading).
Consolidated GDA PCSR 2011 data used for one Sub-chapter (15.6).
16 - Risk Reduction and
Severe Accident Analyses
17 - ALARP Assessment
All Consolidated GDA PCSR 2011 data used without change (except Subchapter 17.4 not used).
18 - Human Factors and
Operational Aspects
Consolidated GDA PCSR 2011 data used for two Sub-chapters (18.1 and
18.3) without change.
(in grey shading).
19 - Commissioning
Consolidated GDA PCSR 2011 used for one Sub-chapter (19.0).
20 - Decommissioning
All information used is new for HPC PCSR.
21 – HPC PCSR
Management Framework,
Design, Development and
Use and QA Arrangements
All information used is new for HPC PCSR (except a very small amount of
GDA data (in grey shading) in Sub-chapter 21.3 Appendix).
Forward Work Activities
HPC PCSR2 identifies a number of Forward Work Activities that are required
to fully develop the safety case. The activities are set out in report reference
HPC-NNBOSL-U0-000-RES-000082.
The structure of the PCSR2 Head Document aligns with the structure of the GDA
PCSR, but additionally identifies those areas where there are new documents
produced for HPC PCSR2. This means there is a section in the Head Document
corresponding to each of the 21 GDA chapter topics. In addition, the Head
Document also contains an executive summary, document references, tables,
figures and abbreviations. The details of Forward Work Activities are contained in
a separate report.
0.4
Governance and Review Processes
HPC PCSR2 will have undergone many governance and review steps prior to its
submission to ONR. The key steps associated with the submission of HPC PCSR2 are:
x
Verification of all NNB GenCo authored supporting documents,
x
Design Review and Acceptance (DR&A) of all supporting documents produced
outside of NNB GenCo,
Page 20 of 230
Head Document
x
Endorsement from the Architect Engineer of the technical quality of both the
individual documents that comprise HPC PCSR2 and the overall consistency of HPC
PCSR2,1
x
Advice from the Nuclear Safety Committee (NSC) on the HPC PCSR2 Head
Document,
x
Advice from the NSC for several key site-specific references to HPC PCSR2,
x
Acceptance by NNB GenCo’s Operational Control Committee (OCC),
x
The clearance of the Secondary Hold Point, which covers release of HPC PCSR2 to
ONR,
x
Acceptance by the NNB GenCo Board.
NNB GenCo’s internal challenge function continues to develop. Several important subchapters and supporting documents of HPC PCSR2, as well as the whole Head
Document, have been subject to Independent Peer Review (IPR) with the following
criteria developed to select these documents:
x
Where the HPC PCSR2 document provides justification for an issue using a novel
approach, which is being adopted for the first time at HPC (i.e. no EPR family or
other industry relevant previous experience),
x
Where the HPC-specific topic covered by the relevant HPC PCSR2 document is
considered to be novel (e.g. with respect to an external regulator) and a benefit is
perceived from the completion of an IPR to subject the justification presented to
independent expert scrutiny,
x
The HPC site-specific safety justification provided by the relevant HPC PCSR2
document is judged to be significantly different when compared with the generic
justification provided via the GDA process.
IPR of these HPC PCSR2 documents was considered proportionate, with IPR warranted
in terms of the benefit to the robustness of the safety report. Further information about
the IPR strategy is provided in Section 21 of this document.
It is considered that the governance and review processes that have been applied
to the production and development of HPC PCSR2 are appropriate and
proportionate, in terms of the role of HPC PCSR2 as the baseline safety
justification to support movement of the HPC Project into the construction phase.
0.5
Key Site-Specific Sections of HPC PCSR2
The proposed nuclear power station at HPC has some variations and additions
compared with the Generic Design, because of its geography, geology, surrounding
environment, the plan to build two reactors rather than a single unit, the storage and
disposal routes for radioactive waste and spent fuel, and various other aspects to be
developed by the operator and the need for licensee requirements.
The safety case for HPC therefore requires both changes and additions to the generic
safety case. These include:
x
Safety assessment of the specific magnitude, applicability and frequency of internal
and external hazards at the HPC site,
1
Noting that the DIN consistency review included a series of topic meetings on key information that underpins HPC PCSR2: Heat
Sink, Discharges and Waste, Hazards, Chemistry, PSA, and Civil Structures.
Page 21 of 230
Head Document
x
Safety assessment of the areas of the plant outside of the GDA scope,
x
Addition of the Interim Spent Fuel Store (ISFS) for on-site storage of long-cooled fuel
removed from the spent fuel pools in the Fuel Building and an interim Intermediate
Level Waste (ILW) Store to provide storage of ILW arisings until a Geological
Disposal Facility (GDF) is available,
x
Ultimate cooling heat sink system will be an open circuit system, drawing water from
the Bristol Channel,
x
Assessment of impacts associated with the choice of a twin-reactor plant,
x
Incorporation of NNB GenCo’s own management arrangements,
x
The adjacent Hinkley Point A (HPA) and Hinkley Point B (HPB) sites that have an
influence on the HPC safety justification (including the external hazards that could
arise from these sites, and any interface during accident management).
HPC PCSR2 Sub-chapter 2.1 Site Description and Data presents the HPC site
envelope, while HPC PCSR2 Sub-chapter 2.2 Verification of Bounding Character of the
GDA Site Envelope provides the assessment of the HPC site envelope in comparison
with the generic site envelope of the GDA. The information within HPC PCSR2 Subchapter 2.2 determines whether the external hazards analysis presented within the GDA
can be considered applicable given the site and external hazard characteristics of HPC,
or whether detailed hazard analysis is required in those cases where the site
characteristics are not bounded by the GDA site envelope.
Where the generic site envelope does not provide a bounding case, the issue is
highlighted and an assessment is provided in the relevant chapter of HPC PCSR2.
HPC PCSR2 Sub-chapter 2.3 Site Plot Plan Summary details the requirements,
guidelines and restrictions that have influenced the development of the HPC site plot
plan and provides the safety assessment for the adopted layout of the HPC site.
GDA has been performed for a single-reactor site, but there will be two reactor units at
HPC. Therefore a specific assessment has been made for the twin-reactor site. The
results of this study show that the risk per unit is not significantly increased through the
presence of two units.
Different hazards may exist during the period of overlap of fuel loading/operation of
Unit 1 and construction/commissioning activities on Unit 2. These will be assessed
further in future safety submissions, but no fundamental safety issues are anticipated.
NNB GenCo is confident that the relevant risks from the ISFS and Interim ILW Store are
understood and will not impact on the main design. The design and construction of these
two buildings will be subject to NNB GenCo’s Hold Point process.
Section 13 of the Head Document addresses hazards, including those from the adjacent
sites of HPA and HPB. The potential effects of HPC on the safety assessments for HPB
and HPA are outside the scope of HPC PCSR2, but are recognised and there is ongoing
liaison with HPA and HPB on this topic.
Certain relevant parts of the safety case have been submitted in advance of the full HPC
PCSR2 to support the ONR assessment of the NSL application. These are known as
early submission ’batches’ and have addressed the following site-specific issues:
x
The environmental conditions do not preclude the use of the site with respect to
external hazards,
Page 22 of 230
Head Document
x
The geology of the site will provide a secure, long-term support to the necessary
SSCs,
x
The site is of a sufficient size to accommodate the proposed twin UK EPR unit power
station,
x
There is adequate cooling capability available,
x
The site can be connected to grid supplies.
HPC PCSR2 covers the nuclear safety of the whole of the HPC nuclear licensed
site. The key site-specific features of HPC have been identified and have been
assessed to support HPC PCSR2.
0.6
HPC PCSR2 and the HPC Reference Design
NNB GenCo will be the licensee and operator of HPC, with EDF SA acting as the
Architect Engineer for the design and build of HPC. The principal engineering role is
being performed by the Division Ingénierie Nucléaire (DIN) of EDF SA, under the overall
management of NNB GenCo.
The HPC Reference Design is based on the Flamanville 3 (FA3) design and the
outcome of the GDA of the UK EPR, plus site-specific features. The HPC Reference
Design is currently subject to a further iterative engineering phase to address a number
of potential design developments. The potential design developments originate from:
x
The GDA process (via GDA Issues and/or GDA Assessment Findings), culminating
in the end of GDA,
x
Open Points (unresolved technical issues that have the potential to prevent the
placement of detailed design contracts and present a significant risk of design
rework),
x
Lessons learned from the design and constructability of other EPRs (FA3,
Olkiluoto 3, Taishan and United States EPRs),
x
Lessons learned from the events at Fukushima including the outcome of the
assessment of the UK EPR and the results of this analysis (the detailed design
process will provide final confirmation of the margins and potential cliff-edge effects),
x
Review of the design by NNB GenCo,
x
Design changes to address UK specific regulations.
The purpose of these design changes is to improve the safety, constructability or
operability of the UK EPR. However, NNB GenCo is confident that these design changes
will not significantly affect the safety justification presented in HPC PCSR2, or have a
significant impact on the design intent. Each proposed design change will be reviewed
by NNB GenCo to confirm this prior to implementation. Interim arrangements (based on
the NNB GenCo’s established technical review process) will be used prior to the full
implementation of the arrangements made under LC 20 Modifications to Design of Plant
Under Construction2. The LC 20 procedure contains entry conditions for the use of
LC 20 arrangements. The engineering project management steps that control the
development of the HPC Reference Design (which are described in more detail in
Section 21 of this document) are illustrated in Figure 23 and are as follows:
2
Interim arrangements based on the Technical Review process, augmented by features taken from LC 20 (Control of Modifications
during Construction and Commissioning), are to be used in the period prior to the full implementation of the LC 20 arrangements.
These interim arrangements will be used to process the modifications not considered as part of the GDA and the modifications
identified for inclusion in the Decided Design Reference (DDR).
Page 23 of 230
Head Document
x Preliminary Design Reference Phase (PDR milestone),
x Decided Design Reference Phase (DDR milestone),
x Implemented Design Reference Phase (IDR milestone),
x Ready for execution Design Reference Phase (RDR milestone).
HPC PCSR2 is based on the FA3 design, the outcome of the GDA of the UK EPR
plus site-specific features, corresponding to the state of development of the HPC
Reference Design at the end of March 2011. Design work has been ongoing in
parallel with production of HPC PCSR2, and therefore the current status of the
HPC Reference Design is more advanced than that assessed in HPC PCSR2. NNB
GenCo is confident that any design changes will not significantly affect the safety
justification presented in HPC PCSR2, or have a significant impact on the design
intent.
0.7
Design Substantiation to Support Construction
Due to the continued evolution of the HPC Reference Design, updates will be required to
HPC safety case documentation to provide control of safety-related activities. There is a
need for a summary and collation of all the relevant engineering design and
substantiation prior to the commencement of any safety-related construction activity.
This will be achieved through the use of CSJs. This is further described in Section 21 of
this document.
The CSJ will adequately justify nuclear safety-related aspects of the design prior to
commencement of construction activities for the stage to be entered. It will identify the
design intended for construction, and demonstrate that it will meet the safety
requirements. The CSJ will also justify the suitability of the arrangements for ensuring
the design intent of what is presented will be met in the more detailed design undertaken
throughout the construction and installation stages, and that what is actually constructed
and installed can be shown to meet the design intent and can be fully substantiated
through the commissioning stages.
The CSJs will provide a formal link to the information within the safety case and support
the commencement of any relevant construction activities. Where required, the CSJs will
expand on and add to the information existing within the most recent safety report,
indicating when this is bounding and referring to further justification when it is not. It will
act as a summary document providing an introduction and links to the relevant reference
material. CSJs will be categorised for their potential impact on nuclear safety, with the
level of due process required (including seeking NSC advice where appropriate) being
proportionate to this impact. The development, verification and issue of a CSJ will be
proportionate to its nuclear safety significance, and therefore linked to the category of
the CSJ.
development of HPC. CSJs will provide adequate and suitable design
substantiation, to give confidence in justifying any nuclear safety related
construction activity.
0.8
Nuclear Safety Design Assessment Principles
NNB GenCo has defined its own Nuclear Safety Design Assessment Principles
(NSDAPs) derived from the European Utility Requirements (EUR) for Light Water
Reactors (LWRs). The NSDAPs are used by NNB GenCo to assess the HPC EPR
Page 24 of 230
Head Document
design, operational arrangements and the safety case. Consolidated GDA PCSR 2011
and HPC PCSR2 were the main sources used to assess the HPC EPR design against
the NSDAPs. A further fuller description of the NSDAPs including how they were
derived, how they correspond to ONR's Safety Assessment Principles (SAPs), and how
they have been used, is included in Section 3 of this document.
The results of the assessment demonstrate a high level of compliance. The UK EPR
design proposed for HPC complies with 97% of the NSDAPs. The results indicate full
compliance with the following areas:
x
Fundamental safety objective and principles,
x
External and internal hazards,
x
Engineering objectives,
x
Quantitative safety objectives,
x
Site conditions.
The results of the current compliance assessment identified two gaps, one within the
Design Basis Conditions and the other within the Design Extension Conditions (DECs):
x
NSDAP 2.3.0 Deterministic Safety Analysis. This has arisen due to the redesignation
of Loss of Cooling Chain (LOCC) faults as Design Basis Faults (DBFs),
x
NSDAP 3.4.1 Prevention of Early Containment Failure. This has arisen due to the
values calculated for Large Release Frequency (LRF) and Large Early Release
Frequency (LERF).
Work is underway to investigate further and justify these two gaps using an ALARP
approach. This is discussed in Section 3 of this document.
The construction of an SSC will not commence until all relevant NSDAPs are
satisfied or are covered by an appropriate ALARP demonstration. NNB GenCo will
periodically assess the current state of the design against the NSDAPs and
provide an update to support the production of future safety submissions.
Demonstrating compliance with the NSDAPs is considered to be an important
element in the demonstration of ALARP.
0.9
Safety Functions
The NNB GenCo NSDAPs identify three fundamental (or main) safety functions (MSFs)
that are necessary for achieving the overall safety objective of protecting people and the
environment from the harmful effects of ionising radiation.
The three MSFs are:
x
Control of fuel reactivity,
x
Fuel heat removal (or cooling), and
x
Radioactive material containment.
HPC PCSR2 Sub-chapter 3.2 Classification of Structures, Systems and Components,
provides the summary of the GDA approach to definition and categorisation of safety
functions. This approach aligns with the NSDAPs and has the same three MSFs
identified. NNB GenCo has adopted the principles of the GDA classification system;
more detail can be found in Section 3 of this document.
Page 25 of 230
Head Document
It is necessary to derive more detailed safety functions that are specific to the plant type
or technology. For the UK EPR this has led to the development of Plant Level Safety
Functions (PLSFs) and Lower Level Safety Functions (LLSFs). Further details on these
safety functions and the categorisation process can be found in Section 3 of this
document and in the sub-chapters and supporting references of HPC PCSR2 Chapter 3.
PLSFs are broken down further into LLSFs in order to provide a level of detail so that
appropriate categorisation can be applied. The LLSFs combine the PLSFs and the
operating conditions of the plant to indicate what must be achieved to fulfil the PLSFs.
LLSFs are categorised on the basis of their safety significance into three categories
(A, B and C) defined as follows:
x
Category A: any function that plays a principal role in ensuring nuclear safety,
x
Category B: any function that makes a significant contribution to nuclear safety,
x
Category C: used to represent functions with a safety role that is not assigned to
Category A or Category B.
Further detailed guidance on the application of this categorisation methodology
throughout HPC PCSR2 is provided in Sub-chapter 3.2.
HPC PCSR2 includes the status of the identification of LLSFs and the classification of
SSCs as far as had been completed at the time of Consolidated GDA PCSR 2011. It is
noted that the safety categorisation scheme developed in GDA is the subject of GDA
Issue GI-UKEPR-CC-01. Furthermore, the application of the safety categorisation and
classification methodology will not be fully completed within the scope of GDA.
NNB GenCo will complete this process in accordance with GDA Assessment Finding
AF-UKEPR-CC-05. More information can be found in Section 3 of this document, and
the forward work is discussed in the HPC PCSR2 Forward Work Activities report.
The safety functions and their associated categories identified in this document
are an appropriate set on which to base the HPC SSC classification process. A
package of work, with the support of a working group, is in place to apply fully the
safety categorisation/classification methodology to the entire HPC design. This
will not be completed until the modifications resulting from resolution of the GDA
issues have been decided.
0.10
Design Basis Analysis
Statements are presented in HPC PCSR2 to substantiate that the Consolidated GDA
PCSR 2011 Design Basis Analysis (DBA) is fully applicable to future HPC site-specific
DBA, including its applicability to a twin-reactor site.
The purpose of DBA is to demonstrate that there are appropriate design features and
functions (including ‘defence in depth’3) to protect against and mitigate faults, and to
show that the radiological consequences of reasonably foreseeable events remain within
acceptable limits. The safety analysis of such events has also informed the deterministic
design of the safety systems. Faults have been identified from a combination of sources,
including standard lists based on guidance used in the French nuclear fleet, and
international operating experience from many decades of Pressurised Water Reactor
(PWR) operation, and adapted to the UK EPR. The events presented in HPC PCSR2
are aligned with the Probabilistic Safety Assessment (PSA) initiating events in
Consolidated GDA PCSR 2011.
3
Where '’defence in depth’’ ensures the use of redundant components and trains to protect against single failures in active systems
and the use of multiple safety systems and structures in the event of failure of one system or structure.
Page 26 of 230
Head Document
The DBA is based on a deterministic safety approach, complemented by probabilistic
analyses, using the concept of ‘defence in depth’. In the approach used, representative
conditions that bound situations that could be encountered during reactor operation are
identified and grouped into categories known as Plant Condition Categories (PCC)
according to their frequency of occurrence.
PCC-14: Normal Operating Transients
PCC-2: Design Basis Transients (1x10-2/y <f)
PCC-3: Design Basis Incidents (1x10-4 < f < 1x10-2/y)
PCC-4: Design Basis Accidents (1x10-6 < f < 1x10-4/y)
The list of PCC faults covers faults affecting the core and the spent fuel pool (SFP). The
list has been identified systematically for initiating events within the nuclear island; and
for initiating events arising outside the nuclear island it is based on loss of functional
capability of services to the nuclear island. Faults affecting the ISFS and interim ILW
store are not yet assessed due to the early stage of their design, however in the HPC
Site Submission of General Data for the Article 37 of the Euratom Treaty the bounding
nature of the DBA of the plant for the ISFS and ILW storage facility was provided. NNB
GenCo is confident that the relevant risks are understood and this will not impact upon
the main design. Because the ISFS and Interim ILW Store are not integral parts of the
power production facility, their design and assessment do not need completing prior to
commencement of construction of the Nuclear Power Plant (NPP).
The fault and protection schedule within Sub-chapter 14.7 shows the protection in the
current design for each identified PCC fault.
There is confidence in the comprehensiveness of the list of faults in the context of the
GDA scope since it is based on decades of analysis of international operating
experience and best practice, as well as being modified to reflect UK EPR specific
features. Additional confidence is gained from the PCC fault and PSA initiating event
consistency review performed under the Consolidated GDA PCSR 2011. (A small
number of faults identified in the GDA await assessment, but this will be resolved within
the scope of the GDA process as part of a GDA Issue.) Future HPC safety submissions
will develop this into a comprehensive HPC-specific fault and protection schedule
accounting for HPC design development or site-specific PSA development, GDA Issue
and GDA Assessment Findings resolution.
The fault and protection schedule shows that there is adequate ‘defence in depth’
for all considered faults except a small number identified in the GDA that are
being resolved within the scope of the GDA process as part of a GDA Issue. All
considered PCC faults have been assessed and shown to meet the relevant safety
criteria. For the purposes of HPC PCSR2, the HPC site-specific DBA radiological
consequences will be either bounded by, or be sufficiently similar to,
Consolidated GDA PCSR 2011 radiological consequences as to represent an
acceptable and ALARP level of risk.
0.11
Hazards Protection
The internal and external hazards that may affect the proposed UK EPR units at HPC
have been identified and characterised using information from both the GDA and the
site-specific hazard identification and characterisation studies. Assessments have been
made of the adequacy of the protection and mitigation measures that will exist within the
4
PCC-1 events are classified as normal operating transients and are addressed in Sub-chapter 3.4 of the HPC PCSR2 submission.
Page 27 of 230
Head Document
proposed design of the UK EPR units. The hazard protection philosophy is to design
plant to withstand the applicable hazards wherever this is reasonably practicable. Where
damage cannot be prevented the design ensures that there is redundancy and/or
diversity in provision of the required safety functions.
Forward work activities have been proposed that will ensure the detailed design
process incorporates all hazard protection and mitigation requirements for each
of the safety classified SSCs. These Forward Work Activities also provide further
detail on the combination of reasonably foreseeable hazards. This process will
ensure that the risks from hazards are reduced to ALARP for the design of the UK
EPR units at HPC. The details of Forward Work Activities are contained in a
separate report.
0.12
Contributors to Risk
The following table presents the results of the updated site-specific PSA for HPC against
the Safety Design Objectives (SDOs) defined in the NSDAPs.
SDO3
Consequence of accident
Target1
HPC result1
4
Worker fatality
<1x10-6/y
4.1x10-7/y
6
Off-site individual fatality
<1x10-6/y
5.6x10-7/y
8
>100 fatalities (public)
<1x10-7/y
1.4x10-7/y
Total Core Damage Frequency
<1x10-5/r.y
8.6x10-7/r.y
Large Release Frequency (LRF)
<1x10-6/r.y
1.8x10-7/r.y
Large Early Release Frequency (LERF)
N/A2
4.9x10-8/r.y
1. Targets and results are given for the site (two reactors) except the last three rows that are specifically per
reactor.
2. While there is no specific target for LERF it has been included for completeness.
3. The numerical targets for SDO-5 and SDO-7 are presented in Section 15.
The targets in the table are the numerical targets defined in the NSDAPs (noting the
Basic Safety Objective (BSO) is given in the table above, where a BSO and a Basic
Safety Level (BSL) are included in the NSDAPs).
The HPC PCSR2 PSA calculated risk values for HPC, noting it is a twin-reactor site,
meet all the numerical targets, putting the risk in the “Broadly Acceptable” region, with
the exception of SDO-8 (Risk of >100 fatalities) and a number of worker risk single
accidents (SDO-5). In the case of SDO-8, the calculated risk is above the numerical
target. However analysis has shown that the removal of known conservatisms in the
model would result in the numerical target being met. If in future calculations the risk is
above the numerical target, an ALARP assessment will be produced to demonstrate
compliance with SDO-8 (i.e. that it meets the numerical target or is demonstrated to be
ALARP). In the case of SDO-5 (Worker risk from a single accident), an ALARP position
has been presented for cases where the calculated risk is greater than the BSO. It is
recognised that all accidents lie below the BSL numerical value. The NSDAPs are
therefore met for HPC with regard to doses to workers and the public during accident
conditions.
The following pie chart shows the contribution to risk identified from the Level 1 PSA.
Page 28 of 230
Head Document
The greatest contribution to Core Damage Frequency (CDF) is from Loss of Off-site
Power (LOOP). This is believed to be due to conservatisms in the modelling and
assumed failure data associated with this fault. Further investigation will be necessary to
present a complete PSA. Sensitivity studies show that the CDF is sensitive to
assumptions about LOOP frequency and modelling. Sensitivity studies using more
realistic (but still conservative) Emergency Diesel Generators (EDGs) and Ultimate
Diesel Generators (UDGs) reliability data also indicate a significant reduction in CDF can
be achieved.
The connection of the HPC site to the UK National Grid has also been examined in
detail, and six lines over three circuits will provide the connection to the grid. This is two
more lines than any other operating NPP in the UK and helps to ensure that the risks
from LOOP are reduced so far as is reasonably practicable. A complete ALARP study
for the LOOP hazard is a feature of the Forward Work Activities.
Other key contributors to the CDF are reactor coolant pump seals, Instrumentation &
Control (I&C) systems and operator actions.
The LRF is calculated as 1.8x10-7/reactor year (/r.y). This is dominated by late
containment failures. The absolute value and the fraction of CDF are increased
compared with the GDA. This is because of the increased long LOOP frequency
assumed and the Ultimate Heat Sink (UHS) modelling, which assumes total failure of
digital I&C leads to failure of the Containment Heat Removal System (EVU [CHRS]) and
therefore loss of the containment.
Page 29 of 230
Head Document
There are some known limitations in the modelling (e.g. simplifications, or initiating
events, hazards and systems that are not yet included) that make the current CDF a
potential underestimation. The potential impact that these limitations could have on the
HPC risk has been assessed. This assessment indicates that elimination of those
limitations in future development of the PSA will not lead to an excessive increase in
overall risk, and that there will remain a large margin to the target for CDF. Outage,
shutdown and maintenance activities have been considered as part of the risk analysis.
An iterative process to identify design improvements using PSA was implemented
throughout the development of the UK EPR design. For HPC, it is intended that
probabilistic assessments will continue to be used to risk-inform the detailed design as
the HPC design develops.
The PSA results and sensitivity analyses carried out for HPC PCSR2 are
considered to provide sufficient confidence that the installations proposed for
HPC will meet the targets and requirements laid out in the NSDAPs (noting the
ALARP principle applies throughout).
0.13
Design Extension Condition Analysis
In the EPR ‘defence in depth’ approach, the Risk Reduction Category (RRC) RRC-A is
introduced to complement the deterministic list of DBFs by considering a set of DECs
due to multiple failure events. Sub-chapter 15.1 covers the Level 1 probabilistic analysis
of internal initiating events, including the multiple failure events relevant to the DECs.
The analysis of DECs is performed using both deterministic and probabilistic
considerations and leads to the identification of additional safety features (or ‘RRC-A
features’), which make it possible to prevent the occurrence of severe accidents in these
complex situations. The RRC-A sequences are studied in a deterministic manner
through best estimate accident analysis of the design of RRC-A features.
It should be noted that implications of the ISFS on the DECs are yet to be considered;
this will occur when the design is at a suitable stage of development, but the contribution
from the ISFS to the DECs is anticipated to be negligible.
The GDA RRC-A analysis that is adopted for HPC PCSR2 concludes that either
safety analysis criteria are met, or that in the case of loss of SFP cooling the
associated radiological release is negligible.
0.14
Severe Accident Analysis
The assessment of severe accidents (RRC-B) for the UK EPR is adopted from
Consolidated GDA PCSR 2011. This is further described in Section 16 of this document.
Severe accidents are analysed as RRC-B sequences, and such accidents are
characterised as those resulting in fuel rod failure, degradation of the structural integrity
of the reactor core, and release of radioactive fission products into the reactor coolant
system or beyond. Such an event can only occur after the successive loss of multiple
safety functions and sustained loss of core cooling leading to elevated core
temperatures as a result of residual heat. The increased temperatures can lead to
melting of the reactor core, failure of the vessel and ultimately can threaten the integrity
of the containment building.
As part of the severe accident analysis design process, there has been a practical
elimination of high consequence low frequency fault sequences. Practical elimination
refers to the implementation of specific design measures for reducing the risk of a large
early release of radioactive material to the environment to an insignificant level. To
Page 30 of 230
Head Document
achieve practical elimination, each type of accident sequence that could lead to a large
early release of radioactivity is examined and addressed by design measures.
Consolidated GDA PCSR 2011 concludes that the following scenarios are practically
eliminated:
x
Certain situations related to severe accidents:
o High Pressure Core Melt (HPCM) and Direct Containment Heating (DCH),
o Steam explosions leading to failure of the containment,
o Hydrogen combustion processes endangering containment integrity.
x
Rapid reactivity insertion,
x
Containment bypass,
x
Fuel damage in the SFP.
The implications of the ISFS on the severe accident analysis are yet to be considered.
This will occur when the design is at a suitable stage of development, although the
contribution to the severe accident analysis from the ISFS is anticipated to be negligible.
Although the GDA RRC-B analysis confirms that evacuation or relocation of the
population is not necessary, NNB GenCo intends to use the same (or very similar)
off-site emergency plans as HPA and HPB.
0.15
Human Factors
For Human Factors, Consolidated GDA PCSR 2011 predominantly relies on humanbased safety analyses that are derived from the significant operational experience of
EDF’s French PWR fleet. The UK EPR is an evolution of previous PWR designs for
which comprehensive safety records exist, and additional operational experience and
user feedback has been applied to further enhance the Human Factors aspects of the
design. This is described in Section 18 of this document.
Information is presented in the form of a broadly conservative human reliability
assessment, a sample of detailed operator action analysis, and descriptions of the
processes that have been followed to ensure that the Human Factors inputs have
enhanced the designs on which the UK EPR is based.
Overall the Human Factors safety analysis presented in Consolidated GDA PCSR 2011
found that the Human Factors risk associated with SSCs at the beginning of the
construction phase was tolerable. For HPC the effect of plant layout on Human Factors
will be considered, and Human Factors consideration will be part of the detailed design
process. Work to further improve and optimise Human Factors aspects of the UK EPR
design is ongoing. This will ensure the risk of operator error will be reduced to ALARP.
The Human Factors safety assessment presented in the GDA shows that Human
Factors benefit has been applied to the UK EPR design by using an evolutionary
and operational experience driven Human Factors approach. Significant Human
Factors engineering effort has been applied to the development of key Human
Factors programme elements such as the Main Control Room (MCR) design. The
overall quantitative Human Factors risk assessment is considered to be broadly
conservative and sufficient.
Page 31 of 230
Head Document
0.16
Radiological Protection
As described in Chapter 12 of HPC PCSR2, the EPR dose optimisation approach aims
at:
x
Setting radiological protection demands at the same level as those for safety,
achieving an optimisation approach to radiological protection similar to that applied
for safety,
x
Including the UK EPR reactor in an improvement process in relation to the best units
currently operated in France, and updating the UK EPR dose targets in line with the
continuous performance improvements of these units,
x
Reducing the dose uptake of the most exposed worker groups by optimising their
actions,
x
Improving the unit availability by allowing operators to enter the Reactor Building
during power operation, while still complying with radiological protection and
conventional safety rules.
In order to meet these objectives:
x
Optimisation studies were mainly based on recent operational feedback from the
best operating units (individual dose uptake aspects, collective dose uptake and
good practices),
x
The UK EPR was given an ambitious collective dose target: 0.35 man.Sv per year
per unit, averaged over ten years,
x
The UK EPR activities optimised first and foremost were those concerning the most
exposed groups.
The optimised predicted collective dose estimate calculated for the UK EPR is
0.34 man.Sv per year per unit. This value is in accordance with the project target.
The SDOs of the NNB GenCo NSDAPs state that the effective dose received by any
operator annually should be below 10 mSv.
In practice the maximum dose received by any individual worker in a given period can be
controlled by management actions during operation of the plant. For an entirely new
reactor design it is appropriate to carry out an assessment of occupancy times of rooms
containing radioactive materials during proposed maintenance operations to show that
the dose target would be achievable for the required range and type of maintenance
activities foreseen. However the UK EPR is an evolutionary development of current
French and German NPP design, with the aim of reducing the source term associated
with plant operation and maintenance, and the amount of exposed work. Therefore NNB
GenCo is confident that individual worker dose due to maintenance activities will be
below those experienced on current operating French and German NPPs.
Given the dose levels and the measures taken to reduce worker doses in the UK
EPR compared to operating NPPs, NNB GenCo is confident that both the
Optimised Predicted Dose Estimate target of 0.35 man.Sv per year per unit and the
10 mSv per year dose target adopted for the UK EPR will be achievable.
0.17
Reduction of Risk to an ALARP Level
The principles of application of ALARP to HPC PCSR2 are set out in Chapter 17. The
following areas of HPC PCSR2 have involved an ALARP methodology in their
production:
Page 32 of 230
Head Document
x
The safety assessments in Consolidated GDA PCSR 2011 demonstrate that the UK
EPR design can be considered as ALARP, taking into account the documented
design development/optimisation of the plant and also the formal assessment of the
plant against potential modifications (identified through a review of international
assessment of the EPR design and a review of Sizewell B plant features not present
within the EPR design),
x
Approximately 70% of HPC PCSR2 is based on Consolidated GDA PCSR 2011. An
approved DIN ALARP methodology has been used in the production of Consolidated
GDA PCSR 2011. The methodology has been reviewed by NNB GenCo and
considered to be appropriate for HPC PCSR2,
x
Where there are significant site-specific deviations from Consolidated GDA PCSR
2011, relevant individual ALARP studies have been carried out for HPC PCSR2 (e.g.
waste, heat sink, ISFS),
x
The site plot plan involves an assessment against ALARP principles and the twinreactor report involves a qualitative ALARP assessment (a quantitative ALARP
assessment will follow in HPC PCSR3),
x
The ALARP process will be applied during optioneering to resolve the current GDA
issues,
x
Each of the site-specific chapters uses ALARP analyses where relevant.
In addition, there is a high level of compliance of the UK EPR with the NNB GenCo
NSDAPs, which provides additional assurance that the design process will reduce the
risk to ALARP.
An appropriate ALARP position has been adopted for the production of HPC
PCSR2. Chapter 17 of Consolidated GDA PCSR 2011 provides the demonstration
that the design of a generic UK EPR complies with the overall requirements of the
ALARP principle. For HPC PCSR2, site-specific ALARP studies have also been
completed and support the same conclusion for the HPC design. Moving forward
with the design development the ALARP principle will be followed, and further
ALARP studies will be conducted as part of the detailed design.
0.18
Future Development of the HPC Safety Case
NNB GenCo will continue to develop the safety case from the submission of HPC
PCSR2 through all project lifecycle phases:
x
Pre-Construction,
x
Construction,
x
Non-Active Commissioning,
x
Radioactive Commissioning,
x
Operation,
x
Decommissioning.
NNB GenCo is currently in the Pre-Construction phase of the project. Following
submission of HPC PCSR2, NNB GenCo will commence work on HPC PCSR3, with the
aim to bring together HPC PCSR2, the Final GDA PCSR and relevant CSJs and to
incorporate the appropriate HPC Reference Design. The main purposes of HPC PCSR3
will be to incorporate the final GDA PCSR and align the Safety Case and Design
workstreams.
Page 33 of 230
Head Document
During the Construction phase and following submission of HPC PCSR3, NNB GenCo
currently plans to develop the Pre-Commissioning Safety Report (PCmSR), which will
also justify bringing fuel to site (a step change in the actual site risk). The HPC PCmSR
is currently planned to support the Non-Active Commissioning phase and the
Radioactive Commissioning phase.
During the commissioning phases, NNB GenCo will prepare the Active Commissioning
Reports and develop the Pre-Operational Safety Report (POSR).
The POSR will bring together all analyses to support operation including:
x
Design substantiation,
x
Safety analysis, and
x
Results from testing/commissioning.
At this stage NNB GenCo will also develop and implement the arrangements for
undertaking periodic reviews of safety during the Operation phase as required by LC 15.
Once operation at power is established, and after a period of time to be agreed with
ONR, the POSR will become the Station Safety Report (SSR). Changes to the safety
case will be captured under the arrangements for modifying existing plant in accordance
with LC 22, and periodic safety reviews will review the safety case in accordance with
LC 15.
Prior to entering the decommissioning phase, the safety case for decommissioning will
be prepared to substantiate the methodology for decommissioning the plant.
Each of the lifecycle phases of the HPC project will necessitate changes to the
safety case. Within a particular phase, the safety case may need to change
depending on the activities being conducted and to reflect lessons learned. All
phases of the project will be controlled in accordance with agreed arrangements.
0.19
Fukushima Recommendations
Following the March 2011 Accident at the Fukushima NPP in Japan, a GDA Issue for
response to Fukushima was raised. The response has the potential to result in changes
to the UK EPR design and safety case, which are being addressed by the Requesting
Parties under the GDA Issue Resolution Plan. The outcome of the GDA reviews is not
available for HPC PCSR2, but will be incorporated in subsequent HPC safety reports.
Also, NNB GenCo embarked upon a number of initiatives including:
x
Response to the European Nuclear Safety Regulators Group (ENSREG) stress test
specification,
x
Response to HM Chief Inspector of Nuclear Installations final report (known as the
Weightman Report).
A single NNB GenCo report Response to the March 2011 Accident at Fukushima has
been produced. This document addresses the post-Fukushima issues and brings
together all the outputs and actions endorsed within the company. It identifies potential
resilience enhancements to the HPC design and emergency arrangements, including
confirmation of design basis for seismic and flooding events, quantification of the
available margin between the design basis and the capability of the plant and the
identification of any cliff-edge effects.
In response to the EU ‘stress tests,’ and HM Chief Inspector’s Fukushima Final
Report, NNB GenCo will undertake a number of Forward Work Activities including
Page 34 of 230
Head Document
design enhancements. NNB GenCo is confident that the HPC Reference Design is
sufficiently flexible to accommodate any required changes.
0.20
Forward Work Activities
HPC PCSR2 identifies a number of Forward Work Activities that are required to fully
develop the safety case. The details of these Forward Work Activities are contained in a
separate report. Resolution of these Forward Work Activities will be scheduled by NNB
GenCo as part of the production of CSJs and HPC PCSR3. Forward Work Activities can
be summarised by the following main themes:
x
Further studies required to substantiate the HPC Reference Design,
x
GDA Issues that are due to be resolved by the Requesting Parties within the
timescale of the GDA process but which may affect the HPC safety case:
o Resolution of GDA Issues is the remit of the Requesting Parties. The Issues
are not separately addressed by HPC PCSR2 to avoid duplication of effort.
However, HPC PCSR2 explains any cases where resolution of GDA Issues
may affect consent to construct, and justifies proceeding in the meantime, or
identifies any restriction on proceeding with construction.
x
GDA Assessment Findings that have originated during the GDA process but are due
to be resolved by NNB GenCo at an appropriate stage:
o The list of GDA Assessment Findings was published with the GDA Step 4
reports on 14th December 2011. This list has been reviewed and a number of
the Assessment Findings identified as being relevant to HPC PCSR2.
Resolution of the Assessment Findings is the responsibility of NNB GenCo.
Therefore resolution plans will be drawn up at a time commensurate with the
requirements of the Assessment Findings, within the allocated project
milestones. Assessment Findings with a milestone of nuclear island safetyrelated concrete or earlier are relevant to HPC PCSR2.
x
GDA Out-of-scope Items are a set of topics excluded from the scope of the GDA.
o These Out-of-scope Items will be the responsibility of NNB GenCo to address
in due course. The Head Document identifies those that may affect
construction, and summarises the approach for each.
x
Fukushima related recommendations that have arisen from:
o The EU ‘stress tests,’ which have resulted in NNB GenCo identifying a number
of potential design resilience enhancements,
o The HM Chief Inspector’s Fukushima Final Report and NNB GenCo’s
subsequent responses, which provide details of the actions NNB GenCo is
carrying out in response to the Fukushima event.
The response of NNB GenCo to the events at Fukushima is summarised in a separate
supporting reference.
A separate report summarises the Forward Work Activities with details for each chapter
of the HPC PCSR2 Head Document. The Forward Work Activities report sets out the key
safety-related activities to be carried out in continuing the development of the safety
case for HPC. NNB GenCo considers the development of HPC PCSR2 to be consistent
with the current HPC programme, and that it will support the transition to the
construction phase of the project.
Page 35 of 230
Head Document
The adopted strategy enables NNB GenCo to issue a PCSR that presents a
coherent picture of the design and safety of the plant. Forward Work Activities are
well understood, considered achievable and not considered a challenge to
confidence in the safety case.
0.21
Conclusions
HPC PCSR2 is a significant milestone in NNB GenCo’s plans to build a twin UK EPR
unit power station at HPC. HPC PCSR2 provides the baseline safety justification to
support entering the construction phase of the HPC project. This document is the Head
Document of HPC PCSR2 and forms the top tier of the safety case. It presents NNB
GenCo’s expression of the safety case.
Design
The UK EPR is an evolutionary design, combining proven technology based on the most
recent French N4 and German KONVOI PWRs. A design process has been developed
to ensure that the plant has appropriate features and functions to ensure the safety of
operations and that the risks from operations will be acceptable and reduced so far as is
reasonably practicable.
HPC PCSR2 is based on a Reference Design for the UK EPR at HPC. The UK EPR
design, under the GDA process, was awarded an iDAC by the ONR and an iSoDA by
EA in December 2011. HPC PCSR2 makes effective use of the Consolidated GDA
PCSR 2011 and the assessment process that this has been through.
Design work has been ongoing in parallel with production of HPC PCSR2, and the
current status of the HPC Reference Design is more advanced than that assessed in
HPC PCSR2. The HPC Reference Design retains the flexibility to accommodate any
required design changes and design development requirements. The HPC Reference
Design is currently subject to a further iterative engineering phase (following the Basic
Design Readiness Review) to address a number of potential design developments. The
purpose of these design changes is to improve the safety, constructability or operability
of the UK EPR. This includes potential resilience enhancements identified by NNB
GenCo in response to the lessons learned from Fukushima. NNB GenCo is confident
that any design changes will not significantly affect the safety justification presented in
HPC PCSR2, or have a significant impact on the design intent
Safety Case
HPC PCSR2 covers the nuclear safety of the whole of the HPC nuclear licensed site.
The key site-specific features of HPC have been identified and assessed and the HPC
site has been shown to be a suitable location for the siting of the twin UK EPR NPP.
The assessment of HPC PCSR2 against the NNB GenCo NSDAPs shows there is a
high level of compliance. HPC PCSR2 has also identified and categorised an
appropriate set of safety functions on which to base the SSC classification process.
Construction of an SSC will not commence until all relevant NSDAPs are satisfied or
covered by an appropriate ALARP demonstration.
NNB GenCo considers that an appropriate ALARP position has been established within
HPC PCSR2, and there is high confidence that the final design of HPC will result in
acceptable and ALARP levels of nuclear safety risk.
NNB GenCo has assessed reasonably foreseeable hazards for the plant with adequate
protection and mitigation arrangements developed that will reduce the risks of identified
hazards to ALARP levels. Analysis has also shown that there are margins between the
Page 36 of 230
Head Document
magnitude of the hazards predicted for the HPC site and the design basis for the UK
EPR.
The PSA results and sensitivity analysis carried out for HPC PCSR2 provide sufficient
confidence that the installations proposed for HPC will meet the targets and
requirements laid out in the NSDAPs (noting the ALARP principle applies throughout).
Additionally, although the ISFS and Interim ILW Store are at a conceptual stage, NNB
GenCo has confidence that the relevant risks from these facilities are understood and
will not impact on the main UK EPR design.
The design basis analysis, HPC PSA studies and hazards analysis show that there is
adequate ‘defence in depth’ for all faults, except a small number identified in the GDA
that are being resolved within the scope of the GDA process.
The organisation and safety management arrangements applied to the production and
development of HPC PCSR2 are appropriate and proportionate. The NNB GenCo
processes and procedures demonstrate that there are adequate organisational
arrangements in place for enabling development of suitable safety management
arrangements at the appropriate time, thereby ensuring the safe design, construction,
commissioning, operation and decommissioning of the twin UK EPR units at HPC.
development of HPC. CSJs will be used to provide adequate and suitable design
substantiation to further support the safety justification for entry into the construction
phase. For each section of HPC PCSR2, Forward Work Activities post HPC PCSR2
have been identified and these are well understood, considered achievable and not
considered a challenge to confidence in the safety case.
NNB GenCo concludes that HPC PCSR2 provides an adequate summary of the
baseline safety justification, which supports entering the construction phase of
the HPC project.
Page 37 of 230
Head Document
1
INTRODUCTION AND GENERAL DESCRIPTION
1.1
Summary
Chapter 1 of HPC PCSR2 gives an introduction to the HPC site and the proposed UK
EPR reactor units. It also provides an overview of the design and safety assessment
process for the generic EPR, comparisons of the design against international safety
standards, and the specific UK regulations with which the design of the HPC UK EPR
units must comply. The appendix to Chapter 1 gives an outline of how HPC PCSR2
complies with the objectives that were defined for it in the specification [Ref. 1.1].
The HPC site is located on the Somerset coast 12km to the north-west of Bridgwater.
The site is adjacent to Hinkley Point A (HPA) and Hinkley Point B (HPB) sites. HPA is a
two-unit Magnox NPP managed by Magnox Limited. HPA is currently being
decommissioned by Magnox Limited under contract with the Nuclear Decommissioning
Authority (NDA). HPB is a two-unit NPP utilising Advanced Gas-cooled Reactors (AGRs)
and operated by EDF Energy Nuclear Generation Ltd (NGL).
1.1.1 Generic Design Features
The UK EPR is a PWR whose design combines proven technology based on the most
recent French N4 and German KONVOI PWRs. The design of the reactor unit
represents an evolution in PWR technology, and introduces some new features including
improved protection against and mitigation for core meltdown, increased robustness
against external hazards - in particular aircraft crashes and earthquakes - and a set of
safeguard systems providing a quadruple redundancy. The functioning of the nuclear
production unit is based on a primary system, a secondary system and an ultimate
cooling system.
The primary system is a closed water-filled pressurised system installed in a leak tight
steel and concrete enclosure, the Reactor Building. The primary system is comprised of
a reactor, namely a steel vessel containing the nuclear fuel (reactor core), and four
cooling loops each containing a reactor coolant pump and a steam generator. A
pressuriser provides control of reactor coolant pressure. The reactor is a light water
moderated and cooled design utilising low-enriched uranium fuel clad in a zirconium
alloy. The reactor has a rated thermal power of 4,500 MW. The heat produced by the
nuclear reaction inside the reactor vessel is extracted by the pressurised water which
circulates in the primary system. The heated water then passes through the steam
generators. Here the heat is transferred to the water of the secondary system that flows
between the steam generator tubes.
The secondary system is a closed system that takes heat from the primary system and
supplies steam to the turbine generator set located in the turbine hall. Water in this
system boils in the steam generators heated by the primary system. The steam drives a
turbine coupled to the generator that produces electrical energy. After leaving the
turbine, the steam is cooled and returned to its liquid state in the condenser and then
returned to the steam generator.
The ultimate cooling system cools the condenser by circulating sea water. This system
can be either open or closed depending on the production unit's construction. An ‘open
system’ refers to circulating water that is directly drawn from and discharged into the
sea.
Storage of spent nuclear fuel is provided by a cooling pool situated in a dedicated Fuel
Building that forms an integral structure with the Reactor Building.
Page 38 of 230
Head Document
The UK EPR has been designed to meet safety objectives for 3rd generation reactors
that include reduced CDF, enhanced protection against external and internal hazards,
and significant reduction in the radiological risk to the public if a core melt were to occur.
The reduced risk of a severe accident (core damage accident) is achieved by the
implementation of quadruple redundancy in main safety systems such as the Emergency
Feedwater and Safety Injection systems, and provision of diversified back-up systems.
Severe accident scenarios have been taken into account at the design stage including
the practical elimination of high consequence low frequency fault sequences (e.g. high
pressure core melt).
1.1.2 Site-Specific Features (HPC)
The proposed two UK EPR units of HPC will be located to the west of the HPA and HPB
stations and adjacent to the HPA station.
The HPC site will comprise a range of buildings and related facilities including:
x
Two nuclear islands each with a UK EPR reactor and associated buildings (including
the Reactor Building, the four Safeguard Buildings, the Fuel Building and the Nuclear
Auxiliary Building (NAB)),
x
Two conventional islands, each including a turbine hall, located adjacent to the
nuclear islands,
x
A cooling water pump house for each reactor unit, with cooling water tunnels
connecting water intakes and outfalls to the pump houses and turbine halls,
x
Fuel and waste management facilities (including interim storage for spent fuel and
ILW),
x
Transmission infrastructure including the National Grid 400kV substation,
x
Staff facilities, administration, storage facilities and other plant,
x
A public information centre to provide education and public facilities,
x
A sea wall incorporating a public footpath.
The ultimate cooling system (heat sink) for the proposed HPC power station will be an
‘open circuit’ system drawing water from the Bristol Channel through two offshore intake
tunnels and discharging through a common discharge tunnel. At the onshore end of
each intake tunnel the water feeds into an open forebay. The intake water is filtered as it
is drawn from each forebay into an adjacent pumping station that supplies the cooling
water for a single unit. Once the cooling water has served its heat removal function it is
piped to a discharge pond (one per unit). Each discharge pond is internally sub-divided
for the non-safety and safety systems. A diversification system provides an alternative
means of supplying the heat sink safety systems with water drawn from the main basin
of the discharge pond in the event of loss of the normal heat sink.
In addition to the standard EPR design, the proposed HPC power station includes the
provision of an ISFS to allow for the on-site storage of long-cooled fuel removed from the
SFPs. While the SFPs provide storage capacity for approximately ten years, the ISFS
will have the necessary storage capacity to cover the full 60-year operational lifetime of
the plant. The design of the ISFS is conceptual at this stage, but (as with the rest of the
plant) the safety case development and design processes will take into account the
lessons arising from the earthquake and subsequent tsunami that seriously affected the
Fukushima Daiichi nuclear plant in March 2011.
Page 39 of 230
Head Document
The proposed HPC power station also includes the provision of an Interim ILW Store, to
provide storage of ILW arisings until a GDF is available.
The ONR and the EA regulate compliance with legislation for nuclear installations in the
UK, covering the design, construction, operation and decommissioning of nuclear power
plants. The ONR is responsible for regulating nuclear safety, including the safe
management, conditioning and storage of radioactive waste. The ONR is also
responsible for regulating security within the civil nuclear industry. The EA is responsible
for regulating the environmental discharges and radioactive waste disposals on or from a
site. The constraints imposed by the regulations have the purpose of ensuring the safe
operation of nuclear facilities and of reducing their environmental impact. The UK EPR
design will comply with all relevant UK regulations and NNB GenCo’s own NSDAPs. The
UK EPR design will comply with all relevant approved codes of practice where possible
or will have suitable ALARP arrangements in place where this is not the case.
The EPR reactor has been subject to detailed design and safety assessments in France,
Finland and the USA:
x
Assessment by the French Nuclear Safety Authority and its technical support
organisation over a 19-year design period led to the granting of the Flamanville 3
decree of authorisation of creation in April 2007. Aspects of the EPR design features
that are novel compared with existing plants were subject to in-depth regulatory
assessment. These included design against severe accidents, containment design
and I&C,
x
A construction licence for the Olkiluoto 3 EPR was granted by the Finnish
Government in February 2005. The EPR design and safety assessments have been
reviewed by the Finnish Radiation and Nuclear Safety Authority (STUK) against its
YVL regulatory guides, and some modifications were introduced for Olkiluoto 3. The
design changes for Olkiluoto 3 were reviewed for Flamanville 3, and while this did not
lead to any subsequent recommendation of design modification for Flamanville 3
(and hence for the UK EPR design), design features specific to Olkiluoto 3 have
been considered in confirming that the UK EPR design meets the ALARP principle
(see Section 17 and Sub-chapter 17.5),
x
AREVA submitted a design certification application to the US Nuclear Regulatory
Commission (NRC) in December 2007 for the US EPR design. Since then the NRC
has been undertaking a design certification review, and discussions between AREVA
and NRC have continued on a range of technical issues,
x
A Multinational Design Evaluation Programme (MDEP) EPR working group has been
established with regulatory agencies from France, Finland, the UK and the US to
provide for co-operation and the exchange of technical assessments.
HPC PCSR2 has been prepared to:
x
Provide the initial demonstration that the current Reference Design proposal will
meet the safety objectives prior to commencing construction or installation,
x
Provide the initial demonstration that the operating limits and conditions of the plant
will be suitable to achieve safe operation,
x
Provide the demonstration that the construction and installation activities will result in
a plant of appropriate quality,
x
Provide the initial assessment of the hazards and faults associated with the twin UK
EPRs at the HPC site,
Page 40 of 230
Head Document
x
Provide the initial demonstration that sufficient deterministic and probabilistic
assessment has been performed to prove that the plant can be operated safely, and
that risk will be ALARP,
x
Provide the initial demonstration of the feasibility of commissioning and
decommissioning,
x
Provide the baseline safety justification for a future request to the ONR for consent to
commence construction in line with NNB GenCo arrangements for Licence Condition
(LC) 19 compliance,
x
Detail the safety management process for enabling each safety classified SSC or
group of SSCs to proceed to construction,
x
Facilitate NNB GenCo’s management of the design, procurement and construction
work,
x
Give confidence that further safety justification, including appropriate design
substantiation, will be developed at the relevant stages of the HPC project,
x
Provide technical information to support the NSL application,
x
Incorporate the Consolidated Generic Design Assessment (GDA) PCSR 2011 and
site-specific studies,
x
Identify any current gaps and the Forward Work Activities to close these gaps.
This list originated as a set of objectives in the HPC PCSR2 specification [Ref. 1.1].
However, since the specification was produced the project has evolved to the point
where it is considered the above list better reflects the purposes of HPC PCSR2.
Compliance of HPC PCSR2 against the objectives in the specification [Ref. 1.1] is
provided in the appendix to Chapter 1 PCSR2 Compliance with Objectives [Ref. 1.2]. An
assessment of existing safety case documentation and future work identified in Forward
Work Activities has been undertaken, which has demonstrated that HPC PCSR2 is
compliant with these objectives. NNB GenCo’s revised HPC PCSR2 purposes (stated
above) are met within HPC PCSR2.
1.2
Source Information and Applicability of GDA
The detail of this topic is provided in HPC Sub-chapter 1.2 and Consolidated GDA PCSR
2011 Sub-chapters 1.4 and 1.5 [Refs. 1.3, 1.4, & 1.5]. Figure 2 illustrates the document
structure for Chapter 1.
1.2.1 Status of Sub-chapters
The status of Consolidated GDA PCSR 2011 sub-chapters is as follows:
x
Sub-chapter 1.2 General Description of the Units [Ref. 1.3] has been produced as an
updated, site-specific sub-chapter. The GDA version is not applicable for HPC,
x
Sub-chapter 1.4 Compliance with Regulations [Ref. 1.4] is applicable for HPC,
x
Sub-chapter 1.5 Safety Assessment and International Practice [Ref. 1.5] is applicable
for HPC.
Consolidated GDA PCSR 2011 Sub-chapter 1.1 Introduction is not applicable for HPC.
In the GDA this presents a general introduction to the GDA PCSR; for HPC that
information is replaced by Section 0 of this document. Sub-chapter 1.3 Comparison with
Page 41 of 230
Head Document
Reactors of Similar Design is not being used in HPC PCSR2 as this kind of assessment
does not need to form part of the safety report.
1.2.2 Boundary and Scope of GDA
Consolidated GDA PCSR 2011 Chapter 1 gives a general introduction to the GDA
PCSR, and the generic site characteristics and EPR unit. It describes the overall
purpose and scope of the GDA PCSR and its structure and layout. For HPC PCSR2,
only those parts of Consolidated GDA PCSR 2011 that are valid and applicable to HPC
have been adopted, as indicated above.
There are no GDA Out-of-scope Items relevant to this chapter.
1.3
Route Map
HPC PCSR2 Chapter 1 is structured as follows:
1.4
x
Sub-chapter 1.2 General Description of the Units [Ref. 1.3] provides a general
overview of the buildings and structures of the UK EPR units and the associated
facilities on the HPC site. It also gives a description of the main nuclear and
conventional plant systems, together with a brief overview of the general operating
principles for the UK EPR.
x
Sub-chapter 1.4 Compliance with Regulations [Ref. 1.4] gives an overview of the UK
regulations with which the UK EPR design must comply. An overview of the structure
of the UK regulations and the associated regulatory framework is provided, followed
by an outline of the key relevant UK regulations. This sub-chapter also includes a
discussion of applicable international guidelines and of the French Basic Safety
Rules (RFS) and technical guidelines issued by the French Safety Authority.
x
Sub-chapter 1.5 Safety Assessment and International Practice [Ref. 1.5] provides an
overview of the design and safety assessment process for the EPR within France,
Finland and the USA, together with an overview of comparisons of the EPR design
against international safety standards (the Western European Nuclear Regulators’
Association (WENRA) reference levels; the International Atomic Energy Agency
(IAEA) Safety Standards; and the EUR for LWR nuclear power plants. See also
Section 3 for further discussion of safety standards and principles, including the
NSDAPs.
x
Appendix to Chapter 1 Compliance with Objectives [Ref. 1.2] provides confirmation
and demonstration, in the form of a compliance matrix, that the 34 objectives for HPC
PCSR2 identified in the specification [Ref. 1.1] have been met, and where the
relevant analyses can be found within the safety report.
Conclusions
HPC PCSR2 Chapter 1 provides an introduction and general description of the buildings
and structures of the proposed UK EPR units and associated facilities on the HPC site.
It also includes an overview of UK regulations that the UK EPR must comply with,
relevant international guidelines, and the design and safety assessment process that
has been undertaken on the EPR worldwide.
Chapter 1 also provides the confirmation that the safety report provided within HPC
PCSR2 meets the objectives of the document.
Page 42 of 230
Head Document
1.5
References
Ref
Title
Location
Document No.
1.1
Specification for the Pre Construction Safety
Report PCSR2 for Hinkley Point C, Issue 2, Feb
2012
Electronic Document and
Records Management
System (EDRMS)
HPC-NNBOSL-U0000-SPE-000002
1.2
HPC PCSR2 Appendix to Chapter 1 – PCSR2
Compliance with Objectives, Issue 1, May 2012
EDRMS
HPC-NNBOSL-U0000-REP-000061
1.3
HPC PCSR2 Sub-Chapter 1.2 – General
Description of the Units, Issue 1, April 2012
EDRMS
HPC-NNBOSL-U0000-RES-000010
1.4
Consolidated GDA PCSR Chapter 1.4 –
Compliance with Regulations, Issue 03, March
2011
EDRMS
UKEPR0002-016-I03
1.5
Consolidated GDA PCSR Chapter 1.5 – Safety
Assessment and International Practice, Issue 03,
March 2011
EDRMS
UKEPR0002-017-I03
Page 43 of 230
Head Document
2
SITE DATA AND BOUNDING CHARACTER OF GDA SITE
ENVELOPE
2.1
Summary
HPC PCSR2 Chapter 2 provides:
x
The site description and data (including the Consolidated GDA PCSR 2011 generic
site data) to be used within the various deterministic and probabilistic assessments
carried out within the overall PCSR for HPC (Sub-chapter 2.1).
x
A comparison (within Sub-chapter 2.2) of the site-specific conditions against the
generic site envelope presented within Consolidated GDA PCSR 2011. This
comparison enables an assessment to be made of the bounding character of the
GDA site envelope, and hence provides a safety justification for those external
hazards assessed and justified within the GDA and which provide a bounding case
over the site envelope.
x
A summary of the site plot plan (Sub-chapter 2.3), including an assessment of how
risks will be reduced to ALARP through optimisation of the site layout and design.
A specific risk assessment and safety justification is provided within Chapter 13 of HPC
PCSR2 for those site characteristics that are not bounded by the generic site envelope.
The purpose of Sub-chapters 2.1 and 2.2 is to demonstrate, in response to the ONR’s
intervention question, that the environmental conditions at the HPC site would not
preclude the use of the site with respect to external hazards.
2.1.1 Bounding character of the GDA site envelope
The site data specific to HPC have been compared to the generic site envelope
presented within the GDA [Ref. 2.1]. This assessment is limited to those characteristics
and values presented within the GDA site envelope. The results of this comparison are
shown in the table below5:
Hazard
GDA value
HPC value
Bounded assessment
Earthquake
EUR hard ground
spectrum used (0.25g)
0.25g spectrum for generic
buildings.
HPC seismic spectrum is bounded
by the GDA PCSR seismic
spectrum.
0.25g spectrum modified
to 0.2g spectrum at low
frequencies for sitespecific buildings.
Accidental
aircraft crash
{ CCI removed }
Tornadoes
Wind speed:
Frequency:
-7
4.53x10 /y
-1
60 ms
Wind speed:
51.2m/s
(10,000 year return period
combined tornadic and
conventional wind speed)
Frequencies of aircraft impact on
non-protected buildings are
bounded by the GDA PCSR
frequencies.
The wind speed of the tornado is
bounded by the GDA extreme wind
design value.
5
Where reference is made to climate change the medium emissions (A1B) scenario has been used within the assessment to provide
a best estimate of climate change effects.
Page 44 of 230
Head Document
Hazard
GDA value
HPC value
Bounded assessment
Extreme high air
temperature
Extreme high
instantaneous
temperature:
Extreme high
instantaneous
temperature:
42°C
43.9°C
The results for the non-stationary
values (i.e. including climate
change) show that extreme air
temperatures are higher than the air
temperatures presented within the
generic site envelope.
Extreme high 12-hourly
mean temperature:
Extreme high 12-hourly
mean temperature:
36°C
39.4°C
- including climate change)
- including climate change)
7-day mean temperature:
7-day mean temperature:
-15°C
-6.1°C
Daily mean temperature:
Daily mean temperature:
-25°C
-10.9°C
Extreme low instantaneous
temperature:
Extreme low instantaneous
temperature:
-35°C
-12.3°C
(10,000 year return period)
(10,000 year return period)
Plant states PCC-2 to
PCC-4:
10,000 year return period
temperature including
climate change:
Extreme low air
temperature
Extreme high
seawater
temperature
30°C
30°C
An ALARP assessment for the
Heating, Ventilation and Air
Conditioning (HVAC) systems
shows that the increases in the
extreme high air temperature can be
accommodated through modification
to the HVAC and system design.
The low air temperatures presented
within the GDA site envelope are
bounding with respect to low air
temperatures predicted to be
observed at Hinkley Point.
The GDA high water temperature
bounds the HPC high water
temperature for the design basis
plant states (PCC-2 to PCC-4: plant
fault studies and Design Basis
Conditions).
(PCC = Plant Condition Category)
Plant states PCC-1, RRCA, RRC-B:
26°C
10,000 year return period
temperature including
climate change (RRC-A,
RRC-B):
30°C
100 year return period
temperature (PCC-1):
27.5°C
The GDA does not bound for plant
states PCC-1 (frequent transients),
RRC-A and RRC-B (Design
Extension Conditions (DECs)),
although it is expected that
modifications to the heat
exchangers will result in an
accommodation of the extreme high
seawater temperatures. A specific
study will be carried out to evaluate
the impact of high water
temperature above 26°C.
(RRC = Risk Reduction Category)
Lightning
Lightning current:
To be confirmed
200kA
(level 1 protection)
The GDA approach is consistent
with paragraph 214 of the Safety
Assessment Principles (SAPs)
(application of codes and
standards). Additional work is being
completed to provide an
understanding of the extreme
lightning strike intensity (see
Forward Work Activities in
[Ref. 2.2]).
Page 45 of 230
Head Document
Hazard
GDA value
HPC value
Bounded assessment
Electromagnetic
Interference
(EMI)
1Vm-1
0.398V/m
There are no identified sources of
EMI in the vicinity of Hinkley Point.
Grid Reliability
Short LOOP (<2h):
Field surveys confirm that the HPC
site is bounded by the GDA PCSR.
-2
Radiological
consequences
of accidents The short Loss of Off-site Power
(LOOP) and LOOP >24 hours are
bounded by the GDA.
-2
6.12x10 failure/y
4x10 failure/y
Long LOOP (<24h):
Long LOOP (<24h):
-3
Level 3 PSA –
Societal risk
Short LOOP (<2h):
The long LOOP (<24h) is not
bounded by the GDA.
-3
1.02x10 failure/y
5x10 failure/y
LOOP between 24 and
192h:
LOOP between 24 and
192h:
{ CCI removed }
{ CCI removed }
These HPC results will be used
within the overall risk assessment,
and the risk will be demonstrated to
be acceptable, or appropriate
design modifications will be made to
lower the risk to an acceptable level.
Probability of 100 deaths
on Occurrence of Release
Dose Band 5: 1
Probability of 100 deaths
on Occurrence of Release
Dose Band 5: <1
The assessment shows that the
GDA site envelope is bounding for
the societal risk calculations.
Dose Band 4: 0
Dose Band 4: 0
Dose Band 3: 0
Dose Band 3: 0
Dose Band 2: 0
Dose Band 2: 0
Dose Band 1: 0
Dose Band 1: 0
Doury model: DF2
conditions
Atmospheric Dispersion
Modelling System (ADMS)
model
ADMS calculations show that the
’DF2 m/s without rain‘ condition
from the Doury model (which is
used in generic dose evaluations) is
bounding for 98% of measured
atmospheric conditions over a
period of five years; a level
consistent with the method applied
in the GDA to ensure that the
results are reasonably conservative.
The hazards associated with the industrial environment and transportation routes, i.e.
explosions, fires and chemical releases, have been assessed within Sub-chapter 2.2.
The analysis shows that the consequences from these hazards are either bounded by
the GDA or are of such a low frequency as to be screened out from further analysis.
2.1.2 Site Data Out-of-scope of GDA
There are several items of site data that are not presented within the generic site
envelope, and therefore have not been subjected to the bounding character assessment
and so will have to be the subject of specific safety justifications. These areas of site
data pertain to:
x
Long Period Ground Motion,
x
Explosions,
x
Liquefaction (as a result of
earthquake),
x
Missiles,
x
x
Off-site fire,
Capable faulting,
Page 46 of 230
Head Document
x
Chemical release (including
radiological release),
x
Freezing rain,
x
x
Fog,
Ship collision,
x
x
White frost/icing,
Animal infestation,
x
x
Heat sink specific hazards:
External flooding:
o
o
Marine clogging,
Coastal flooding,
o
o
Silting,
Rainfall and surface runoff,
o
Frazil ice and freeze up,
o
High groundwater level,
o
Hydrocarbon pollution.
o
Cooling water system trip
– surge event in forebay.
x
Snow and frost,
x
Wind,
x
Snow and wind combination,
x
Wind generated missiles,
x
Drought/low seawater level,
x
Mist/humidity,
x
Hail,
x
Ground engineering hazards:
o
Slope instability,
o
Collapse, subsidence or
uplift,
o
Soil liquefaction (e.g. as
result of additional loading
on an embankment),
o
Behaviour of foundation
materials,
o
Site erosion.
Where appropriate, data for these characteristics are shown below6.
7
Site data characteristic
Design Basis Value
All phenomena contributing to the risk of
external flooding
Extreme high seawater level (tide & surge): 8.62m
Above Ordnance Datum (AOD)
Extreme wave height (at -7m OD contour): 8.46m8
Climate change allowance (2110): +1.0m
Low seawater level
Extreme low seawater level: -7.62m OD
15 minutes: 171.7mm
1 hour: 197.5mm
Rainfall
1 day: 294.8mm
(A1B climate change scenario: 2099)
Clogging9 of water intake system by frazil ice
Frazil ice formation is to be expected.
Clogging of water intake system by marine
organisms
Frequency for use in PSA: 0.18/y
6
Unless explicitly stated, where reference is made to climate change the medium emissions (A1B) scenario has been used within the
assessment to provide a best estimate of climate change effects.
7
-4
th
For natural hazards this relates to a frequency of occurrence of 10 /y, at the 84 percentile confidence level. Man-made hazards are
-5
assumed to have a frequency of occurrence of 10 /y.
8
This is the extreme wave height, separate from the extreme high seawater level. Half of this wave height should be used when
calculating the extreme coastal flooding height, using this figure in conjunction with the high seawater level and climate change
allowances.
9
Clogging of water intake system implies a situation where the drum screens are sufficiently clogged as to cause a reactor trip to be
undertaken.
Page 47 of 230
Head Document
Design Basis Value7
Site data characteristic
Frequencies of collision:
1 intake head: 3.0×10-6/y
2 intake heads on the same tunnel: 1.5×10-7/y
Ship collision
2 intake heads on different tunnels: 1.4×10-12/y
3 intake heads:1.5×10-13/y
4 intake heads: 1.6×10-16/y
Animal infestation
The analysis shows that the Hinkley Point site is not
particularly exposed to animal infestation.
Turbine disintegration/missile from power
plant in the vicinity (HPB)
Frequency of HPC buildings being struck by HPB
-7
turbine missile: 7.68x10 /y.
Snow
55.8cm (maximum snow depth over a 10,000 year
return period – this does not include snow drifts, which
are assessed under the combined snow and wind
hazard).
Wind
50.1m/s
2.1.3 Justification that the Site is of a Sufficient Size
The Plot Plan Summary Report is included within HPC PCSR2 Sub-chapter 2.3. This
sub-chapter provides a description of the evolution of
{
CCI removed
}
the
plot plan (the Reference Design for HPC PCSR2), including a safety justification for the
layout and a qualitative assessment justifying how the risks from the layout will be
reduced to ALARP through elimination, reduction, isolation and control of hazards. HPC
PCSR2 Sub-chapter 2.3 also provides an explanation of the design optioneering
process that has been undertaken for the various facilities on the HPC site, thereby
demonstrating that the design of the HPC site layout has been optimised wherever
possible. Finally, HPC PCSR2 Sub-chapter 2.3 provides, in response to one of the
ONR’s intervention questions, the basis of the justification that the HPC site is of a
sufficient size to adequately accommodate the two UK EPR units and their associated
support facilities and services.
2.2
Chapter 2 of Consolidated GDA PCSR 2011 provides generic site data. The HPC
PCSR2 augments that information with HPC site-specific information and assessment
and compares the site-specific information with the generic site data. Therefore a new
site-specific chapter has been developed for HPC PCSR2. The source information for
this chapter has been derived from a large number of supporting reference documents.
The information from these reports has been consolidated into Sub-chapter 2.1, and the
comparison of this data with the generic site envelope has been completed in Subchapter 2.2. Figure 3 illustrates the document structure for Chapter 2.
Consolidated GDA PCSR 2011 contains the following sub-chapters:
x
Sub-chapter 2.1 Site Data used in the Safety Analyses,
x
Sub-chapter 2.2 Site Environmental Characteristics.
Page 48 of 230
Head Document
These have been replaced by the following HPC PCSR2 sub-chapters:
x
Sub-chapter 2.1 Site Description and Data,
x
Sub-chapter 2.2 Verification of Bounding Character of GDA Site Envelope,
x
Sub-chapter 2.3 Site Plot.
The boundary of the GDA has been explained above and, as discussed, site-specific
information has been added to that from the GDA to enable a complete assessment of
the HPC site within HPC PCSR2.
Seven GDA Out-of-scope Items [Ref. 2.3] are relevant to this topic. These are listed
below with the NNB GenCo position.
x
Topic Area 2 Civil Engineering, Item 3 Soil parameters and induced vibrations –
NNB GenCo has characterised the soil parameters and seismic conditions of the
land proposed for HPC within PCSR2 Chapter 2.
x
Topic Area 3 External Hazards, Item 1 External flooding: design of site protections
– NNB GenCo has characterised the maximum flooding extent over a 10,000 year
return period. This information is presented within HPC PCSR2 Chapter 2.
Information regarding the flooding protection systems is presented within HPC
PCSR2 Chapter 13.
x
Topic Area 3 External Hazards, Item 2 Low water level: design of site protections –
NNB GenCo has characterised the low water level over a 10,000 year return period.
This information is presented within HPC PCSR2 Chapter 2. Information regarding
the requisite protection systems is presented within HPC PCSR2 Chapter 13.
x
Topic Area 3 External Hazards, Item 3 Climatic conditions: design of Ultimate Heat
Sink – NNB GenCo has characterised the climatic conditions that could potentially
occur during the expected lifespan of the heat sink; these are presented within HPC
PCSR2 Chapter 2. The design of the UHS and other relevant SSCs uses this
information, and this is presented within HPC PCSR2.
x
Topic Area 3 External Hazards, Item 4 Hazard from human origin (industrial
environment, transport routes, EMI, etc.): design of site protections – NNB GenCo
has characterised the external man-made hazards; these are presented within HPC
PCSR2 Chapter 2. The design of the relevant protection systems is presented within
HPC PCSR2 Chapter 13.
x
Topic Area 4 PSA, Item 3 Any requirement on the PSA modelling that needs
detailed design information or site-specific data beyond the scope of the GDA. In
particular any anticipation of future updates of documents included in the reference
design configurations - NNB GenCo has characterised the site-specific data of
relevance to the PSA and these data are presented within HPC PCSR2 Chapter 2
and used within the analysis in Chapter 15.
x
Topic Area 5 Fault Studies, Item 1 Site-specific calculations for radiological
consequences – NNB GenCo has characterised the site-specific data of relevance to
the fault studies and these data are presented within HPC PCSR2 Chapter 2.
Page 49 of 230
Head Document
2.3
Route Map
There are three new sub-chapters for HPC PCSR2 Chapter 2, replacing those in
Consolidated GDA PCSR 2011:
x
Sub-chapter 2.1 Site Description and Data [Ref. 2.4],
x
Sub-chapter 2.2 Verification of the Bounding Character of the GDA Site Envelope
[Ref. 2.5],
x
Sub-chapter 2.3 Site Plot Plan Summary [Ref. 2.6].
The information used within these sub-chapters is utilised throughout HPC PCSR2, in
particular the information is utilised within Chapter 13 Hazards Protection and
Chapter 15 Probabilistic Safety Assessment.
2.4
Conclusions
Chapter 2 provides the site data and descriptions required to complete the deterministic
and probabilistic safety assessments presented within HPC PCSR2. Chapter 2 also
provides the comparison of the HPC site characteristics against those used within the
GDA site envelope. The results of this comparison show that the GDA site envelope is
either bounding in its severity, or that the HPC site characteristics can be adequately
taken into account within the HPC design. Finally, Chapter 2 provides the justification
that the site is of a sufficient size to construct, commission, operate and decommission
the proposed twin UK EPR unit design, and that the site layout has been optimised in
order to reduce the risks to ALARP.
2.5
Ref
References
Title
Location
Document No.
2.1
Consolidated GDA PCSR Sub-chapter 2.1, Issue
03, March 2011
EDRMS
2.2
HPC PCSR2 Forward Work Activities, Issue 1.0,
Nov 2012
EDRMS
HPC-NNBOSL-U0-00RES-000082
2.3
Letter to ONR from EDF
Agreed List of Out of Scope Items for the UK EPR
for GDA, Dated 15th April 2011
EDRMS
ND(NII) EPR00836N
2.4
HPC PCSR Sub-chapter 2.1 - Site Description and
Data, Issue 3, Jan 2012
EDRMS
HPC-NNBOSL-U0-000RET-000004
2.5
HPC PCSR Sub-chapter 2.2 - Verification of the
Bounding Character of the GDA Site Envelope,
Issue 2, Jan 2012
EDRMS
2.6
HPC PCSR Sub-chapter 2.3 - Site Plot Plan
Summary, Issue 2, May 2012
EDRMS
HPC-NNBOSL-U0-ALLRET-000001
UKEPR0002-021-I03
Page 50 of 230
Head Document
3
GENERAL DESIGN AND SAFETY ASPECTS
3.1
Summary
This section summarises General Design and Safety Aspects for HPC as described in
Chapter 3 of HPC PCSR2. The content of Chapter 3 is of a broad technical base
describing general safety principles, classification, design procedures, equipment
qualification, and design codes and standards.
3.1.1 General Safety Principles
The purpose of Sub-chapter 3.1 is to describe the basic safety approach implemented in
the EPR design. It provides both a summary of the main EPR design requirements and a
description of the main technical approach adopted to meet these requirements. The
EPR design was developed within a French and German framework involving both
national safety authorities. The safety authorities produced a specific set of
recommendations for the design of new PWRs, known as the ‘Technical Guidelines’,
which were the fundamental requirements applied to the EPR design. Subsequently, the
EPR design was compared against international standards such as IAEA safety
guidelines, EUR and WENRA reference levels. The ‘Technical Guidelines’ later formed
the basis for the EUR for LWR Nuclear Power Plants, Volume 2, Chapter 1, Revision C
[Ref. 3.1].
3.1.1.1 Nuclear Safety Design Assessment Principles
The NSDAPs [Ref. 3.2] are NNB GenCo’s own safety criteria and standards for the
assessment of nuclear safety of installations operated by the company. The NSDAPs
are based on the EUR and adapted to fit the UK context, particularly regarding the
ALARP principle, radiological targets, and the use of the five levels of ‘defence in depth’.
The NSDAPs are therefore more stringent than the EUR and appropriate for the UK. As
the EPR design is developed from the EUR, and the NSDAPs are mainly based on the
EUR Volume 2.1, then the UK EPR design assessment against the NSDAPs shows a
high level of compliance. Additional assessments have also been undertaken of the UK
EPR design against the ONR SAPs [Ref. 3.3], and the comparison of the SAPs against
the EUR [Ref. 3.4]. The results provide confidence that the decision to base the
NSDAPs on the EUR was correct in a UK licensing context.
3.1.1.2 Comparison of HPC UK EPR Design against NSDAPs
A comparison of the HPC site-specific EPR design (as detailed in HPC PCSR2) against
the NSDAPs has been undertaken [Ref. 3.5]. The table below shows the results of the
assessment.
Page 51 of 230
Head Document
Compliance
Assessment
Acronym
Compliance Assessment Labels
COM
Compliance
CWO
Compliance with Objectives Only
GAP
Number of
NSDAPs
Percentage of
total NSDAPs (%)
298
90.8
21
6.4
Gap or Non Compliance
2
0.6
NAP
Not Applicable
0
0.0
NAS
Not Assessable Today
7
2.2
Total = 328
The table below describes the meaning of the Compliance Assessment Acronyms.
Compliance
Assessment
Acronym
Meaning
COM
The UK EPR design, operational arrangements and safety case meets the
requirement but does not go significantly beyond.
CWO
The UK EPR design, operational arrangements and safety case is supposed to
achieve the objective of the NSDAPs; either a different approach is used to achieve
the same objectives, or the approach is not yet defined.
GAP
The UK EPR design, operational arrangements and safety case does not meet the
requirement or principle.
The method of addressing the gaps will be detailed in a preliminary ALARP
assessment in the pre-ALARP assessment section of [Ref. 3.5] and also in a separate
document/forward work plan if necessary.
NAP
The requirement is not applicable to the UK EPR design, operational arrangements
and safety case.
NAS
Assessment cannot currently be made because the current level of detail in UK EPR
design, operational arrangements and safety case is not sufficiently developed to
address requirements.
The assessment undertaken of the UK EPR design and safety case as described in
[Ref. 3.5] shows a high level of compliance. There is up to 97% level of compliance
reached. This result takes into account work in progress on issues to be resolved
through the Forward Work Activities or through GDA Issue and Assessment Finding
resolution plans. NNB GenCo is confident that the work in progress will later show an
adequate level of compliance.
According to the results of the current assessment there are two gaps in compliance
against the NSDAPs. Using an ALARP approach in line with Appendix 2 of the NNB
GenCo NSDAPs, preliminary ALARP assessments have been undertaken for these two
gaps:
x
NSDAP 2.3.0 – Deterministic Safety Analysis.
Any design basis category/condition 2 to 4 condition shall not lead to:
x
Another design basis category/condition in a higher category, or
x
Another design basis category/condition with more severe consequences. For
instance, a design basis category/condition not involving loss of integrity of
Page 52 of 230
Head Document
the reactor coolant system pressure boundary shall not lead to another
design basis category/condition with loss of integrity of the reactor coolant
system pressure boundary.
A gap exists in the Standstill Seal System (DEA, [SSSS]) design. It remains to be
demonstrated that some PCC-2 (LOOP) events do not induce Loss of Coolant
Accidents (LOCAs). EDF SA and AREVA NP have still to perform a design basis
assessment on the effects of a break in the thermal barriers of the reactor coolant
system’s cooling line. This will be provided as part of the response to the GDA Issue
GI-UKEPR-FS-05 requiring a review of faults on the essential support systems.
x
NSDAP 3.4.1 – Prevention of Early Containment Failure.
Measures are required to prevent Reactor Pressure Vessel (RPV) failure at high
pressure, which could lead to high pressure melt ejection and direct primary
containment heating, or generation of high energy missiles that could damage the
containment. These measures will include reliable means of depressurisation of the
reactor coolant system to a pressure low enough to prevent significant DCH when
molten material is ejected from the reactor vessel. Probabilistic verification using best
estimate analysis and engineering judgement may be used, with the aim of showing
that the cumulative frequency of sequences leading to early failure of the primary
containment is at least one order of magnitude less than the overall frequency of
large releases.
HPC PCSR2 Sub-Chapter 15.4 states that LRF is 1.8x10-7 and LERF is 4.9x10-8.
This is not an order of magnitude difference, and therefore represents a potential gap
against the requirements of the NSDAP. However, the “may be used” wording in this
NSDAP allows the compliance to be substantiated and demonstrated by any other
relevant (ALARP) approach. This issue is currently under investigation.
The assessment of the UK EPR design against the NSDAPs for Engineering Objectives
(NSDAP 5.0.0) shows that the objectives have either been met or that an ALARP
analysis has been provided to justify the design.
The construction of an SSC will not commence until all relevant NSDAPs are satisfied or
are covered by an appropriate ALARP demonstration.
Throughout the plant’s life, NNB GenCo will ensure that there is adequate compliance
between the UK EPR design and the NSDAPs. Thus NNB GenCo will periodically
assess the current state of the design against the NSDAPs during the production of
PCSR3, PCmSR, POSR and SSRs.
3.1.1.3 HPC Site-Specific Design
The UK EPR design is developed through a combination of deterministic fault studies
(reported in HPC PCSR2 Chapters 14 and 16), balanced with PSA (reported in HPC
PCSR2 Chapter 15), and supported by good practices, provision of deterministic rules,
requirements, and codes. The design life of the UK EPR is 60 years, as defined in HPC
PCSR2 Sub-chapter 1.2 [Ref. 3.6]. As stated in HPC PCSR2 Sub-chapter 11.5, the
design life of the interim ILW Store and ISFS is 100 years.
No HPC site-specific fault and protection schedule has been produced for submission
with HPC PCSR2. For the purposes of HPC PCSR2, the content of the GDA fault and
protection schedule is applicable to HPC (see HPC PCSR2 Chapter 14). HPC PCSR2
Chapter 13 discusses internal and external hazards, and HPC PCSR2 Chapter 15
reports the results of a preliminary Loss of Ultimate Heat Sink (LUHS) assessment. A
HPC site-specific fault schedule is included in the Forward Work Activities [Ref. 3.7].
Page 53 of 230
Head Document
Finally, an investigation of the GDA generic site characteristics has been undertaken
and it is confirmed that these, with a few limited exceptions, bound the HPC site-specific
values. This is reported in HPC PCSR2 Sub-chapter 2.2, where any exceptions are
discussed.
3.1.2 Classification of Structures, Systems and Components
Consolidated GDA PCSR 2011 Sub-chapter 3.2 describes the classification scheme
applied to the UK EPR safety-related SSCs. The safety of the plant is dependent on the
performance of its SSCs in normal, fault and hazard conditions. The effect on nuclear
safety of the failure of a SSC depends on its significance and role.
A three-stage approach to classification is developed based on IAEA guidance (NS-R-1)
[Ref. 3.8], the ONR SAPs [Ref. 3.9], and the principles of International Electrotechnical
Commission (IEC) standard IEC 61226 [Ref. 3.10]:
x
Identify safety functions and assign categories based on their importance to safety,
x
Identify the safety functional groups of SSCs and safety features that fulfil the safety
functions and classify based on importance to safety,
x
Link the classification to a set of requirements for design, construction and operation.
NNB GenCo has adopted the principles of this classification system and will apply this in
line with information provided in [Ref. 3.11]. The civil structures have specific
requirements that apply only to them (this is described in the Civil Engineering Summary
Document [Ref. 3.12]). The current application of the methodology for the classification
of buildings is presented (for this point in the project development) in the Buildings and
Structures Classification Summary [Ref. 3.13]. Further work is required in this area.
Consolidated GDA PCSR 2011 Sub-chapter 3.2 also includes tables of information of
safety classification for nuclear island SSCs:
x
Table 1 identifies the classification of main mechanical SSCs (including safety
functions),
x
Table 2 identifies the classification of main electrical systems,
x
Table 3 identifies the classification of I&C systems,
x
Table 4 identifies the classification of the main civil structures. An expansion of this
for HPC is available in the EPR-HPC Building and Structures Safety Classification
Summary Report [Ref. 3.13],
x
Table 5 identifies the list of ‘other structures’ in the Reactor Building and associated
design requirements including safety function,
x
Table 6 identifies the classification of fuel handling and storage SSCs (mechanical
parts),
x
Table 7 identifies hazards safety functions and main safety functional groups.
3.1.2.1 Identification of Safety Functions
Standard IEC 61226 outlines the criteria and identifies methods to be used to assign the
functions of a NPP to three levels reflecting the importance to safety. IEC 61226 defines
a function as:
“a specific purpose or objective to be accomplished that can be specified or
described without reference to the physical means of achieving it”.
Page 54 of 230
Head Document
Consolidated GDA PCSR 2011 identifies three Main Safety Functions (MSFs) that are
necessary for achieving the overall safety objective of protecting people and the
environment. These are:
x
x
Fuel heat removal,
x
Containment of radioactive material.
The MSFs are then further broken down into Plant Level Safety Functions (PLSFs),
each of which are necessary in order to fulfil the MSFs. The PLSFs have evolved from
an examination of IAEA standards for PWRs, good practice (Sizewell B) and analysis of
the EPR plant process.
The Lower Level Safety Functions (LLSFs) add a further layer of detail to the PLSFs.
They combine the PLSFs and the operating conditions of the plant to indicate what must
be achieved to fulfil the PLSFs. It is these LLSFs that are categorised.
3.1.2.2 Safety Function Categorisation
Three categories for the safety functions (A, B and C) are defined as follows:
x
Category A: any function that plays a principal role in ensuring nuclear safety,
x
Category B: any function that makes a significant contribution to nuclear safety,
x
Category C: used to represent functions with a safety role that are not assigned to
Category A or Category B.
Further detailed guidance on the application of this categorisation methodology is
provided in Consolidated GDA PCSR 2011 Sub-chapter 3.2, which brings the approach
in line with the main requirements of ONR SAPs and IAEA NS-R-1. It is also worth
noting that the international I&C standard IEC 61226 has been adopted as a British
Standard and builds on the requirements established in NS-R-1 to provide guidance on
the categorisation of functions according to their importance for safety. Although IEC
61226 concerns the categorisation of I&C functions, the methodologies it suggests are
applicable to other areas, and an interpretation of the IEC 61226 guidance will be
applied to the UK EPR.
3.1.2.3 Safety System Classification
The proposed classification of SSCs is:
x
Class 1 – any SSC that forms a principal means of fulfilling a Category A function,
x
Class 2 – any SSC that makes a significant contribution to fulfilling a Category A
safety function, or forms a principal means of ensuring a Category B safety function,
x
Class 3 – any SSC that contributes to a Category B function, or forms a principal
means of fulfilling a Category C function,
x
SSCs not Class 1, 2 or 3 are ‘Non-Classified’ (NC).
3.1.3 Design of Safety Related Civil Structures
Consolidated GDA PCSR 2011 Sub-chapter 3.3 presents the design methodology for
the civil structures of the generic EPR design adopted in the UK at HPC, and is
applicable to HPC PCSR2. The civil engineering elements covered in the GDA are the
general methodology, the safety analysis, the EPR Technical Code for Civil Works
(ETC-C) design code and the design of certain structures on the nuclear island.
Page 55 of 230
Head Document
Further design detail is provided in the HPC EPR Reference Design [Ref. 3.14].
Consolidated GDA PCSR 2011 uses ETC-C Revision B, but does not reference the later
2010 AFCEN ETC-C and the associated UK companion document. The requirement to
use these two later documents for the UK EPR is identified in the Civil Engineering
Summary Document [Ref. 3.12]. However there is ongoing work within the GDA process
to finalise the application of ETC-C within the UK context that will be reflected in the final
version of the UK companion document or through Assessment Findings.
As the buildings not covered in the GDA have various functions and requirements, they
are subjected to their own specific design load cases and assumptions. HPC PCSR2
civil engineering within the whole plant safety case is therefore based on the Civil
Engineering Summary Document [Ref. 3.12], the Heat Sink Summary Document
(HSSD) [Ref. 3.15] and the Technical Galleries Summary Document [Ref. 3.16] as well
as the inclusion of civil engineering aspects within the appropriate chapters. The Site
Geology Summary Document is also a key supporting document [Ref.3.17].
3.1.4 Mechanical Systems and Components
Consolidated GDA PCSR 2011 Sub-chapter 3.4 presents the design for the mechanical
systems and components for the generic EPR design being adopted in the UK at HPC,
and is generally applicable to HPC PCSR2.
However there is one main difference. Consolidated GDA PCSR 2011 defines use of the
Technical Code for Mechanical Equipment (RCC-M) edition 2007. For HPC, the 2007
version with 2008, 2009 and 2010 addenda will be used. The changes have been
reviewed by the Architect Engineer, and this review will be subject to the NNB GenCo
DR&A procedure.
3.1.5 Safety Related Interfaces
Consolidated GDA PCSR 2011 Sub-chapter 3.5 presents the design of the safetyrelated interfaces in the nuclear island between the mechanical equipment and civil
structures, safety of electrical equipment and civil engineering, and safety-related
interfaces between the nuclear island and non-nuclear areas for the generic EPR design
being adopted in the UK at HPC. There are no HPC site-specific changes from the GDA,
and the sub-chapter is applicable to HPC PCSR2.
3.1.6 Qualification of Electrical and Mechanical Equipment for
Accident Conditions
HPC PCSR2 Sub-chapter 3.6 describes the principles for the qualification of safetyrelated structures and mechanical, electrical and C&I equipment regarding its correct
function under accident conditions including severe accidents. Equipment qualification is
assured through design, testing and/or analysis, and use of equipment experience data.
HPC PCSR2 Sub-chapter 3.6 is a new HPC site-specific Sub-chapter which has been
reviewed and accepted through the NNB GenCo DR&A procedure. It makes appropriate
use of the information from the Consolidated GDA PCSR 2011 Sub-chapter 3.6
alongside updated HPC specific information. It applies to safety classified mechanical
and electrical equipment, which must operate for the systems to fulfil their safety
function.
Page 56 of 230
Head Document
3.1.7 Codes and Standards used in the design of the EPR
The purpose of Consolidated GDA PCSR 2011 Sub-Chapter 3.8 is to give an overview
of the principal codes and standards used in the EPR design (it is not an exhaustive list).
The contents of the codes have been reviewed and a comparison undertaken with those
codes that would normally be used in the UK.
The principal technical design codes considered are:
x
Design and Construction Rules for mechanical components of PWR nuclear islands
(RCC-M) [Ref. 3.18]. NNB GenCo has reviewed the RCC-M 2008, 2009 and 2010
modification sheets as part of the DR&A process. For the HPC design, NNB GenCo
has adopted the 2007 version plus the 2008, 2009, and 2010 addenda.
Other design principles fundamental to UK structural integrity safety reports are
discussed elsewhere in this document, for example: High Integrity Components
(HICs) (Section 5.1.4.1); requirements for Incredibility of Failure (IoF) components
(Section 5.1.4.1); and the break preclusion concept (Section 10.1.6).
x
Technical Code for Electrical Equipment (RCC-E) [Ref. 3.19]. During the GDA
process a comparison has been made of RCC-E and UK practices. The conclusion
has been reached that there are no technical or legal limitations in the use of the
RCC-E code.
The design principles of I&C system design are described in Consolidated GDA
PCSR 2011 Sub-chapter 7.1 [Ref. 3.20].
x
ETC-C [Ref. 3.21]. The GDA examined the civil engineering design of the principal
structures of the UK EPR and also assessed the ETC-C code, which was the
principal code governing the design of these structures. The generic design had
been performed using the 2006 version of the code. However during the GDA
process the code was updated and revised, and this has culminated in the AFCEN
2010 version of the ETC-C [Ref. 3.21]. This latest version of the code has also been
examined within the GDA process for its acceptability within the context of the UK
regulatory regime. As a consequence, a UK companion document [Ref. 3.22] has
been written in order to modify and clarify how the code is to be implemented within
the UK, and use of this document is mandatory for the UK EPR.
x
EPR Technical Code for Fire Protection (ETC-F) [Ref. 3.23]. The EPR design for fire
protection is based on the ETC-F. As part of the GDA process a review of the ETC-F
was undertaken, which concluded that the ETC-F does not specifically address the
UK conventional fire safety regulations (i.e. personnel protection and property
protection). To examine these issues the ETC-F document has been assessed
against the requirements of the UK regulations and a companion document has been
produced that presents the necessary adaptations to ETC-F. The adaptations
comprised two parts:
1) Proposed adaptations of ETC-F main body, including modification of parts
where differences exist between French and UK requirements,
2) Provision of a specific annex applicable to the UK.
Further work relating to the use of ETC-F is detailed in the HPC PCSR2 Forward
Work Activities report [Ref. 3.7].
x
Technical Code for Mechanical Equipment (RSE-M) [Ref. 3.24]. An independent
review of RSE-M has been undertaken. The review related to the methodology, and
to its verification and validation. RSE-M is not a design code, but relates principally to
rules of operation.
Page 57 of 230
Head Document
3.1.8 Summary of Computer Codes Used in Chapter 3
Consolidated GDA PCSR 2011 Sub-Chapter 3.8 Appendix A describes the computer
codes and software used in the analysis and design of the UK EPR and work associated
with all Chapter 3 sub-chapters. A range of finite element analysis software tools,
together with calculation/assessment programs and macros were identified in the
design. These software tools have been subject to a GDA review by the ONR to confirm
their suitability for use in the UK context and to identify where further information to
support their use would be required. The GDA Assessment Findings with respect to
software are noted, and where applicable appropriate action will be taken to address
them.
NNB GenCo (Design Authority) has also undertaken a further review of software, taking
into account the previous findings during GDA. Surveillance of software is an ongoing
process and will be undertaken against plans prepared by the Design Authority and the
Architect Engineer for the detailed design phase.
Computer codes used in the development of the UK EPR design outside of Chapter 3
are reported in the associated HPC PCSR2 sub-chapter.
3.2
Summary of the process for learning from Fukushima and the
stress tests
Full details of the resilience enhancements for the UK EPR that have been proposed to
address Fukushima lessons learned can be found within the HPC PCSR2 Forward Work
Activities report [Ref. 3.7], linked to NNB GenCo's report Response to the March 2011
Accident at Fukushima [Ref. 3.25].
The UK EPR, and the proposed HPC power station in particular, has been subjected to
a series of ‘stress tests’ in response to the events that occurred at the Fukushima Daiichi
NPP in March 2011. The stress tests applied were as defined in the ENSREG
specification document and consisted of the following:
x
Consideration of effects of earthquakes, flooding and extreme weather,
x
Determination of available margin between Design Basis Earthquake (DBE) and
plant capability,
x
Identification of any cliff-edge effects,
x
Consideration of loss of major safety systems, i.e. loss of electrical supplies and loss
of UHS irrespective of cause,
x
Consideration of severe accident scenarios irrespective of consideration of fault
sequence.
Results from the stress tests assessment shows that the design basis for the UK EPR is
appropriate, and that there are margins between the magnitude of the hazards predicted
for the Hinkley Point site and the design basis for the UK EPR.
Output from the stress tests includes the identification of measures, for further
consideration as potential changes for incorporation in the UK EPR design or
prospective licensee emergency arrangements, to further increase the margins. The
next stage of the process is to apply the resilience guidance developed with ONR and
the other UK licensees to the identified measures for further consideration, in order to
develop the approach and scope for providing the necessary resilience modifications.
Any design modifications arising will be carried forward and undergo optioneering,
without the ongoing plant design evolution forcing the decision. Any design modifications
Page 58 of 230
Head Document
will be managed by a modification process and will be subject to the NNB GenCo DR&A
procedure.
Changes to the safety case for the UK EPR arising from the stress tests assessment will
be incorporated into the relevant site-specific HPC safety case documentation.
3.3
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 3.1-3.5
and Sub-chapter 3.8. Consolidated GDA PCSR 2011 Sub-chapter 3.7 deals with
interfaces to conventional safety. The safety case strategy identifies that these risks
should be addressed elsewhere, and so there is no equivalent sub-chapter within HPC
PCSR2. A new site specific Sub-chapter 3.6 has been provided for HPC PCSR2. Figure
4 illustrates the document structure for HPC PCSR2 Chapter 3.
Consolidated GDA PCSR 2011 Sub-chapter 3.1 presents general safety principles, and
is applicable to HPC. The NSDAPs themselves are detailed in [Ref. 3.2]. The status of
the PSA work undertaken in support of HPC PCSR2 is reported in HPC PCSR2 Chapter
15.
Consolidated GDA PCSR2 2011 Sub-chapter 3.2 details the procedure for classification
of SSCs. The application of the classification system is a GDA Issue, although a report is
available [Ref. 3.10] that outlines how an appropriate classification system could be
applied at HPC.
Consolidated GDA PCSR 2011 Sub-chapter 3.3 presents the design for the civil
structures of the generic EPR design adopted in the UK at HPC, and is generally
applicable for HPC PCSR2 as discussed in Section 3.1.3 above.
Consolidated GDA PCSR 2011 Sub-Chapter 3.4 presents the mechanical systems and
components, and is applicable to HPC. The HPC PCSR2 Forward Work Activities report
identifies areas for further work [Ref. 3.7].
Consolidated GDA PCSR 2011 Sub-Chapter 3.5 presents safety-related interfaces, and
is applicable to HPC. The HPC PCSR2 Forward Work Activities report identifies areas
for further work [Ref. 3.7].
HPC PCSR2 Sub-chapter 3.6 presents the procedure for the Qualification of Electrical
and Mechanical Equipment for Accident Conditions, and is generally applicable to HPC
PCSR2, noting the requirements of the Forward Work Activities [Ref. 3.7].
There is no Sub-chapter 3.7 in HPC PCSR2 as this report does not cover conventional
health and safety; these aspects will be covered in other documentation.
Consolidated GDA PCSR 2011 Sub-chapter 3.8 presents codes and standards used in
the design of the EPR, and is applicable to HPC.
The agreed list of GDA Out-of-scope Items for the UK EPR is detailed in ONR Letter
[Ref 3.26]. These are summarised below:
Classification
x
The classification system for SSCs. The issue of classification for HPC is covered by
a GDA Issue.
Page 59 of 230
Head Document
Civil Engineering
3.4
x
Detailed design of Waste Treatment Building, pumping station, tunnels & galleries,
x
Detailed design of common raft and NAB raft,
x
Soil parameters and induced vibrations,
x
Detailed design of NAB chimney,
x
Design of prestressing gallery in interface with the common raft,
x
P14 drawings and detailing provisions,
x
ETC-C Part 2 Sections 2.1, 2.6, 2.8, 2.11, 2.12 and 2.13,
x
Detailed design of diesel buildings,
x
Detailed design of pool liners,
x
Detailed design of anchorages other than those covered by the ETC-C,
x
MCR detailed design and layout,
x
Detailed design of NAB and Safeguards Auxiliary Buildings.
Route Map
The general design and safety aspects for HPC are described in Chapter 3 as:
3.5
x
Sub-chapter 3.1 General Safety Principles [Ref. 3.27] presents general safety
principles,
x
Sub-chapter 3.2 Classification of Structures, Equipment and Systems [Ref. 3.28]
details the procedure for classification of SSCs,
x
Sub-chapter 3.3 Design of Safety Classified Civil Structures [Ref. 3.29] presents the
design for the civil structures of the generic EPR design adopted in the UK at HPC.
This sub-chapter also has an interface with the HSSD [Ref. 3.15] and through this
document also with Sub-chapters 9.2 and 9.4 of HPC PCSR2,
x
Sub-Chapter 3.4 Mechanical Systems and Components [Ref. 3.30] presents the
mechanical systems and components,
x
Sub-Chapter 3.5 Safety Related Interfaces [Ref. 3.31] presents safety-related
interfaces,
x
Sub-chapter 3.6 Qualification of Electrical and Mechanical Equipment for Accident
Conditions [Ref. 3.33] presents the procedure for the qualification of electrical and
mechanical equipment for accident conditions,
x
Sub-chapter 3.8 Codes and Standards Used in the EPR Design [Ref. 3.32] presents
codes and standards used in the design of the EPR.
Conclusions
The generic EPR design is based on the fundamental requirements of the ‘Technical
Guidelines’, which in turn formed the basis for the EUR for LWR Nuclear Power Plants,
Volume 2, Chapter 1, Revision C. NNB GenCo's own fundamental nuclear safety
principles, the NSDAPs, are based on the EUR and adapted to fit the UK context,
particularly regarding the ALARP principle, radiological targets, and the use of the five
levels of ‘defence in depth’. A comparison of the HPC site-specific EPR design against
Page 60 of 230
Head Document
the NSDAPs has been undertaken and shows up to 97% compliance. There are two
gaps in compliance that will be addressed using an ALARP approach.
A three-stage approach to the safety classification of SSCs has been developed, based
on IAEA guidance, the ONR SAPs and the principles of IEC Standard 61226. The
implementation of classification will be completed following resolution of the associated
GDA Issue. The HPC classified site-specific civil structures will be designed in line with
the methodology outlined in HPC PCSR2 and ETC-C with its associated UK companion
document. The remaining SSCs are designed against the principle mechanical (RCC-M
and RSE-M), civil (ETC-C), electrical (RCC-E) and fire protection (ETC-F) codes and
utilise UK adaptations as necessary. A specification also exists for the qualification of
electrical and mechanical equipment under accident conditions. The computer codes
used in the development of the design (finite element, structural assessment,
calculation/assessment software) have been subject to ONR review and ongoing NNB
GenCo surveillance.
Therefore:
x
The HPC site-specific EPR design is suitably compliant with NNB GenCo company
fundamental nuclear safety principles,
x
There is confidence in the methodology for the safety classification of SSCs,
x
The principal technical design codes and standards used in the EPR design have
been reviewed and a comparison undertaken with those codes that would normally
be used in the UK,
such that there is sufficient confidence in the HPC site-specific EPR design as presented
in HPC PCSR2.
3.6
References
Ref
Title
Location
Document No.
http://www.europeanutil
ityrequirements.org/eur
.htm
EUR Volume 2, Chapter
1, Revision C April 2001
3.1
EUR for Light Water Reactor Nuclear Power
Plants, Revision C, April 2001
3.2
Nuclear Safety Design Assessment Principles,
Issue 1, Feb 2012
EDRMS
NNB-OSL-STA-000003
3.3
Comparison of EPR design with HSE/ONR
SAPs, Issue 00, June 2008
EDRMS
UKEPR-0005-001 Issue
00
3.4
UK NII/HSE Safety Assessment Principles
comparison with EURs, ENSN070068 Rev B
Oct 2007
EDRMS
HPC-NNBOSL-U0-000REP-001286
3.5
HPC PCSR2 Assessment against the NSDAPs,
Issue 2, June 2012
EDRMS
3.6
HPC PCSR2 Sub-Chapter 1.2 – General
Description of the Units, Issue 1, April 2012
EDRMS
3.7
Nov 2012
EDRMS
3.8
Safety of Nuclear Power Plants: Design
(Requirements for Design).
http://wwwpub.iaea.org/books/IAE
ABooks/6002/Safetyof-Nuclear-PowerPlants-Design-SafetyRequirements
3.9
Safety Assessment Principles for Nuclear
Facilities. 2006 Edition Revision 1
UK Health and Safety Executive (HSE)
http://www.hse.gov.uk/
nuclear/saps/index.htm
ISSN 1020-525X IAEA
Safety Standards Series
N° NS-R-1. IAEA. 2000.
2006 Edition Revision 1
Page 61 of 230
Head Document
Ref
Title
Location
Document No.
3.10
IEC 61226 Nuclear power plants Instrumentation and control systems important
to safety - Classification of instrumentation and
control functions. Edition 2, 2005
British Standards
Library
IEC 61226 Ed. 2.0 dated
2005,
3.11
Classification of Structures, Systems and
Components, NEPS-F DC 557, Revision C, Jan
2011
EDRMS
HPC_NNBSOL-U0-000REP-000089
3.12
Civil Engineering Summary Document, Issue
1.0, October 2012
EDRMS
3.13
EPR HPC – Building and structures
classification summary report, Rev A, April 2012
EDRMS
ECEIG111827
3.14
Hinkley Point C EPR Reference Design For
PCSR2 ECUK110225, Rev B, March 2012
EDRMS
HPC-NNBOSL-U0-000NOT-000004
3.15
Heat Sink Summary Document, Issue 2, Jan
2012
EDRMS
3.16
Technical Galleries Summary Document, Issue
1, Aug 2012
EDRMS
3.17
Site Geology Summary Document, Issue 1.0,
Aug 2012
EDRMS
3.18
RCC-M : Design and Construction Rules for
mechanical components of PWR nuclear
islands, 2007
-
RCC-M AFCEN
3.19
RCC-E: Design and Construction Rules for
Electrical Components of PWR Nuclear Islands,
Dec 2005
-
RCC-E AFCEN
3.20
Consolidated GDA PCSR – Sub-chapter 7.1 –
Design principles of the Instrumentation and
Control systems, Issue 02, 2009, EDF/AREVA
EDRMS
UKEPR-0002-071-I02
3.21
ETC-C : EPR Technical Code for Civil works,
-
AFCEN – 2010 Edition
3.22
UK EPR – GDA – UK Companion Document to
AFCEN ETC-C, Revision E, August 2012
EDRMS
ENGSGC110015
3.23
ETC-F: EPR Technical Code for Fire Protection,
ENGSIN050312 Revision B, 2006
EDRMS
3.24
RSE-M, Technical Code for Mechanical
Equipment, 2007
-
3.25
Response to the March 2011 Accident at
Fukushima, Issue 2, May 2012
EDRMS
3.26
Agreed List of Out of Scope Items for the UK
EPR for GDA, Dated 15th April 2011
EDRMS
ND(NII) EPR00836N
RSE-M, 2007 Edition.
3.273.32
Consolidated GDA PCSR Sub-chapters 3.1 –
3.5, 3.8, Issue 03, 2011, EDF/AREVA.
EDRMS
UKEPR-0002-031-I03
UKEPR-0002-032-I03
UKEPR-0002-035-I03
UKEPR-0002-036-I03
UKEPR-0002-018-I03
UKEPR-0002-039-I03
3.33
HPC PCSR2 Sub-Chapter 3.6, Qualification of
electrical and mechanical equipment for
accident Conditions, Issue 1, November 2012
EDRMS
Page 62 of 230
Head Document
4
REACTOR AND CORE DESIGN
4.1
Summary
This section provides a summary of the HPC PCSR2 Chapter 4 sub-chapters, which for
the purposes of HPC PCSR2 have the same scope as those of the Consolidated GDA
PCSR 2011 [Refs. 4.1-4.6]. This section also gives more detail of specific design
aspects than has been presented in the GDA.
4.1.1 Safety Functions
As detailed in Sub-chapters 4.2, 4.3 and 4.4, the reactor and core design supports all
three of the MSFs of the UK EPR (i.e. fuel heat removal, control of fuel reactivity and
containment of radioactive material).
The MSFs provided by the fuel assemblies are:
x
Control of fuel reactivity and safe core shutdown under all circumstances,
x
Fuel heat removal through preservation of a coolable geometry,
x
Containment of radioactive materials (in particular fission products) within the first
barrier.
The safety functional requirements met by the neutronic core design are:
x
Control of fuel reactivity to enable the chain reaction to be stopped under all
circumstances and to return the reactor to a safe state,
x
Removal of heat produced in the fuel via the coolant,
x
Containment of radioactive material (actinides and fission products) inside the first
barrier.
The MSFs carried out by thermal and hydraulic design are:
x
Removal of heat produced in the fuel via the coolant,
x
Containment of radioactive material (actinides and fission products) within the first
barrier.
4.1.2 Summary Description of the Core and the Fuel Assemblies
The reactor core contains the nuclear fuel. The remainder of the core structure serves
either to support the fuel, control the chain reaction, or to channel the coolant.
The reactor core consists of a specified number of fuel rods, which are held in bundles
by spacer grids and top and bottom fittings. The fuel rods consist of uranium dioxide
pellets stacked in an M5 alloy cladding tube plugged and seal welded to encapsulate the
fuel. The square bundles, known as fuel assemblies, are arranged within the core in a
pattern that approximates to a cylinder.
Each fuel assembly is formed by a 17 x 17 array, made up of 265 fuel rods and 24 guide
thimbles. The 24 guide thimbles are joined to the grids, some of which enhance mixing
of the coolant, and the top and bottom nozzles. The guide thimbles are the locations for
the Rod Cluster Control Assemblies (RCCAs), the neutron source rods or the in-core
instrumentation. Guide thimbles that do not contain one of these components are fitted
with plugs to limit coolant bypass flow.
Page 63 of 230
Head Document
The fuel product for the first core and a number of reloads of HPC will be the AFA3GLE
fuel product, which is the same as the design for Flamanville 3. This is the standard
AREVA fuel for EPR with AFA3G grids and with M5 structure and cladding material.
Based on operational experience regarding fuel assembly bow, quaternary alloy is being
considered as the material for the guide tubes (note that this activity is being managed
as a GDA Assessment Finding as presented in the HPC PCSR2 Forward Work Activities
report [Ref. 4.7]). As an ALARP consideration, the addition of a lower plenum in the fuel
rod enables capture of a greater quantity of fission product gases providing for an
increase in enrichment and burn-up, thereby indirectly leading to a reduced frequency of
refuelling outages and hence reduced associated dose.
For HPC it has been confirmed that the fuel will be UO2 only (there are currently no
plans to load Mixed Oxide (MOX) fuel) [Ref. 4.8]. The fuel cycle being considered for
fault studies is 500 Effective Full Power Days (EFPDs) with +/-2 months flexibility,
30 days stretch (cycle extension), and 25 days anticipation (cycle curtailment). This is
equivalent to an 18-month operating cycle, which is common for PWRs operating
worldwide. There will be a provision for frequency sensitive mode operation, which is
essentially the mode of operation that provides frequency support to the grid (the safety
implications of operation within this mode will be managed and the associated risks will
be demonstrated as ALARP (this Forward Work Activity is recorded in [Ref. 4.7]).
The maximum burn-up limit for an individual rod corresponds to a mean rod burn-up of
62MWd/kgU (corresponding approximately to a fuel assembly burn-up of 58MWd/kgU).
The initial core consists of 241 assemblies split up into three regions with different fuel
pellet enrichments. Based on enrichments currently in use in the EDF fleet, the
enrichment for HPC is not expected to exceed 4.5 weight per cent (w/o) (compared to
the EPR design maximum of 5.0w/o) [Ref. 4.8].
Fuel loading patterns will be based on an 18-month equilibrium cycle with an INOUT fuel
management scheme as described in the GDA. They will be based on consideration of
protecting the vessel and the heavy reflector from irradiation damage, having a good fuel
optimisation, and maintaining a flat radial neutron flux distribution.
Provisions are made in the design of the SFPs to accommodate fuel examination
equipment for pool side inspections. Furthermore, the fuel route design will enable
docking of transport flasks for off-site post irradiation examination purposes (see
Section 9).
The core is radially surrounded by a heavy reflector made of thick steel slabs, whose
function is to reflect the neutrons that escape the core back towards the fuel assemblies.
The core is cooled and moderated by light water at a pressure of 15.5MPa.
4.1.3 Summary Description of the Reactivity Control Methods
The moderator/coolant contains enriched boric acid (enriched in B-10) as a neutron
absorber. The boron concentration in the coolant is varied as required (see Section 5 for
primary circuit chemistry) to make relatively slow reactivity changes, including
compensation for the effects of fuel burn-up. Additional neutron poison (Gadolinium Gd), in the form of burnable-poisoned fuel rods, is used to establish the required initial
core reactivity and power distribution. This contributes to managing the reactivity
associated with enriched fuel, which enables efficient utilisation of the fuel. The
maximum number of Gd rods will be 24 per assembly, with a Gd enrichment of 8% and
UO2 enrichment of 2.5%. The localisation of Gd rods will be appropriate so as not to be
detrimental to the radial power distribution.
Page 64 of 230
Head Document
The core reactivity and the core power distribution are also controlled by the movable
RCCAs, which are neutron absorber rods that enable rapid changes in reactivity to be
made. They are made of AIC (silver, indium, cadmium alloy) and B4C (boron carbide).
Each RCCA consists of a group of individual absorber rods fastened at the top end to a
common hub or spider assembly. The RCCAs are split into several groups. The Control
Rod Drive Mechanisms (RGL [CRDM]) control the position of the RCCAs and enable
them to be moved into the active part of the core in order to shut down the reactor. The
RGL [CRDM] are electro-mechanical devices fixed to the reactor vessel cap. They
control the RCCA position and ensure the reactor trips by interrupting the RGL [CRDM]
electrical supplies, which causes the RCCAs to drop by gravity into the fuel assemblies.
4.1.4 Objectives of the Nuclear and Thermal-Hydraulic Design
Analyses
The nuclear design evaluation has established that the reactor core has inherent
characteristics which, together with the reactor control and protection systems, provide
adequate reactivity control even if the highest reactivity worth RCCA is stuck in the fully
withdrawn position. Further nuclear design analyses and evaluations will establish
physical locations for burnable poison rods, and physical parameters such as fuel
enrichments and boron concentration in the coolant (this Forward Work Activity is
recorded in [Ref. 4.7]).
The design also provides for inherent stability against radial and axial power oscillations,
and for control of axial power oscillation induced by control rod movements.
The thermal-hydraulic design analyses and evaluations establish coolant flow
parameters, which ensure adequate heat transfer between the fuel cladding and the
reactor coolant. The reactor design enables residual heat removal by natural convection
of the primary coolant in certain circumstances. The thermal design takes into account
local variations in dimensions, power generation, flow distribution, and mixing. The
mixing vanes incorporated in the fuel assembly spacer grid design induce additional flow
mixing between the various flow channels within a fuel assembly, as well as between
adjacent assemblies. Instrumentation is provided within and outside the core to monitor
the nuclear, thermal-hydraulic and mechanical performance of the reactor, and to
provide inputs to automatic control and reactor protection functions (see Chapter 7).
As reported in Consolidated GDA PCSR 2011, the issue of fuel assembly bow has been
shown not to affect the Critical Heat Flux (CHF) at the edge of fuel assemblies.
Results from fault studies analysis based on the operational requirements for HPC will
be presented in the PCmSR (this Forward Work Activity is recorded in [Ref. 4.7]).
4.1.5 Other Items Presented in the Consolidated GDA PCSR 2011
The functional design of reactivity control and a compilation of reactor design
parameters are presented in Consolidated GDA PCSR 2011. In addition to this the
design methods, tools, and computer codes used are described.
4.2
and appendix. Figure 5 illustrates the document structure for Chapter 4.
Page 65 of 230
Head Document
All Chapter 4 sub-chapters of Consolidated GDA PCSR 2011 are applicable for HPC
[Refs. 4.1 to 4.5].
The design for HPC is bounded by the assumptions of Consolidated GDA PCSR 2011
[Refs. 4.1-4.6].
The scope of GDA sets the boundaries of fuel and core design for the UK EPR. This
includes different fuel cycle length designs and MOX considerations. For HPC,
operational parameters have been narrowed down compared to the scope of the GDA
[Ref. 4.8].
There is only one item considered to be out-of-scope of the GDA: the final evaluation of
the impact of fuel assembly bow on safety margin will be defined more precisely before
implementation in HPC, accounting for operating experience and ongoing developments
(e.g. fuel assembly mechanical improvements). This Forward Work Activity is recorded
in [Ref. 4.7]. Final safety margins are potentially linked to the implemented core
management.
4.3
Route Map
HPC PCSR2 Chapter 4 discusses the reactor and core design for the UK EPR and is
organised as follows.
4.4
x
Sub-chapter 4.1 Summary Description [Ref. 4.1] presents a summary of the content
of Chapter 4. It includes details of the reactor design parameters.
x
Sub-chapter 4.2 Fuel System Design [Ref. 4.2] describes the fuel system design. It
lists the safety requirements to be met in the design of the fuel assemblies and
provides a description of the fuel and control rod designs.
x
Sub-chapter 4.3 Nuclear Design [Ref. 4.3] covers the nuclear design. It provides a
description of the core and, in addition to listing the safety requirements, it focuses
on design bases, power distributions, reactivity, core control and criticality. Nuclear
design parameters are presented.
x
Sub-chapter 4.4 Thermal and Hydraulic Design [Ref. 4.4] describes the thermal and
hydraulic design. The safety requirements, design bases, and relevant design criteria
are discussed. The analysis methods and design data are discussed. Testing and
instrumentation requirements are briefly described.
x
Sub-chapter 4.5 Functional Design of Reactivity Control [Ref. 4.5] presents the
functional design of reactivity control. In addition to describing the safety
requirements and design bases, it gives a functional design description of the
relevant systems.
x
Appendix 4 Computer Codes Used in Chapter 4 [Ref. 4.6] briefly discusses the
relevant computer codes: Apollo 2, SMART, ORIGEN-S, FLICA III-F, and STAR-CD.
Conclusions
The reactor and core design represents an evolution from existing designs where there
is substantial operating experience, with some improved features added. These include:
x
Additional support for the fuel to limit the effects of assembly bow,
Page 66 of 230
Head Document
x
Addition of a heavy reflector to reduce irradiation damage to the reactor vessel and
optimise fuel utilisation.
The reactivity control is based on two diverse methods – boron and control rods - that
are conceptually and physically diverse and standard practice in PWRs. The control rods
incorporate some redundancy by enabling shutdown even with the highest reactivity
worth rod stuck fully withdrawn.
The reactor and core design is sufficiently well developed to support moving into the
construction phase, and the design basis described in HPC PCSR2 provides an
adequate baseline safety justification to support this. Work activities to develop further
the safety case in the reactor and core design area are identified in the HPC PCSR2
Forward Work Activities report [Ref. 4.7].
4.5
Ref
References
Title
Location
Document No.
4.14.5
Consolidated GDA PCSR Sub-chapters 4, 2011, Issue 03
and 04 (Sub-chapter 4.3 only) EDF/AREVA.
EDRMS
UKEPR0002-041-I03
UKEPR0002-042-I03
UKEPR0002-043-I04
UKEPR0002-044-I03
UKEPR0002-045-I03
4.6
Consolidated GDA PCSR Appendix 4, Issue 03, 2011,
EDF/AREVA.
EDRMS
UKEPR0002-046-I03
4.7
HPC PCSR2 Forward Work Activities, Issue 1.0, Nov
2012
EDRMS
4.8
UK EPR – Review Meeting “Assumptions for the
Adjusting Phase of the 1st Fuel
Management” - April 6th 2011 – Conclusion and
Recommendations
EDRMS
UKX-NNBOSL-XX-000MOM-000001
Page 67 of 230
Head Document
5
REACTOR COOLANT SYSTEM AND ASSOCIATED
SYSTEMS
5.1
Summary
This section of the Head Document summarises the safety functional roles, components,
and chemistry of the Reactor Coolant System (RCP [RCS]) and associated systems, as
described in Chapter 5 of HPC PCSR2. A description of how the integrity of the highest
integrity components in the RCP [RCS] is justified is also presented. With little exception,
the information presented in Chapter 5 of Consolidated GDA PCSR 2011 is considered
applicable to HPC. The design of the RCP [RCS] is evolutionary, is considered
consistent with the principle of ALARP, since all reasonably practicable means to
minimise the possibility of failure of the Reactor Coolant Pressure Boundary (RCPB)
components are applied, and is supported by significant operational experience. Gaps
are identified, and Forward Work Activities to address these gaps are summarised in the
HPC PCSR2 Forward Work Activities report [Ref. 5.1].
As detailed in Consolidated GDA PCSR 2010 Sub-chapter 5.1, the RCP [RCS] supports
all three of the MSFs of the UK EPR (i.e. fuel heat removal (both during normal
operation and shutdown conditions), control of fuel reactivity and containment of
radioactive material). The RCP [RCS] achieves these MSFs by performing the following
functional roles:
x
The second barrier to the release of radioactive material (in the event of fuel cladding
failure),
x
Control of the fuel reactivity in the reactor core,
x
Removal of fuel heat from the reactor core,
x
Control of the reactor coolant (primary circuit) pressure.
5.1.2 Components of the Reactor Coolant System
The components of the RCP [RCS] are described in Consolidated GDA PCSR 2010
Sub-chapters 5.3 and 5.4. The RCP [RCS] of the UK EPR consists of the RPV, including
89 Control Rod Drive Mechanisms RGL [CRDM], with four cooling loops. Each cooling
loop consists of one steam generator and one reactor coolant pump. There is a single
pressuriser, connected to the hot leg of loop 3 via the surge line. The RCP [RCS] also
consists of the pressuriser spray lines and the relief valves, lines and tanks.
The RCP [RCS] has connections to the following auxiliary systems:
x
Safety Injection and Residual Heat Removal System (RIS/RRA [SIS/RHRS]) via:
o Four nozzles on the hot legs (used for RRA [RHRS] suction),
o Four nozzles on the cold legs (also used for accumulator discharge, Extra
Boration System RBS [EBS] injection, Medium Head Safety Injection (MHSI)
and Low Head Safety Injection (LHSI)/RRA [RHRS] to these four loops).
x
Chemical and Volume Control System (RCV [CVCS]) via:
o Two nozzles on the cold legs of loops 2 and 4 (RCV [CVCS] make-up on two
loops),
Page 68 of 230
Head Document
o One nozzle on the crossover leg of loop 1 (RCV [CVCS] letdown on one loop),
o One nozzle on the pressuriser for the auxiliary spray line.
x
Other connections to nitrogen supply to the (DEA [SSSS]) of the reactor coolant
pumps, connections to the Nuclear Sampling System (REN [NSS]), and instrument
nozzles.
The RCP [RCS] is included in the scope of the Nuclear Steam Supply System (NSSS)
contract. The UK technical configuration for the system is presented in [Ref. 5.2].
5.1.3 RCP [RCS] Fluid Characteristics
The pressures and temperatures for the RCP [RCS] in Consolidated GDA PCSR 2011
are as follows:
x
RCP [RCS] operating pressure: 155 bar abs (in the pressuriser),
x
RCP [RCS] design maximum pressure: 176 bar abs,
x
Pressuriser temperature in operation: 345°C (which is the saturation temperature at
155 bar abs),
x
RCP [RCS] design maximum temperature is:
o 362qC for the pressuriser, surge line, spray lines and safety relief valves,
o 351qC for the remainder of the RCP [RCS].
These pressures and temperatures are adopted without change for HPC.
5.1.4 Integrity of Reactor Coolant Pressure Boundary
The justification of the integrity of the RCPB is described in Consolidated GDA PCSR
2011 Sub-chapters 5.2 and 3.4, based on the concept defined in Consolidated GDA
PCSR 2011 Sub-chapter 13.2 Internal Hazards Protection. The key elements of the
justification for the integrity of the RCPB are summarised below.
5.1.4.1 High Integrity Components
High Integrity Components (HICs) are defined as components where it cannot be
justified that the consequences of the gross failure are acceptable.
All RCPB components (pressure boundary parts) are denoted as HICs and can be listed
in two categories:
x
Non-breakable components: reactor pressure vessel, steam generator, pressuriser,
reactor coolant pump casing,
x
Break-preclusion piping: main primary coolant and main secondary coolant lines
(excluding surge line and connected lines).
Note: the reactor coolant pump flywheel is also classified as a HIC due to the missile
generation risk.
‘Non-breakable’ is denoted to components whose failure may lead to a situation where
no measures are available to recover to a safe state. That is to say, failure of nonbreakable components would lead to the loss of the ability to cool the core, and hence
lead directly to core damage resulting in a potential unacceptable release of radioactive
products outside the containment. No protection is provided for failure of these
components where it is not reasonably practicable to do so. Therefore they are designed
to the highest integrity so that their failure does not need to be considered
Page 69 of 230
Head Document
deterministically. However, the off-site radiological risk associated with their failure is
included in the PSA for the reactor (see Chapter 15). Given the extremely low probability
of failure of a non-breakable component, and due to the capability of the containment
building to withstand the severe accident conditions that could result from failure of the
non-breakable components, the radiological risk from such failures is assessed as
negligible.
‘Break-preclusion’ is applied to high energy pipework for which the failure frequency is
considered so low that catastrophic failure of those break-preclusion lines has been
deterministically ruled out. Therefore, surrounding components and structures do not
need to be designed to withstand such a failure. However, the break-preclusion
components (main primary coolant and some10 main secondary coolant lines) have
design provisions to ensure that gross failure will not lead directly to severe core
damage or unacceptable release of radioactivity outside the reactor containment. The
necessity and detailed design of these provisions are to be confirmed for HPC.
The cases for non-breakable components and break-preclusion pipework are detailed in
Consolidated GDA PCSR 2011 Sub-chapters 3.4 and 5.2. The case for break-preclusion
concept is discussed in more detail in Consolidated GDA PCSR 2011 Sub-chapter 13.2.
The cases are similar and predominantly based on the following lines of defence:
x
Preventative measures - based on good design, materials selection (e.g. defect
tolerance, fracture toughness), manufacture and pre-service inspection,
x
Consideration of all credible operating regimes (normal, fault, accident and severe
accidents/DECs) and all credible degradation mechanisms,
x
Operation and maintenance of the component within its normal operating limits, i.e.
by installation of protective devices (e.g. relief valves) and in-service surveillance
informed by operating experience,
x
Managing severe accidents - by consideration of accidents that are not postulated
within the design basis, i.e. design extensions.
However, the cases differ slightly in the area of ‘leak-before-break’. For break-preclusion
components, due to the fact that failure could not lead directly to core damage, the
safety case provides leak detection and tolerance to large through-wall defects as a
means for limiting the consequences of failure. Conversely, for non-breakable
components, due to the fact that failure could lead directly to core damage, the safety
case is more heavily weighted towards defect tolerance of the component and In-Service
Inspection (ISI) to monitor degradation before a leak could occur.
Consolidated GDA PCSR 2011 Sub-chapter 5.2 also provides a comparison of the nonbreakable and break-preclusion concepts to UK design requirements for ‘Incredibility of
Failure’ (IoF) components, defined by the UK Technical Advisory Group on Structural
Integrity (TAGSI). Consolidated GDA PCSR 2011 Sub-chapter 5.2 demonstrates that
both the concepts of non-breakable and break-preclusion contain successive
independent lines of ‘defence in depth’, which are deemed to be equivalent to the
independent lines of the TAGSI approach for IoF components.
5.1.4.2 Design Code
In accordance with the requirements detailed in Consolidated GDA PCSR 2011 Subchapter 3.2, the RCPB is designated as Safety Class 1 HICs, with M1 mechanical
design requirements. As such, it is subject to the design requirements of the RCC-M
10
Only the main secondary line between the steam generators and the fixed points downstream of the main steam isolation valves
VIV [MSIV].
Page 70 of 230
Head Document
code for level 1 equipment (RCC-M1, see Consolidated GDA PCSR 2011 Sub-chapter
3.8).
While Consolidated GDA PCSR 2011 defines the RCC-M code edition 2007 to be used
for the mechanical equipment, for HPC the 2007 version with 2008, 2009 and 2010
addenda will be used. The differences between these two versions have been reviewed
and deemed to be insignificant and acceptable. For the long lead item (LLI) forgings,
which were procured prior to the production of the above review, RCC-M edition 2007
with 16 relevant modifications (via FDM) was used. (This is consistent with RCC-M 2007
plus addenda until 2010.) This approach was approved by the Design Assurance
Coordination Committee (DACC) [Ref. 5.3]. An RCC-M adaptation document is provided
in [Ref. 5.4].
5.1.4.3 Material Properties and Quality of Manufacture
The materials selected for the main components of safety classified mechanical
equipment are generally those already in use for similar components on operational
nuclear power plants, for which there is satisfactory operational feedback. However
other materials may be used provided appropriate justification is available. In particular,
for steam generators (and potentially the pressuriser), 20MND5 steel grade will be used,
albeit with a limit applied to the composition (in particular the nickel content), as
described in the GDA Step 4 Report on Structural Integrity [Ref. 5.5].
The mechanical properties are defined in accordance with Volume I Appendix ZI and
Appendix ZIII of the RCC-M code, and consistently with the provisions of Volume II. The
specifications applicable to materials used for parts subject to pressure from RCC-M
Class 1 reactor coolant system equipment (see Sub-chapter 3.8) are listed in Chapter B
2000 of the RCC-M for existing materials, or in the equipment specifications for new
materials.
To ensure the manufacturing quality of the HIC components and forgings, the RCC-M
M140 process will be used. The M140 process and its clauses include demonstrating
that the manufacturer of the components has a proven record of producing material that
meets the requirements of the RCC-M code. Reference 3 provides an assessment of the
M140 process and confirms that it is fit-for-purpose to support the safety justification of
the components designed to RCC-M.
In the procurement arrangements for these components, NNB GenCo has incorporated
the requirements of three GDA Assessment Findings that relate to competency of the
steelmaker, limits in composition of the main vessel forgings and nickel content of
20MND5 (AF-UKEPR-SI-23, 24 and 27).
5.1.4.4 Pre-Service and In-Service Inspection
All safety class 1 mechanical components of the RCPB will be designed, manufactured
and assembled to permit all welds and areas to be inspected as far as reasonably
practicable. To ensure the manufacturing quality of forged HIC components, qualified
Non-Destructive Testing (NDT) of the HICs during manufacture and following assembly
must show that no unacceptable defects are present. The ISI programme will be based
on the results of mechanical analysis (fatigue, fast fracture, etc.) and on operating
experience in specific areas. The procurement and code strategy for Pre-Service
Inspection (PSI) is yet to be decided for HPC.
In addition to NDT, hydrostatic pressure tests will be carried out (both during the
construction/commissioning phases of HPC).
Page 71 of 230
Head Document
5.1.4.5 Qualification Body
NNB GenCo Design Authority is taking the lead in developing the inspection qualification
requirements, for example appointing an independent third-party qualification body. It
has also set up an NNB GenCo/Architect Engineer Inspection Qualification Working
Group, which also includes input where required from AREVA and the qualification body.
Formal decisions for the strategy of the inspection qualification requirements are made
at the NNB GenCo/Architect Engineer Monitoring and Decision Making (MODEM)
meetings. Future safety submissions will identify inspection qualification requirements.
5.1.5 Primary Circuit Chemistry
During normal operation the additives in the primary coolant are:
x
Enriched boric acid for reactivity control,
x
Lithium hydroxide for pH regulation,
x
Hydrogen to maintain reducing conditions and to suppress radiolysis of the water,
x
Depleted zinc acetate to reduce general corrosion and to limit the cobalt and nickel
deposition on ex-core surfaces and fuel assemblies, to reduce corrosion product
transport and activation, thus minimising dose rates.
During shut down hydrazine is injected into the primary coolant before RIS/RRA
[SIS/RHRS] connection to prevent oxygen ingress. Then hydrogen peroxide is added to
dissolve corrosion products thereby aiding their removal by the demineralisers. During
start up hydrazine is added to remove oxygen (supporting the degassing performed by
the Coolant Degasification System (TEP4 [CDS])).
The enriched boric acid is added from the Reactor Boron and Water Make-Up System
(REA [RBWMS]) and is recycled via the Coolant Treatment System TEP3/5/6 [CTS].
Injection of lithium hydroxide, hydrogen, zinc acetate, hydrazine and hydrogen peroxide
is provided by the RCV [CVCS]. The Gaseous Waste Processing System TEG [GWTS]
provides nitrogen sweeping within all tanks that have a gas space with a risk of
hydrogen gas concentration exceeding 4%. This aids control of gaseous wastes and
minimises explosion risk. See Section 9 for more information on the REA [RBWMS] and
RCV [CVCS], and Section 11 for the TEG [GWTS].
The use of enriched boric acid instead of natural boric acid has several safety benefits. It
enables reduced concentration of the boric acid, so the volume of storage tanks is
minimised; it enables reduced base concentration (since lithium hydroxide can be
corrosive to fuel cladding at high concentrations); it enables operation at a constant pH
throughout the cycle; and it reduces the risk of boric acid precipitation. The lithium
hydroxide contains isotopically pure 7Li to minimise production of tritium. The choice of
materials for primary systems is a key parameter ensuring the safe operation of the unit.
Taking into account this choice, the chemistry is optimised to ensure the integrity of
materials and to reduce radiation fields.
Radiochemistry control through the primary circuit chemistry is also described in this
sub-chapter. The management of fission product radionuclides (iodine) and actinides is
necessary in order to limit the associated nuclear safety, environmental and
radiobiological hazards.
Tritium and Carbon-14 source terms have been minimised as far as reasonable
practicable, and their primary coolant concentrations are managed accordingly.
Page 72 of 230
Head Document
As described above, corrosion product activation and deposition can be reduced by the
addition of zinc acetate to the primary coolant, enabling the reduction of corrosion
product transport and activation, thus minimising ex-core dose rates to personnel.
Consolidated GDA PCSR 2011 Sub-chapter 5.5 Reactor Chemistry has been split into
two new sub-chapters for the production of the site-specific HPC PCSR2. All of the
secondary side chemistry information has been removed, and moved into the new HPC
PCSR2 Sub-chapter 10.7 Secondary System Chemistry. During this split of
Consolidated GDA PCSR 2011 Sub-chapter 5.5 no technical information or wording was
added, deleted or modified, except for the addition of two references post-dating the
GDA PCSR, the addition of a new introduction section and some minor wording changes
to enhance clarity.
HPC PCSR Sub-chapter 5.5 Section 2 describes the chemistry regime for the HPC
primary side water chemistry. It also explains how the chosen parameters support the
safety functions of the plant and equipment. Section 2 also provides the supporting
analyses. HPC PCSR Sub-chapter 5.5 Section 3 presents the preliminary values for
different chemical and radiochemical parameters in the primary circuit.
The main chemistry parameters are described and justified in Consolidated GDA PCSR
2011 Sub-chapter 5.5, including the design optimisation that provides the means to
achieve the objectives of nuclear safety, radiation protection, material and equipment
integrity, minimisation of environmental impact, hazard protection (explosion risk) and
operational performance.
5.2
and HPC PCSR Sub-chapter 5.5. Figure 6 illustrates the document structure for
Chapter 5.
With one exception, all of the Chapter 5 sub-chapters of Consolidated GDA PCSR 2011
are applicable to HPC.
The exception is with regards to Sub-chapter 5.5, as described in Section 5.1.5 above.
Chapter 5 of Consolidated GDA PCSR 2011 covers the RCP [RCS] and associated
systems to be installed at UK EPR units. The generic envelope of the design presented
in Consolidated GDA PCSR 2011 will be the same for the UK EPR units at HPC.
From the Out-of-scope items [Ref. 5.6], the following are relevant to the RCP [RCS]:
From the structural integrity item (number 12):
x
UK EPR project-specific detailed design documents for the main components
including requisitions, specifications, final stress and fast fracture specifications and
reports,
x
Detailed inspection (PSI and ISI) reports (accessibility to deploy potential inspection
techniques remains within GDA scope),
x
Detailed specification of fracture toughness tests for avoidance of fracture
demonstration,
Page 73 of 230
Head Document
x
Specific end of manufacturing NDT qualification processes for component zones
other than the prototype application for avoidance of fracture demonstration,
x
Quality Assurance arrangements for LLIs,
x
Irradiation damage surveillance programme details (principles and supporting
information on irradiation damage surveillance programme remain within GDA
scope).
From the Quality Assurance item (number 14):
x
Quality Assurance arrangements for manufacturing activities.
From the cross-cutting item (number 18):
x
Mid-loop operations (testing/maintenance on steam generators by operators) and
steam generator nozzle dams safety case.
All of the above are ongoing or future activities for NNB GenCo [Ref. 5.1].
5.3
Route Map
Chapter 5 of HPC PCSR2 is organised as follows:
x
Sub-chapter 5.0 Safety Requirements [Ref. 5.7] describes the safety requirements
and functional criteria used in the design of the reactor coolant system, together with
a brief outline of testing requirements.
x
Sub-chapter 5.1 Description of the Reactor Coolant System [Ref. 5.8] describes the
safety functional roles of the reactor coolant system, together with the design
assumptions, fluid characteristics and design description of the key components
(reactor vessel, pressuriser, reactor coolant pumps and steam generators). System
parameters are given for both normal operating conditions and standard shutdown
states. The main control functions are also outlined.
x
Sub-chapter 5.2 Integrity of the Reactor Coolant Pressure Boundary (RCPB)
[Ref. 5.9] describes how the integrity of the RCPB is ensured. The applicable design
rules and material specifications are summarised, and the main principles and
parameters governing the reactor coolant system water chemistry are given in
Section 2. A description of the requirements applied to HICs is given in Section 3.
Section 4 describes the design criteria for the overpressure protection system. An
outline of the ISI requirements is presented in Section 5.
x
Sub-chapter 5.3 Reactor Vessel [Ref. 5.10] describes the reactor pressure vessel,
including the design operating conditions, design requirements, materials used and
applicable mechanical design rules. A preliminary safety evaluation is given,
including a description of the fracture mechanics analyses performed to assess the
margins to fast fracture. ISI requirements are given, together with manufacturing
requirements.
x
Sub-chapter 5.4 Components and Systems Sizing [Ref. 5.11] provides a description
of the main reactor coolant systems and components, including as appropriate: the
relevant operating conditions and interfaces; the design criteria to be applied;
materials and material properties; design details and calculations; safety evaluation
and assessment of mechanical integrity in accident conditions; manufacturing and
inspection details. The systems and components covered include: the reactor coolant
pumps, the steam generators; the reactor coolant pipework; the pressuriser and
pressuriser relief line; valves associated with the RCPB; pressuriser pressure safety
Page 74 of 230
Head Document
relief valves and severe accident depressurisation valves; the primary component
supports.
x
Sub-chapter 5.5 Reactor Chemistry [Ref. 5.12] provides a description of the primary
circuit chemistry only. The description of the secondary circuit chemistry is now
presented in Sub-chapter 10.7. Further information can be found in the new Subchapter 6.0 Containment and Safeguards Systems and the new Sub-Chapter 9.6
Auxiliary Chemistry Control.
In addition to the information presented in Consolidated GDA PCSR 2011 Chapter 5, the
CRDM and reactor internals are described in Consolidated GDA PCSR 2011 Chapter 4.
5.4
Conclusions
The safety justification of the RCPB components is based on a multi-leg approach.
These include the highest integrity design and materials, selection of a highly competent
manufacturer, high quality inspection processes and competent qualification body.
Additionally the chemistry is optimised to ensure the safety conditions and the integrity of
materials, and to reduce radiation fields and environmental discharges.
Although some work remains to be completed, in particular relating to consideration of
design for operability and maintainability and to the inspection processes, it is
considered that this work will not significantly impact the design phase of the RCPB.
The design for the reactor coolant and associated systems is sufficiently well developed
to support moving into the construction phase, and the design basis described in HPC
PCSR2 provides an adequate baseline safety justification to support this.
5.5
Ref
References
Title
Location
Document No.
5.1
Nov 2012
EDRMS
5.2
(EDF) UK Technical Configuration (of the NSSS)
-
Contract PE1401-003,
Piece A3
5.3
Notes from DACC held in June 2011
EDRMS
NNB-OSL-NOT-000172
5.4
RCC-M Adaptation Document For The
Procurement of Long Lead Forgings, Issue 2, May
2012
EDRMS
NNB-OSL-SPE-000011
http://www.hse.gov.uk/ne
wreactors/reports/stepfour/technicalassessment/ukepr-si-onrgda-ar-11-027-r-rev-0.pdf
ONR-GDA-AR-11-027
5.5
GDA Step 4 Report Structural Integrity
5.6
Letter from ONR to NNB
for GDA, Dated 15th April 2011
EDRMS
ND(NII) EPR00836N
5.75.11
Consolidated GDA PCSR Sub-chapters 5.0-5.4,
Issue 03, 2011, EDF/AREVA.
EDRMS
UKEPR0002-050-I03
UKEPR0002-051-I03
UKEPR0002-052-I03
UKEPR0002-053-I03
UKEPR0002-054-I03
5.12
HPC PCSR Sub-chapter 5.5 - Reactor Chemistry,
Issue 2, May 2012
EDRMS
Page 75 of 230
Head Document
6
CONTAINMENT AND SAFEGUARD SYSTEMS
6.1
Summary
This section of the HPC PCSR2 Head Document summarises the safety functional roles,
components and chemistry of the Containment & Safeguard Systems, as described in
Chapter 6 of HPC PCSR2.
The primary safety function of the containment systems is to ensure that in the unlikely
event of release of radioactive material into the Reactor Building there is no subsequent
release to the environment.
The various safeguard systems are in place to ensure that any abnormal conditions will
be rectified and control maintained over the primary and secondary circuits.
The design is sufficiently well developed and stable, and the design basis described in
HPC PCSR2 gives an adequate baseline safety justification for the containment and
safeguard systems to support moving into the construction phase.
As detailed in Sub-chapter 6.2, the containment systems support the containment of
radioactive material MSF of the UK EPR.
As detailed in Sub-chapter 6.3 and Sub-chapter 6.6 respectively, the Safety Injection
System (RIS [SIS]) and the Emergency Feedwater System (ASG [EFWS]) support the
following MSFs of the UK EPR:
x
Fuel heat removal,
x
x
As detailed in Sub-chapter 6.7, the RBS [EBS] supports the following MSFs of the UK
EPR:
x
x
As detailed in Sub-chapter 6.8, the Main Steam Relief Train (VDA [MSRT]) system
supports the following MSFs of the UK EPR:
x
Fuel heat removal,
x
The functional roles that are performed by each of these systems in supporting the
MSFs are described under the system summaries below.
6.1.2 Containment Systems
The containment function is provided by:
x
The Reactor Building,
x
The static containment including all the design features that improve the leak
tightness of the buildings,
Page 76 of 230
Head Document
x
The dynamic containment systems, such as the ventilation and filtering systems that
are housed in the peripheral buildings around the Reactor Building and control any
small amount of leakage that may come from the Reactor Building itself (under feed
and bleed conditions).
The Reactor Building consists of:
x
A cylindrical, reinforced concrete, outer shield building,
x
A cylindrical, pre-stressed concrete, inner containment building with a steel liner, and
x
An annular space between the two buildings.
The shield building protects the containment building from external hazards.
Other safety classified systems perform containment functions outside the scope of the
systems addressed within Chapter 6; these are explicitly identified and described in
more detail within Chapters 4-11.
6.1.3 Safeguard Systems
The safeguard systems covered in Chapter 6 of HPC PCSR2 are the:
x
RIS [SIS],
x
ASG [EFWS],
x
RBS [EBS],
x
VDA [MSRT] system.
The RIS [SIS] can operate as an injection system maintaining the coolant inventory of
the RCP [RCS], and controlling core reactivity in the case of abnormal plant conditions
using borated water from the In-Reactor Water Storage Tanks (IRWST) and the
associated sump filters. It can also work in a residual heat removal mode (RIS/RRA)
[SIS/RHRS] for certain fault conditions and for residual heat removal when the reactor is
in a shutdown state.
The ASG [EFWS] supports all three MSFs. Firstly, it aids control of fuel reactivity by
allowing a steam generator to be isolated in the unlikely case of a Main Steam Line
Break (MSLB). Secondly, it enables fuel heat to be removed in transient or accident
conditions to the point that allows the RIS/RRA [SIS/RHRS] to be connected, and it
provides sufficient cooling capacity to maintain the primary cooling system at hot
shutdown conditions for 24 hours in the event of station blackout/loss of UHS. Thirdly,
the ASG [EFWS] supports containment of radioactive material by enabling a steam
generator to be isolated in the event of a tube leak, and in the case of a feedwater or
MSLB the affected steam generator can be isolated to prevent overpressurisation of the
containment.
The principal safety function of the RBS [EBS] is to compensate for any increase in
reactivity during a state change brought about by transient or accident conditions, and to
bring the reactor to a controlled state. The RBS [EBS] also has a role in providing the
means to perform hydrostatic proof testing of the primary circuit.
The VDA [MSRT] provides a means of dumping steam from the steam generators to
atmosphere when the turbine main condenser is unavailable. This allows the circuit to
achieve conditions that allow the RIS/RRA [SIS/RHRS] to be connected and residual
heat to be removed from the core. This may be necessary under various plant transient
and accident conditions. In allowing steam dumping the VDA [MSRT] also protects the
steam generators against overpressurisation.
Page 77 of 230
Head Document
In addition Chapter 6 of HPC PCSR2 covers habitability of the control room, ISI and
chemistry and radiochemistry control.
6.1.4 Integrity of the Containment Systems
It is the design basis of the EPR that the Reactor Building should be resistant to all
internally generated forces under abnormal conditions and be capable of containing the
potentially radioactive inventory under all design conditions.
The components of the Reactor Building are constructed to a high standard, are subject
to rigorous pre-operational inspections and are protected against time-dependent
degradation processes. In addition there are systems installed to assess containment
performance (EPP - Leak Rate Control and Testing) and associated systems to collect
and filter any leaks from the inner containment (Annulus Ventilation System EDE [AVS]).
Heat can be removed from the containment by the EVU [CHRS] in a fault scenario and
in some accident conditions. Under normal operation and other conditions heat is
removed by the installed ventilation system (EBA [CSVS]).
In the case of severe accident, provision is made to retain the molten core in a pit under
the pressure vessel ensuring a good spreading into the core catcher (located just over
the basemat). Cooling is provided passively by the EVU [CHRS] using IRWST water.
Active cooling is also possible to reduce steam production inside the containment. The
addition of sodium hydroxide creates sufficiently alkaline conditions to avoid molecular
iodine volatilisation. The size of the pit and the selection of materials ensure the good
spreading and cooling of the molten core, which in turn ensures that escape of
radioactive material through the basemat is not possible.
Finally, provision is made to eliminate combustible gases in the containment by passive
chemical recombination of hydrogen through the Combustible Gas Control System
(ETY [CGCS]). Passive autocatalytic recombiners (PARs) are distributed throughout the
containment, mainly in equipment rooms where higher concentrations are expected;
PARs passively operate once the hydrogen concentration reaches a threshold value.
The containment isolation system relies on valves and penetration designs that minimise
the amount of leakage from the various penetrations. These include penetrations into
and out of the containment for pipes containing fluids, and for electrical and ventilation
services. In addition there are specific penetrations such as the equipment hatch, the
personnel airlocks and the fuel transfer tube that are subject to specific design
constraints to minimise and control the escape of potentially radioactive material from
the containment, and to assure that it is collected and filtered and, in some cases,
recycled. In a fault sequence scenario it is the function of the isolation system to close at
the beginning of a fault, to remain closed during the post-fault period and to remain
operable following the accident if required.
6.1.4.1 Design Code
In accordance with the requirements detailed in Sub-chapter 3.2, the equipment of the
containment and safeguard systems are designated as an appropriate class associated
with their nuclear safety function, and in some cases their potential to cause damage to
other higher classified SSCs. As such, each component is subject to the requirements of
the appropriate mechanical design code for classified equipment.
While Consolidated GDA PCSR 2011 defines use of the RCC-M code edition 2007 for
the mechanical equipment, for HPC PCSR2 the 2007 edition with 2008, 2009 and 2010
addenda will be used. (See Chapter 3 for further details on the use of codes and
standards during the design and construction of the units.) These codes will be used
Page 78 of 230
Head Document
during the detailed design and construction process, and thus the design will be
compliant with the codes.
The materials selected for the components of safety classified mechanical equipment
are generally those already in use for similar components on operational nuclear power
plants, for which there is satisfactory operational feedback. However, other materials
may be used provided that adequate justification is made within the appropriate safety
case documentation.
Appendix ZIII of the RCC-M code and consistently with the provisions of Volume II.
The quality of manufacture is ensured through the General Quality Assurance
Specifications (GQAS) [Ref. 6.1].
6.1.4.3 In-Service Inspection (ISI)
Components will be designed and manufactured to allow all areas subject to significant
stresses and possible in-service degradation mechanisms to be readily inspected. For
areas where radioactivity is a consideration, design, construction and installation
provisions will ensure that the collective dose impact of ISIs is minimised as far as
The ISI programme will be based on the results of mechanical analysis (fatigue, fast
fracture, etc.) and on operating experience in specific areas. The exact details and
frequency of the ISI programme will form part of the maintenance and inspection
schedule.
6.1.5 Habitability of the Control Room
Equipment, supplies and procedures will be provided to enable the operators to remain
in the MCR and take actions required to operate the plant safely in normal conditions,
and to maintain it in a safe condition following all types of events that might result in a
release of radioactive material to the environment. The habitability systems are designed
to:
x
Withstand external hazards,
x
Meet operator personal needs (kitchen including water and food storage, medical
facilities, washroom facilities),
x
Provide adequate protection against radiation to allow access to, and occupation of,
the MCR during accidents,
x
Provide protection against toxic or harmful gases,
x
Provide appropriate protection against the effects of fires,
x
Protect the emergency control and I&C equipment (i.e. systems and equipment that
are important for safety and are required to perform necessary safety functions
during accidents and emergencies).
6.1.6 Chemistry and Radiochemistry
Additional to the GDA, Sub-chapter 6.9 has been included in HPC PCSR2 to better
specify the chemistry and radiochemistry control of the safeguard systems. This chapter
discusses:
Page 79 of 230
Head Document
6.2
x
Reactivity control through the boron regime in RBS [EBS], RIS [SIS] accumulators
and IRWST,
x
Iodine mitigation under accident situations through sodium hydroxide injection to the
EVU [CHRS] and EDE [AVS] filters,
x
Xenon and iodine mitigation under normal operating conditions through the RIS/RRA
[SIS/RHRS] during shutdowns,
x
Hydrogen management under severe accident situations ensured by the components
of the ETY [CGCS],
x
Heat removal carried out by ASG [EFWS] and VDA [MSRT] under accident
conditions,
x
Radiological monitoring in safeguard systems by the use of the Plant Radiation
Monitoring System (KRT [PRMS]) channels.
and appendix and HPC Sub-chapter 6.9. Figure 7 illustrates the document structure for
Chapter 6.
The information presented in Chapter 6 of Consolidated GDA PCSR 2011
[Refs. 6.2 to 6.10] is applicable to HPC in the case of Sub-chapters 6.1, 6.2, 6.3 and 6.4.
In the case of Sub-chapters 6.5 through to 6.9 and including technical Appendix 6A,
several issues are identified and Forward Work Activities to address these are
summarised in the HPC PCSR2 Forward Work Activities report [Ref. 6.11]. Sub-chapter
6.9 is new for HPC PCSR2 - there is no equivalent sub-chapter within Chapter 6 of
Consolidated GDA PCSR 2011. The information of Sub-chapter 6.9 is drawn from Subchapters 5.5 and 18.2 of Consolidated GDA PCSR 2011.
Chapter 6 of Consolidated GDA PCSR 2011 covers the containment and associated
systems of the UK EPR. Apart from a small number of design developments and
modifications in the detailed design proposed by AREVA, the generic envelope of the
design presented in Consolidated GDA PCSR 2011 will be fully applicable to the UK
EPR units at HPC.
From the GDA Out-of scope Items [Ref. 6.12], the following are relevant to safeguard
systems:
x
MCR detail design & layout,
x
Detailed inspection (PSI and ISI) reports (accessibility to deploy potential inspection
techniques remains within GDA scope).
The HPC PCSR2 Forward Work Activities report [Ref. 6.11] gives details of how these
design developments and out-of-scope items will be addressed.
6.3
Route Map
Page 80 of 230
Head Document
6.4
x
Sub-chapter 6.1 Materials [Ref. 6.2] deals with the materials used in the construction
of the containment and safeguard systems.
x
Sub-chapter 6.2 Containment Systems [Ref. 6.3] describes the containment systems
and the associated safety analyses under normal operating and abnormal conditions.
x
Sub-chapter 6.3 Safety Injection System [Ref. 6.4] describes the RIS [SIS] system in
the two modes of reactivity control – primary circuit coolant inventory and residual
heat removal.
x
Sub-chapter 6.4 Habitability of the Control Room [Ref. 6.5] describes the design
measures taken to ensure that the MCR can be safely manned during any event that
might result in a radioactive release to the environment.
x
Sub-chapter 6.5 In-Service Inspection Principles (Excluding Main Primary and
Secondary Systems) [Ref. 6.6] sets out the principles that govern the selection of
areas and the frequency of ISI of parts of the safety-related plant (excluding the
primary and secondary circuits). In particular it itemises design features that are
incorporated to facilitate such inspections. The design considerations that would
indicate areas of vulnerability to in-service degradation mechanisms such as fatigue,
stress corrosion, corrosion, fast fracture and radiation damage are considered, and
appropriately conservative inspection criteria will be developed to ensure any defect
is identified well before it poses an operational or safety threat to the system.
x
Sub-chapter 6.6 Emergency Feedwater System [Ref. 6.7] deals with the ASG
[EFWS] system, which provides three safety functions: fuel reactivity control; fuel
heat removal up to the point of RIS/RRA [SIS/RHRS] connection; and a containment
function enabling steam generator shutdown.
x
Sub-chapter 6.7 Extra Boration System [Ref. 6.8] describes the RBS [EBS] system
for injecting boron into the primary circuit to maintain reactivity control.
x
Sub-chapter 6.8 Main Steam Relief Train System [Ref. 6.9] describes the VDA
[MSRT] system.
x
Sub-chapter 6.9 Containment and Safeguard Systems Chemistry Control [Ref. 6.13]
describes the chemistry and radiochemistry control associated with the containment
and safeguard systems. In particular the preliminary specifications for principal
reagents such as boric acid, sodium hydroxide and hydrazine are given.
Furthermore, this chapter describes the management of impurities such as halides,
sulphates etc., and the mitigation of process products such as iodine, xenon and
hydrogen. Further chemistry information can be found in Sub-chapter 5.5 Reactor
Chemistry, Sub-chapter 10.7 Secondary System Chemistry and the new Sub-chapter
9.6 Auxiliary Chemistry Control.
x
Appendix 6A MER Calculations – BDR Results [Ref. 6.10] contains the mass-energy
release calculations for the containment. These consider the temperature and peak
pressure under design basis incidents and accidents leading to a release of steam
into the containment.
Conclusions
The primary safety function of the containment systems is to ensure that in the unlikely
event of release of radioactive material into the Reactor Building there is no subsequent
release to the environment. This chapter demonstrates that the design codes, the
materials of manufacture, the operational chemistry control and the relevant ISI will
Page 81 of 230
Head Document
ensure that the containment systems meet the safety case under normal operating and
abnormal conditions.
The various safeguard systems identified within this chapter are designed and operated
to ensure that any abnormal conditions will be rectified and that control will be
maintained over the primary and secondary circuits. The safeguard systems contribute
to fulfilling the three MSFs of fuel heat removal, containment of radioactive material and
control of fuel reactivity. This chapter demonstrates that the design codes, the materials
of manufacture, the operational chemistry control and the relevant inspections will
ensure that the various safeguard systems meet the safety case under normal operating
and abnormal conditions.
This chapter also describes the design measures taken to ensure that the MCR can be
safely manned during any event that might result in a radioactive release to the
environment.
The design for the containment and safeguard systems is sufficiently well developed to
support moving into the construction phase, and the design basis described in HPC
6.5
Ref
6.1
References
Title
General Quality Assurance Specifications
Location
Document No.
EDRMS
ECUK100053
6.26.10
Consolidated GDA PCSR – Sub-chapters 6.1 to
6.8 and Appendix 6A. Issue 04, Issue 03 and
Issue 02 as marked, March 2011
EDRMS
UKEPR-0002-061-I04
UKEPR-0002-062-I03
UKEPR-0002-063-I03
UKEPR-0002-064-I03
UKEPR-0002-065-I02
UKEPR-0002-066-I03
UKEPR-0002-067-I03
UKEPR-0002-068-I03
UKEPR-0002-069-I02
6.11
Nov 2012
EDRMS
6.12
EPR for GDA, Dated 15th April 2011
EDRMS
ND(NII) EPR00836N
6.13
HPC PCSR Sub-chapter 6.9 - Containment and
Safeguard Systems Chemistry Control, Issue 1,
July 2012
EDRMS
Page 82 of 230
Head Document
7
INSTRUMENTATION AND CONTROL
7.1
Summary
Monitoring and control of each UK EPR unit at HPC is carried out by I&C equipment,
which consists of several I&C systems. The overall design of the I&C architecture and its
associated equipment must comply with process control, nuclear safety and operational
requirements.
The UK EPR I&C architecture is designed in accordance with the ‘defence in depth’
concept, and the different parts of the I&C architecture are classified and qualified
according to their importance to safety and their conditions of operation.
The UK EPR safety analysis depends on the performance of various automatic and
operator initiated actions. The I&C described in Chapter 7 adequately supports all such
actions. Chapter 7 forms the starting point for the I&C part of the whole plant safety case
and justifies the capabilities of the I&C architecture, systems and equipment that are
necessary to achieve the safety role of the I&C.
The functional architecture of the I&C systems in each UK EPR unit is structured in
different levels, as described in Chapter 7, and is summarised below together with an
overview of how the I&C systems are to be substantiated.
The I&C systems support all three MSFs of the UK EPR (i.e. fuel heat removal, control
of fuel reactivity and containment of radioactive material) to meet the following functional
criteria:
x
All the means necessary to control and monitor the plant in normal operation (within
specified operating limits and conditions) must be available to operators in the MCR,
x
The operators must have at their disposal in the MCR all the operating facilities
required to carry out all actions claimed in the safety case,
x
The I&C system must guarantee the execution of automatic actions identified in the
safety case, with a reliability commensurate with the frequency of the incident or
event and within the required time period identified for that function,
x
If the MCR is unavailable (due to a fire for example), the operators must be able to
shut down the reactor as they leave the room, and then be able to carry out
monitoring and control of the plant from a Remote Shutdown Station (RSS) to allow a
safe shutdown state to be reached and maintained.
Further details on the safety classification and functionality of the I&C systems is
provided below.
7.1.2 Level 0: Process Interfaces
Instrumentation – Instrumentation (including sensors) are directly involved with the
MSFs and also with the measurement of the parameters required for process control. In
addition, instrumentation is used to inform operators about the status of the plant. The
instrumentation classification is dependent on the highest categorisation of the function
for which the instrumentation is used. In summary, the instrumentation used by the I&C
systems includes:
x
Conventional process instrumentation,
Page 83 of 230
Head Document
x
Accident and severe accident instrumentation,
x
In-core instrumentation,
x
Ex-core instrumentation,
x
Rod position measurement,
x
Reactor pressure vessel water level measurement,
x
Loose parts and vibration monitoring,
x
Radiation monitoring,
x
Boron instrumentation.
Process Instrumentation Pre-processing System (PIPS) – The PIPS provides signal
processing for the TELEPERM XS platform based systems and is used for the analogue
and binary signals delivered by sensors that do not require specialised conditioning. It
also provides signals to some non-TELEPERM XS platform based systems. PIPS
provides isolation between the downstream systems for sensors shared by TELEPERM
XS and non-TELEPERM XS systems. The downstream systems that interface with the
PIPS are the Protection System ([RPR [PS]), Severe Accident Instrumentation and
Control (SA I&C), Reactor Control Surveillance and Limitation (RCSL), Process
Automation System (PAS), Safety Automation System (SAS) and Non-Computerised
Safety System (NCSS).
The PIPS is a Class 1 system, as it is subject to the requirements applicable to the
highest categorised function with which the sensors are associated (Category A), and is
implemented using TELEPERM XS technology. The PIPS equipment is distributed
across four divisions and is located in the Safeguard Buildings. In each division the PIPS
equipment not associated with the SA I&C is powered by redundant Uninterruptible
Power Supplies (UPSs), backed by the EDG. The PIPS equipment associated with the
SA I&C (located in division 1 and division 4 only) is powered by redundant UPSs backed
by the EDG and the UDG. One of the redundant UPSs to the SA I&C associated PIPS
equipment has a 12-hour battery.
Priority and Actuation Control System (PACS) – The role of the PACS is to manage
the control priority for actuators (by selecting the highest priority command), controlling
the switching device, monitoring the actuator movement and providing essential
protection of the electrical components. The PACS for a particular actuator must support
the classification and other requirements of the actuator.
PACS functionality is implemented in either the PAS/SAS automation systems or in the
electrical switchgear.
7.1.3 Level 1: Automation Systems
Protection System (RPR [PS]) – The role of the RPR [PS] is to implement the
automatic and manual protection functions, including support system functions, which
are Category A. These functions are required for the unit to reach the controlled state as
a consequence of a Postulated Initiating Event (PIE) PCC-2 to PCC-4. It also
implements some Category B functions needed after achievement of the controlled state
to reach the safe shutdown state, and to maintain it there, after any internal PCC-2 to
PCC-4 event. In addition, some RRC-A functions are also implemented in the RPR [PS],
as are a number of Category C and NC functions.
The RPR [PS] is a Class 1 system and is implemented on the TELEPERM XS digital
I&C platform with an architecture based on four-fold redundancy. RPR [PS] equipment is
Page 84 of 230
Head Document
distributed across four divisions and is located in the Safeguard Buildings. In each
division the RPR [PS] equipment is powered by redundant UPSs, backed by the EDG.
Safety Automation System (SAS) – The main role of the SAS is to implement the
Category B automatic and manual protection functions necessary to bring the plant from
the controlled state to the safe shutdown state following a PIE PCC-2 to PCC-4. The
SAS also implements functions relating to Class 2 support systems that do not change
their status during an event, and also provides a diverse digital line of protection from the
main line of protection (RPR [PS]) necessary to prevent significant radiological releases.
In addition the SAS implements a number of Category C and NC functions.
The SAS is a Class 2 system and is implemented using the SPPA-T2000 digital I&C
platform. SAS equipment is distributed across four divisions and is located within the
safeguards and diesel buildings. The detailed architecture of the SAS is dependent on
the mechanical equipment it controls. In each division the SAS equipment is powered by
redundant UPSs, backed by the EDG.
Reactor Control, Surveillance and Limitation (RCSL) - The RCSL processes
functions such as the core control functions (average temperature, axial offset, etc.), the
automatic limiting conditions of operation functions and limitation functions for core
parameters (these functions act to avoid initiating the protection functions and restore
the normal operation of the reactor). The task performed by the RCSL is only required in
normal operation of the plant (PCC-1).
The RCSL is a Class 2 system, due to its management of functions categorised up to
Category B, and is implemented on the TELEPERM XS digital I&C platform. RCSL
equipment is located in the Safeguard Buildings. RCSL data collection equipment is
located in all four divisions and RCSL processing and drive equipment is located in
divisions 1 and 4. In each division the RCSL equipment is powered by redundant UPSs,
backed by the EDG.
Non-Computerised Safety System (NCSS) - The NCSS is a backup system that
provides automatic and manual protection functions ensuring that the overall I&C
systems reliability figures are such that the design complies with Targets 8 and 9 of
ONR’s SAPs. The technology used for the NCSS platform must be diverse from the
TELEPERM XS platform and the SPPA-T2000 platform to avoid a Common Cause
Failure (CCF) and therefore is based on a non-computerised technology.
The NCSS provides the functions necessary to reach and maintain a stable state until
the computerised I&C systems are restored. The NCSS is a Class 2 system in order to
meet the required overall reliability figures for the I&C safety systems. NCSS equipment
is distributed across four divisions and is located within the Safeguard Buildings. In each
division the NCSS equipment is powered by redundant UPSs, backed by the EDG.
Process Automation System (PAS) – The main role of the PAS is the monitoring,
automatic control and manual control of the plant in all normal operating conditions. The
PAS also performs monitoring and control functions related to risk reduction. The PAS
provides Category C and NC non-seismically qualified functions of the nuclear island
and the conventional island (except those functions associated with specific I&C
systems outside the scope of Chapter 7, e.g. turbine/alternator I&C). Functions are
allocated across the PAS architecture corresponding to the redundancy and
independence requirements of the mechanical equipment associated with the functions.
The PAS is a Class 3 system, as it provides the functions categorised up to Category C,
and is implemented using the SPPA-T2000 digital I&C platform. PAS equipment is
distributed across four divisions in the Safeguard Buildings, two sections in the
conventional island and in other buildings. PAS equipment is powered from the same
Page 85 of 230
Head Document
division or section that is supplying the process being controlled by the PAS. In some
cases PAS equipment is powered by redundant UPSs, backed by the EDGs.
RRC-B Safety Automation System (RRC-B SAS) – The RRC-B SAS provides the
Category C severe accident seismically qualified functions, with the exception of severe
accident functions dedicated to total loss of power that are allocated to the SA I&C.
The RRC-B SAS is a Class 3 system due to its management of functions categorised up
to Category C, and is implemented using the SPPA-T2000 digital I&C platform. The
RRC-B SAS equipment is located in divisions 1 and 4 of the Safeguard Buildings. In
each division the RRC-B SAS equipment is powered by redundant UPSs, backed by the
EDG and the UDG.
SA I&C System – The role of the SA I&C is to provide the necessary severe accident
functions (RRC-B functions) needed in the event of a total loss of power (i.e. LOOP plus
the loss of EDGs plus the loss of UDGs).
The SA I&C is a Class 3 system due to its management of functions categorised up to
Category C, and is implemented using the TELEPERM XS digital I&C platform. The SA
I&C equipment is located in divisions 1 and 4 of the Safeguard Buildings. In each
division the SA I&C is powered by redundant UPSs, backed by the EDG and the UDG.
To compensate for the total loss of power, one of the redundant UPSs to the SA I&C has
a 12-hour battery.
7.1.4 Level 2: Monitoring and Control of the Unit
Safety Information and Control System (MCS [SICS]) – MCS [SICS] provides a set of
mainly conventional controls and displays to the operators in the MCR that are
connected to the Level 1 Automation Systems. The MCS [SICS] is intended as a backup
interface for the operators in the event of Process Information and Control System
(MCP [PICS]) unavailability and therefore needs to be functionally independent of
MCP [PICS]. During normal operation (PCC-1) MCS [SICS] may be used to maintain the
plant in a steady operating condition for a limited time in the event of MCP [PICS]
unavailability. In all PCC-2 to PCC-4 PIEs, MCS [SICS] can be used to bring the plant to
and maintain the plant in a safe shutdown state in the event of MCP [PICS]
unavailability. When MCP [PICS] is available MCS [SICS] is in a passive state. Action by
the operator is required to enable MCS [SICS] controls in the event of an identified
unavailability of MCP [PICS].
The MCS [SICS] is a Class 1 interface due to its management of functions categorised
up to Category A. Each MCS [SICS] control and display is powered from its own division
by redundant UPSs, backed by the EDG.
Inter WorkStation Console (PIPO) – PIPO provides a small number of manual controls
(including reactor trip and turbine trip) that are used during situations requiring the
evacuation of the MCR to the RSS. PIPO is a Class 1 interface.
Protection System Operator Terminal (PSOT) – The PSOT is the dedicated
computer-based touch screen Human Machine Interface (HMI) associated with the
RPR [PS] and is based on the Qualified Display System (QDS) platform. The PSOT is
located adjacent to the MCP [PICS] workstations in the MCR and in the RSS. The PSOT
is a Class 1 interface.
Inter-panel Signalisation Panel (PSIS) – PSIS is a conventional display located
between the four Plant Overview Panels (POPs) in the MCR and provides Category B
indications on the status of the RPR [PS], the SAS/PAS and the MCP [PICS] life-sign (as
monitored by the SAS). The PSIS is a Class 2 interface.
Page 86 of 230
Head Document
Non-Computerised Safety System (NCSS) - Manual controls, permissive management
and displays associated with the Class 2 NCSS are located in the MCS [SICS] panel.
Severe Accident (SA) Panel – The SA Panel provides the manual controls for the
Severe Accident I&C System and is located in a dedicated area of the MCS [SICS]
panel. The controls on the SA Panel are not normally active, but are enabled when
required using dedicated controls on the panel. The SA Panel is a Class 3 interface.
Process Information and Control System (MCP [PICS]) - The MCP [PICS] is the
primary interface for the operators in the MCR and the RSS. The MCP [PICS] provides
the displays, operating guides and control facilities necessary to operate the plant in
normal operating conditions (PCC-1) and also in RRC-A and RRC-B situations. The
MCP [PICS] is also the preferred means of monitoring and control for PCC-2 to PCC-4
events. The MCP [PICS] includes the control and monitoring workstations and the four
POPs in the MCR, the control and monitoring workstations in the RSS and monitoring
workstations in the Technical Support Centre. It also provides other peripheral
equipment (e.g. printers) and interfaces to other non-real time Level 3 systems that are
outside the scope of Chapter 7.
In the event of MCP [PICS] unavailability, operators use the MCS [SICS] to monitor and
control the plant. MCP [PICS] therefore needs to be functionally independent of
MCS [SICS]. In the event of the MCR becoming untenable, the plant is controlled and
monitored by the operators from the RSS using MCP [PICS]. MCP [PICS] processing
equipment is therefore located remote from the MCR to avoid simultaneous loss.
The MCP [PICS] is a Class 3 system as it supports Category C and NC functions.
However due to the application of Category B requirements to the workstation
equipment and architecture of the MCR HMI, the MCP [PICS] HMI meets Class 2
requirements, including the Single Failure Criterion and emergency power supply.
MCP [PICS] is implemented using the OM690 digital Operating and Monitoring system,
which is part of the SPPA-T2000 digital I&C platform. The MCP [PICS] HMI is powered
from UPSs, backed by the EDGs.
7.1.5 Substantiation
Substantiation of the software and related hardware used by I&C systems will be
established via compliance with appropriate standards and practices throughout the
development lifecycle that is commensurate with the reliability required to meet the
associated safety classification. The quality of the development process and the quality
of the final I&C systems will be demonstrated via a process that involves both
‘production excellence’ activities and independent confidence building measures
(ICBMs).
7.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 7.1-7.7.
Figure 8 illustrates the document structure for Chapter 7.
All Chapter 7 sub-chapters of Consolidated GDA PCSR 2011 are applicable for HPC.
Chapter 7 of Consolidated GDA PCSR 2011 covers the main I&C systems to be
provided on both UK EPR units at HPC. It is anticipated that apart from a small number
Page 87 of 230
Head Document
of differences in the functional requirements (due to one unit incorporating some of the
site-based systems, e.g. ISFS), the main I&C systems will be the same on each UK EPR
unit.
The GDA Out-of-scope Items include:
1)
I&C Automation Systems:
a) Detailed design and verification and validation activities for the PACS and
NCSS,
b) Commissioning and site manuals providing the specification and the execution
of the site tests, encompassing the manual used for on-site maintenance and
testing for all I&C automation systems.
2)
Instrumentation:
a) Detailed design/manufacturing of process instrumentation and the rod position
measurement,
b) Qualification programme and results for in-core and ex-core instrumentation
and rod position measurement.
3)
I&C systems that were not included within the scope of the GDA:
a) Turbine I&C,
b) Fire detection and protection I&C,
c) Waste treatment building I&C,
d) Seismic monitoring system,
e) Fatigue, leakage, loose part or vibration monitoring,
f)
Radiation monitoring.
None of the above out-of-scope items will need to be addressed before the milestone
associated with nuclear island safety-related concrete. However, HPC PCSR3 will
provide an update on progress for these out-of-scope items.
7.3
Route Map
Chapter 7 describes the I&C architecture and the main features of I&C systems and is
organised as follows:
x
Sub-chapter 7.1 Design Principles of the Instrumentation and Control Systems
[Ref. 7.1] presents the design principles of the I&C systems.
x
Sub-chapter 7.2 General Architecture of the Instrumentation and Control Systems
[Ref. 7.2] describes the general architecture of the I&C and the qualification
principles for the various I&C components and systems.
x
Sub-chapter 7.3 Class 1 Instrumentation and Control Systems [Ref. 7.3] describes
the Class 1 parts of the I&C architecture (i.e. the RPR [PS] and MCS [SICS]).
x
the Class 2 parts of the I&C architecture (SAS, RCSL system and NCSS).
x
the Class 3 parts of the I&C architecture (RRC-B SAS, MCP [PICS], PAS and the SA
I&C System.
Page 88 of 230
Head Document
7.4
x
Sub-chapter 7.6 Instrumentation [Ref. 7.6] describes the instrumentation used. It
covers the following: conventional process instrumentation; accident and severe
accident instrumentation; process instrumentation pre-processing; in-core and excore instrumentation; rod position measurement; reactor pressure vessel water level
measurement; loose parts monitoring and vibration monitoring; radiation monitoring
and boron instrumentation.
x
Sub-chapter 7.7 I&C Tools, Development Process and Substantiation [Ref. 7.7]
provides information for the design and development of the two I&C platforms
(TELEPERM XS platform for the RPR [PS], RCSL and SA I&C and SPPA-T2000
platform for the MCP [PICS], PAS, SAS and RRC-B SAS). Additionally, it provides
information on the substantiation approach for software-based systems for both
platforms and any smart devices that are subsequently used.
x
Dedicated I&C will be referred to in system sub-chapters when available in future
PCSR versions.
Conclusions
The I&C systems have been designed in order to support the three MSFs of the UK EPR
unit. The three levels of I&C functions (process interfaces, automation systems
monitoring and control) ensure effective segregation between the safety functional
systems and the process control of the unit. The safety classified I&C systems have
been suitably identified, classified and designed in order to fulfil their safety functional
requirements.
The design for the I&C systems is sufficiently well developed to support moving into the
construction phase, and the design basis described in HPC PCSR2 provides an
adequate baseline safety justification to support this.
7.5
Ref
References
Title
Location
Document No.
7.1
Consolidated GDA PCSR 2011 – Sub-chapter 7.1
– Design principles of the Instrumentation and
Control systems, Issue 03 March 2011
EDRMS
UKEPR-0002-071-I03
7.2
– General architecture of the Instrumentation and
Control systems, Issue 03 March 2011
EDRMS
UKEPR-0002-072-I03
7.3
– Class 1 Instrumentation and Control systems,
Issue 03 March 2011
EDRMS
UKEPR-0002-073-I03
7.4
Issue 03 March 2011
EDRMS
UKEPR-0002-074-I03
7.5
Issue 00, March 2011
EDRMS
UKEPR-0002-711-I00
7.6
– Instrumentation, Issue 03 March 2011
EDRMS
UKEPR-0002-075-I03
7.7
– I&C Tools, Development Process and
Substantiation, Issue 03 March 2011
EDRMS
UKEPR-0002-076-I03
Page 89 of 230
Head Document
8
ELECTRICAL SUPPLY AND LAYOUT
8.1
Summary
Chapter 8 of HPC PCSR2 covers the electrical supply and layout to be installed at a UK
EPR unit and provides detailed information for this topic.
The electrical system of each unit at HPC is broadly divided into conventional island,
nuclear island and BOP electrical systems. There are a few common electrical systems
for the two units, such as the Operational Service Centre (OSC), radwaste buildings and
auxiliary boilers. These can be fed from either unit. However, all systems dedicated to
each unit are independent and do not have any interconnections between the two units:
x
The conventional island mainly comprises the turbine hall, power transmission
platform and the unclassified electrical building,
x
The nuclear island consists of all the SSCs supporting the reactor related systems,
x
The BOP mainly comprises the heat sink, galleries and marine works.
During normal operation the unit electrical system has the function of distributing
power to the plant auxiliary systems and of enabling power export from the main
generator to the National Grid electricity transmission network. This is achieved by one
main connection to the grid through a step-up transformer with two unit transformers
supplying the plant auxiliaries.
During emergency operation the system is required to supply power reliably to the
safety-related plant. To achieve the required reliability, the electrical system has been
segregated in four trains, known as ‘sections’ in the conventional island and ‘divisions’ in
the nuclear island. Each division is backed by an EDG to cope with a LOOP for a period
of 72 hours. Two of the divisions are also provided with UDGs to cope with a station
blackout (SBO) for a period of 24 hours. There is also an auxiliary connection to the grid
in case of loss of the main connection, avoiding operation of the diesel generators and
providing long-term power supply in case of long-term loss of the main connection.
There are also UPSs fed through continuously charged batteries in the plant for loads
that cannot tolerate any interruptions in the power supply.
The design of the electrical system is based on deterministic principles and probabilistic
safety assessment, and provides ‘defence in depth’. In the DBA this is achieved by a
preferred power supply that can be sourced from the main generator, the main grid
connection or the auxiliary grid connection. On a loss of the main grid connection,
turbine run through is attempted by reducing output to house load, and if that fails a
switch over to the auxiliary grid connection occurs. If this fails, the preferred power
supply is lost and the EDGs will be started in order to supply power to safety classified
loads. If all the EDGs fail to start, the DBA is exceeded and a DEC has been specified
as a RRC-A function that requires a manual start-up of an UDG. During this whole
sequence, the 2-hr UPS will supply electrical loads that cannot tolerate any interruptions
in the power supply. If the above fails, additional ‘defence in depth’ is provided by a
further DEC specified as a RRC-B function consisting of an independent 12-hr UPS
system that powers only loads intended to prevent a high-pressure core melt and ensure
the isolation of containment. There is a provision for emergency interconnection between
divisions in this operational mode.
The AC main power supply voltages for the plant are 10kV, 690V, 400V and 230V. The
DC voltage used for power supply is 220V.
Page 90 of 230
Head Document
Provision is made for maintenance by interconnection of electrical divisions and trains on
the plant, using mechanical interlocks to maintain independence.
Specific design principles used on the electrical system such as cable segregation,
separation of cableways, earthing and lightning protection system, and protection coordination ensure that power is continuously supplied to the plant. HPC PCSR2
discusses the integrity, reliability and robustness of the electrical system, which will be
further substantiated in a future safety submission.
As a support system the electrical system supplies power to safety equipment required
to fulfil the MSFs (i.e. control of fuel reactivity, fuel heat removal and containment of
radioactive material).
As described in Sub-chapter 8.3, the nuclear island's emergency power supply is
required to supply power to the loads that perform safety functions, within acceptable
static and dynamic voltage limits, in all operating modes and transient conditions, i.e:
8.2
x
Operation at power,
x
Power supply by the main generator (house load) after load reduction,
x
Power supply by the main network,
x
Power supply by the auxiliary network,
x
Power supply by on-site emergency power sources (EDGs - also referred to as main
diesel generators within the PCSR),
x
Power supply by on-site ultimate emergency power sources (UDGs - also referred to
as station black out diesel generators within the PCSR),
x
Power supply by severe accident dedicated batteries (after loss of all off-site and onsite sources),
x
During and after external hazards.
The detail of this topic is given in HPC PCSR2 Sub-chapters 8.1 and 8.2 and in
Consolidated GDA PCSR 2011 Sub-chapters 8.3-8.6. Figure 9 illustrates the document
Sub-chapter 8.6 of Consolidated GDA PCSR 2011 is applicable and therefore adopted
for HPC PCSR2. Minor inaccuracies have been identified in Consolidated GDA PCSR
2011 Sub-chapters 8.3, 8.4 and 8.5, which will be corrected for the Final GDA PCSR.
The information from Sub-chapters 8.1 and 8.2 of Consolidated GDA PCSR 2011 has
been updated with additional site-specific and UK-specific information for HPC PCSR2.
In Consolidated GDA PCSR 2011 Sub-chapter 8.3 (which has been adopted for HPC
PCSR2) a piece of information presented under Section 1 System Architecture is
inaccurate. A severe accident dedicated 12-hour battery is available in Divisions 1 and 4
and not all divisions as implied in Consolidated GDA PCSR 2011. The terminology ‘static
switch’ will be used in place of ‘static contactor’ throughout the document to ensure
consistency with other chapters. In addition, the source of the two redundant
uninterruptible supplies under Section 5 will be clarified at the Final GDA PCSR.
Page 91 of 230
Head Document
In Consolidated GDA PCSR 2011 Sub-chapters 8.4 and 8.5 (which have been adopted
for HPC PCSR2) information relating respectively to the earthing system and location of
batteries within the conventional island will be updated in the Final GDA PCSR. This
updated information will then be utilised within the production of HPC PCSR3.
The revised HPC PCSR2 Sub-chapter 8.1 supplies new information relating to the
preferred connection point of the auxiliary connection - direct connection - to the grid and
compliance with the grid code. The revised HPC PCSR2 Sub-chapter 8.2 has been
updated to include site-specific power requirements; specifically the Auxiliary boilers,
and their functional role.
Chapter 8 of Consolidated GDA PCSR 2011 presents the generic envelope and the
fundamental underlying principles of the electrical system design of the UK EPR.
Consolidated GDA PCSR 2011 does not provide substantiating analyses to support the
safety case. This will be provided in a future safety submission.
Consolidated GDA PCSR 2011 does not cover operation and maintenance practices.
NNB GenCo will develop operational documentation and maintenance schedules
covering process, procedures and practices based on the requirements of the equipment
manufacturer and the safety function fulfilled by the equipment. These will ensure that
the designed equipment safety requirements, reliability requirements and operating life
are met. These schedules will be summarised within future safety submissions, and will
be in place at the time of issuing the POSR.
The following list shows the GDA Out-of-scope Items in the electrical topic area
[Ref. 8.1]:
1)
Detailed design of the following items:
a) Electrical systems,
b) Verification of electrical transient analyses,
c) Verification of the electrical distribution robustness regarding fast transients:
Loss of one line of defence in case of external lightning impulse,
d) Verification of the electrical distribution robustness regarding fast transients:
Ferro resonance phenomenon in internal network.
2)
Implementation of the medium voltage and low voltage protections selectivity.
3)
Grid connections and coordination with the protection systems on the grid.
NNB GenCo has established a working group that is responsible for addressing these
items. Significant progress has been made with the site-specific items. Ongoing
engagement with the regulators will ensure these are adequately addressed in future
safety submissions within appropriate timescales. In addition there exist a number of
cross-cutting GDA Out-of-scope Items that indirectly relate to this topic area. NNB
GenCo will be developing arrangements to address these items within the respective
topic areas.
8.3
Route Map
Chapter 8 of HPC PCSR2 describes the electrical supply and layout of the UK EPR
electrical system including its safety functional requirements, main design features, key
safety features and main analyses substantiating safety. The chapter comprises six subchapters and is organised as follows:
Page 92 of 230
Head Document
x
Sub-chapter 8.1 External Power Supply [Ref. 8.2] describes the external power
supply for HPC, its functional role, design description and the different means of
connecting the plant to the grid. The main and auxiliary connections, their functional
roles, design basis and design description are further described, including the HPCspecific connection scheme design to the grid. A description of the unit step-down
transformer and auxiliary transformer transfer mode, its operating role and
operational requirements is presented that takes into account the plant transient as a
unit moves from power operation to shutdown. This sub-chapter also details the UK
grid code compliance process implemented with the National Grid.
x
Sub-chapter 8.2 Power Supply to the Conventional Island and Balance of Plant
[Ref. 8.3] describes the power supply to the conventional island and BOP, including a
brief definition of conventional island and BOP, and an overview of their electrical
distribution systems. The main elements of their distribution system and power
supply to the emergency boards within the nuclear island are also detailed. This subchapter also describes the functional requirements, design basis and design
description of emergency and non-emergency power supplies used within the
conventional island and BOP.
x
Sub-chapter 8.3 Nuclear Island Power Supply [Ref. 8.4] gives a description of the
nuclear island power supply, covering the safety functions and safety requirements of
the system. The scope includes the design requirements and specific requirements
arising from safety classification, Single Failure Criterion, emergency power supply,
qualification, periodic testing and hazards. It also presents the electrical system
architecture within the nuclear island and its interface with the conventional island,
including the simplified electrical single line diagram. A more detailed electrical single
line diagram for HPC is available [Ref. 8.5]. Information on the EDGs and UDGs,
including their safety requirements, design basis and operational requirements is
presented. Additional information on the system description of the diesel generators
can be found in Sub-chapter 9.5.2 of HPC PCSR2. Description of the emergency
power and the normal power distribution systems are presented, including their
operating role, design basis, system description and operational requirements.
Qualification of electrical equipment for normal and accident conditions is covered
within this sub-chapter. Additional information of qualification under accident
conditions can be found in Sub-chapter 3.6 of HPC PCSR2.
x
Sub-chapter 8.4 Specific Design Principles [Ref. 8.6] describes the specific design
principles including engineering safeguards required to ensure safety of personnel
and safe operation of the plant. In particular, it describes the general cabling design
principles and the requirements for separation between cableways. The
requirements for separation are based on the voltage level of the cable, safety
classification of the equipment supplied and independence of the electrical divisions.
This sub-chapter also presents the earthing and lightning protection systems, their
main functional role and safety requirements, and the different electrical protective
measures and devices used in the design of the electrical system.
x
Sub-chapter 8.5 Installation [Ref. 8.7] provides information on the main features of
the electrical installations in the nuclear island, conventional island and BOP. It
describes how installations are geographically separated thereby contributing to the
safety functions they perform and their availability requirements. It also provides
information on the location of safety-related electrical and control equipment within
the different divisions on the plant.
x
Sub-chapter 8.6 Prevention and Protection against Common Cause Failure [Ref. 8.8]
presents the preventive and protective measures against CCFs on the electrical
Page 93 of 230
Head Document
system. The scope of protection includes events arising from external and internal
hazards, transients on the electrical network, human factors and component failure
due to ageing or manufacturing faults. These include mitigation of risks of CCFs
during design, manufacture, operation and maintenance of electrical
equipment/systems.
This chapter also has an interface with the Sub-chapter 13.1 External Hazards
Protection.
8.4
Conclusions
The electrical system of each unit at HPC is designed to ensure that during normal
operation the unit electrical system has the function of distributing power to the plant
auxiliary systems and of enabling power export from the main generator to the National
Grid electricity transmission network. During emergency operation the system is
designed to ensure a reliable supply of electrical power to the safety equipment required
for control of fuel reactivity, fuel heat removal and containment of radioactive material.
The design of the electrical system is broadly divided into conventional island, nuclear
island and BOP systems. To ensure the integrity of the electrical supply, the system has
been segregated in four trains, known as ‘sections’ in the conventional island and
‘divisions’ in the nuclear island. Each division is backed by an EDG to cope with a LOOP
for a minimum of 72 hours. Two of the divisions are also provided with UDGs to cope
with a SBO for a minimum of 24 hours. There are also UPSs fed through continuously
charged batteries in the plant for loads that cannot tolerate any interruptions in the
power supply.
The analysis of the electrical systems provided within Chapter 8 has shown that there is
sufficient reliability, diversity of supply and ‘defence in depth’. This provides the
assurance that a suitable safety justification for the electrical systems has been provided
for this stage of the design process. The design for the electrical system is sufficiently
well developed to support moving into the construction phase, and the design basis
described in HPC PCSR2 provides an adequate baseline safety justification to support
this.
8.5
Ref
References
Title
Location
Document No.
8.1
Reference Design Configuration, UKEPR-I-002 Revision
11, September 2011, EDF/AREVA.
EDRMS
HPC-NNBOSL-U0-000INS-000001
8.2
HPC PCSR Sub-chapter 8.1 External Power Supply,
Issue 1.0, Feb 2012 NNB
EDRMS
8.3
HPC PCSR Sub-chapter 8.2 Power Supply to the
Conventional Island and Balance of Plant, Issue 1.0,
June 2012 NNB
EDRMS
8.4
Consolidated GDA PCSR Sub-chapter 8.3 - Nuclear
Island Power Supply, Issue 03, March 2011
EDRMS
UKEPR-0002-083-I03
8.5
Single Line Diagram - Nuclear and Conventional Island
UKX-CNEPEX-U0-000-DRW-000001, June 2009,
CNEPE
EDRMS
8.6
Consolidated GDA PCSR Sub-chapter 8.4 - Specific
Principles, Issue 03, March 2011
EDRMS
UKEPR-0002-084-I03
8.7
Consolidated GDA PCSR Sub-chapter 8.5 - Installation,
EDRMS
UKEPR-0002-085-I03
Page 94 of 230
Head Document
Ref
Title
Location
8.8
Consolidated GDA PCSR Sub-chapter 8.6 - Prevention
and Protection against Common Cause Failure, Issue 00,
March 2011
EDRMS
Document No.
UKEPR-0002-086-I00
Page 95 of 230
Head Document
9
AUXILIARY SYSTEMS
9.1
Summary
This section of the Head Document summarises the safety functional roles, components,
and chemistry of the Auxiliary Systems as described in Chapter 9 of HPC PCSR2.
The safety functional roles of the auxiliary systems are summarised under the following
headings.
9.1.1.1 Fuel Handling Systems
The various parts of the fuel handling systems provide different safety functions.
The new fuel dry storage rack is required to ensure the fuel is subcritical at all times
under all abnormal and accident conditions. It must also be designed to protect and
maintain the fuel cladding under all situations.
The underwater fuel storage rack must be designed to ensure the fuel is always
maintained in a subcritical state, especially under conditions of inadvertent boron
dilution, or even in pure water. It must also not prevent or hinder the free circulation of
pool water, so that fuel heat can be removed at all times. The rack must be designed to
protect and maintain the integrity of the fuel cladding at all times.
The Fuel Pool Purification and Cooling System (PTR [FPPS/FPCS]) supports all three
MSFs:
x
The characteristics of the SFP water must control fuel reactivity to maintain
subcriticality in temporary storage accident configurations (assembly lying on rack or
positioned between the rack and the pool wall). In particular, the pitch between the
fuel assembly storage cells must be sufficient to prevent the risk of criticality under all
circumstances. In addition, the characteristics of the IRWST water must maintain
core subcriticality after the reactor vessel is opened,
x
The PTR [FPPS/FPCS] system removes heat from fuel assemblies stored in the
SFP,
x
The PTR [FPPS/FPCS] system contributes towards the containment of radioactive
material by ensuring capability for isolation of the Fuel Building. Moreover, in the
event of the accidental drainage of the SFP, the PTR [FPPS/FPCS] prevents the fuel
in the storage rack, as well as a fuel assembly during handling, from being even
partially uncovered.
The Fuel Handling System (PMC [FHS]) provides the following safety functions:
x
Control of fuel reactivity to maintain subcriticality of fuel under all conditions,
x
Enabling continuous fuel heat removal,
x
Containment of radioactive material by protecting the integrity of the fuel cladding.
The fuel transfer tube and its isolation valves provide one of the means of maintaining
the integrity of the containment isolation.
The Spent Fuel Cask Transfer Facility (SFCTF) must be designed to ensure that a
criticality accident cannot result from any dropped load or other hazard-based accident
involving a cask. The SFCTF must ensure that heat can be removed from the fuel at all
Page 96 of 230
Head Document
stages of the handling process, and must be designed to prevent damage to the fuel
assembly during the transfer operations.
The polar crane does not have any direct safety functional role. However it does feature
in dropped load assessment, which presents one of the major hazards in assessing
equipment in the Reactor Building. Consequently the polar crane will be designed and
constructed in such a way as to minimise and mitigate this hazard (see Chapter 13 for a
detailed description of the design process for the mitigation of internal hazards, including
dropped loads).
The watertight pool liner supports two MSFs:
x
Control of fuel reactivity by prevention of leaks so that the water level in the pool is
maintained to prevent exposure of the fuel,
x
Containment of radioactive material by preventing escape of radioactive materials
into the concrete.
9.1.1.2 Water Systems
The water systems provide various safety functions.
The Essential Service Water System (SEC [ESWS]) provides cooling for the Component
Cooling Water System (RRI [CCWS]). The RRI [CCWS] contributes to removal of fuel
heat via the RIS/RRA [SIS/RHRS] in the reactor normal cooling phase or in accident
conditions, or the (PTR [FPPS/FPCS] during incident or accident conditions. The
RRI [CCWS] also contributes to heat removal from the Safety Chilled Water System
(DEL [SCWS]). In addition the RRI [CCWS] contributes to the containment of radioactive
material by providing a barrier between systems containing radioactive material and
service water discharged outside the plant (SEC [ESWS]), and by maintaining the
reactor coolant inventory by cooling the seals of the primary pumps.
The Nuclear Island Demineralised Water Distribution System (SED [NIDWDS] supplies
degassed water for make-up of the reactor system and the nuclear auxiliary systems. It
also has a function to supply make-up for the ISFS. The demineralised water provided to
the SED [NIDWDS] system is produced by demineralisation of towns’ water by the SDA
system.
The water intake filtering system (pre-filtering (SEF [PFS]) and filtering (CFI [CWFS]))
does not directly provide a functional safety role, although it is a significant part in
systems that provide water to allow cooling of other safety functional systems such as
the RRI [CCWS] or EVU [CHRS].
The Ultimate Cooling Water System (SRU [UCWS]) is necessary to remove residual
heat from the EVU [CHRS] under accident conditions, including cooling of the third
PTR [FPPS/FPCS] train. It is fitted with a diversified water supply in case of loss of the
water intake filtering system.
9.1.1.3 Primary Auxiliary Systems
The primary auxiliary systems contribute to safety functions as described below.
The REN [NSS] contributes to the control of fuel reactivity by monitoring the boron
content of the primary coolant and ensuring the correct level of fuel reactivity control is
maintained. It also provides information on the degree of boration in the spent fuel pools
and PTR [FPPS/FPCS] ensuring stored fuel is always maintained in a subcritical state.
The REN [NSS] and RES [SGSSS] also contribute to the containment of radioactive
material through their containment isolation function (primary and secondary lines), and
Page 97 of 230
Head Document
by providing sampling for the KRT [PRMS] that helps ensure the integrity of the steam
generators by detecting leaks across the primary and secondary circuits.
The RCV [CVCS] contributes to control of fuel reactivity by adjusting the level of coolant
boration during normal operation, start-up, shutdown and power changes. The system
also has a role under accident conditions to mitigate homogeneous boron dilution
accidents (PCC-2) and prevent heterogeneous boron dilution accidents (PCC-4).
The RCV [CVCS] also supports the safety function of fuel heat removal in managing the
water inventory of the RCP [RCS] by adjusting the balance between the charging flow
rate and the letdown flow rate.
The RCV [CVCS] also ensures the capability of the auxiliary spray to the pressuriser if
the normal spray function is unavailable or not sufficient.
In case of Steam Generator Tube Rupture (SGTR), the RCV [CVCS] contributes to the
depressurisation of the RCP [RCS], and the prevention of the steam generators
overfilling. This helps to prevent unacceptable radioactive releases.
The RCV [CVCS] can mitigate small LOCA events in conjunction with the
REA [RBWMS] by maintaining water inventory in the primary circuit to maintain fuel heat
removal, and under post-accident conditions it provides isolation of the pressure circuit
boundary.
The RCV [CVCS] provides many mitigating functions to ensure containment of
radioactive material:
x
It provides seal water to the reactor cooling pumps,
x
It controls the primary circuit chemistry to prevent corrosion of the fuel cladding,
x
It removes radioactive products from the circuit and contains them,
x
In post-accident situations it maintains containment isolation and, in the event of a
break downstream of the (CPP [RCPB]) isolation valves, the RCV [CVCS] must
ensure isolation of the CPP [RCPB].
The Coolant Storage and Treatment System (TEP [CSTS]) provides containment for
radioactive materials that are treated within it. It plays no direct role in any other safety
function.
The REA [RBWMS] contributes to the control of fuel reactivity by adjusting the boron
concentration of the RCV [CVCS] and hence the primary circuit. It also contains
radioactive material and as such provides a containment of radioactive material.
9.1.1.4 Heating and Ventilation Systems
The various ventilation systems provide containment of radioactive materials by
removing airborne material, filtering it and reducing emissions to acceptably low values.
The other significant role they perform is maintaining ambient and acceptable conditions
for staff and equipment in safety critical roles. Therefore systems can be divided into two
groups.
x
Those that work in and control potentially contaminated areas such as:
o Operational
Building
(DWB [OBCRVS]),
Contaminable
Room
Ventilation
System
o Fuel Building Ventilation System (DWK [FBVS]),
o Controlled Safeguard Building Ventilation System (DWL [CSBVS]),
o NAB Ventilation System (DWN [NABVS]),
Page 98 of 230
Head Document
o Effluent Treatment Building Ventilation System (DWQ [ETBVS]),
o Access Building (Controlled Area) Ventilation System (DWW [ABVS]),
o Containment Sweep Ventilation System (EBA [CSVS]),
o Reactor Building Internal Filtration System (EVF).
x
Those areas where there is safety critical plant such as:
o Control Room Air Conditioning System (DCL [CRACS]),
o Diesel Building Ventilation System (UDG and EDG) (DVD [DBVS]),
o Electrical Division of Safeguard Building Ventilation System (DVL [SBVSE]),
o Circulating Water Pumping Station Ventilation System (DVP [CWPSVS])11,
o Containment Cooling Ventilation System (EVR [CCVS]),
o Safety Chilled Water System (DEL [SCWS]),
o Fuel Building Ventilation System (DWK [FBVS]),
o Controlled Safeguard Building Ventilation System (DWL [CSBVS]).
There are also specific areas such as the boron rooms where a minimum temperature is
required to prevent solidification of boric acid solution, which, if it occurred, could lead to
a safety significant hazard through blockage of the pipelines and failure of the
REA [RBWMS].
The discharges from the nuclear island ventilation systems are collected and discharged
through the nuclear island stack. The design height of the HPC Unit 1 and Unit 2 stacks
is 70 metres above the site platform level (+14.0m OD) [Ref. 9.1].
9.1.2 Other Supporting Systems
The supporting systems provide various secondary safety roles as described below.
The Fire Protection Systems and equipment, including Fire Detection System
(JDT [FDS]) and Fire Fighting Systems (JPI [NIFPS]), provide the function of
safeguarding safety significant classified systems.
The Fire Fighting Water Supply System (JAC [FFWSS]) contributes to fuel heat removal
by providing reserve water for the ASG [EFWS] tanks. The JAC [FFWS] system, through
the JPI [NIFPS] fire fighting system, is used for the make-up of the SFP following a
postulated breach, in particular on the PTR [FPPS/FPCS] cooling line, with a view to
guaranteeing the removal of heat from fuel assemblies and ensuring they remain
covered. The JAC [FFWS] system also provides the water for the JPI [NIFPS] fire
fighting system.
The Smoke Confinement System (DFL) provides a safety role in that fire sectors use
dampers to prevent the spread of fire and smoke, thus safeguarding safety significant
plant and activities.
The Door Monitoring System prevents the spread of fire and maintains the segregation
of safety significant trains.
The communications and lighting systems provide conditions under which safety
significant activities can be carried out within reasonable timescales under the safety
case.
11
It should be noted that there is not yet sufficient detail in the design to state if there is reliance on the DVP system for preventing
freezing of the drum screens and band screens.
Page 99 of 230
Head Document
The gas distribution systems (Oxygen Distribution System (SGO [ODS]), Hydrogen
Distribution System (SGH [HDS]) and Nitrogen Distribution System (SGN [NDS])) have
no specific safety functions except the SGN [NDS] that contributes to the containment
penetration isolation.
9.1.3 Chemistry Control
Chemistry/radiochemistry control is vital to the functioning of the primary circuit (see
Sub-chapter 5.5). Chemistry and radiochemistry also play an essential role in fulfilling
auxiliary system functions.
The control of chemistry and radiochemistry in the many auxiliary systems contributes to
safety functions primarily by:
x
Fuel reactivity control through boric acid injection,
x
Mitigation of the effects of fission product release in order to ensure minimal impact
on discharges,
x
Containment of radioactive material by preventing material corrosion to ensure
containment integrity and radioactive substance mitigation,
x
Prevention and mitigation of hazard conditions.
The chemical/radiochemical parameters of the primary circuit and the auxiliary systems
vary as a function of the operating conditions. The following criteria are identified for
each system:
x
Anion concentrations (such as chlorides, fluorides and sulphates) having a direct
impact on the potential material corrosion of the auxiliary systems components,
x
Oxygen having a direct effect on the material corrosion of the auxiliary systems
components and leading to a potential risk of fire or explosion in the case of
degassing and accumulation in biphasic tanks,
x
Cations (such as sodium, magnesium, calcium and aluminium). While sodium is an
impurity directly linked with the potential corrosion risk of the auxiliary systems
components, the risk associated with magnesium, calcium and aluminium is due to
their transfer and deposition on the fuel cladding as zeolites,
x
Silica that can be transferred from the auxiliary systems components to the primary
circuit leading to crud deposition and associated consequences,
x
Suspended solids directly related to the erosion/corrosion of materials used within
the auxiliary systems,
x
Hydrogen gas concentration, particularly in comparison to the inflammability limit.
9.1.4 Construction Design Code
In accordance with the requirements detailed in Sub-chapter 3.2, the equipment of the
auxiliary systems are designated an appropriate class associated with their nuclear
safety function, and in some cases their potential to cause damage to other higher
classified components. As such, each component is subject to the design requirements
of the appropriate mechanical design code for classified equipment (see Sub-chapter
3.8). Other codes and standards are used for specific equipment; for example the
German standard KTA for handling equipment; or the Book of Technical
Specifications/Rules for HVAC equipment.
Page 100 of 230
Head Document
the mechanical equipment, for HPC PCSR2 the 2007 version with 2008, 2009 and 2010
addenda will be used. See Chapter 3 for further details on the use of codes and
standards during the design and construction of the units. These codes will be used
may be used provided that an adequate justification is made within the appropriate
safety case documentation.
The mechanical properties are defined in accordance with Volume 1 Appendix ZI and
In general there is a move towards reducing the use of cobalt-based hard materials such
as Stellite for components connected to the primary circuit, and manufacturers will be
encouraged to use alternative hard metals for components such as valve seats and
guide bushes.
The quality of manufacture is ensured through the GQAS [Ref. 9.2].
9.1.4.2 In-Service Inspection (ISI)
fracture, etc.) and on operating experience in specific areas. The exact details of
frequencies specified within the ISI programme will form part of the maintenance and
inspection schedule.
9.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 9.1, 9.3
and 9.5 and in HPC PCSR2 Sub-chapters 9.2, 9.4 and 9.6. Figure 10 illustrates the
document structure for Chapter 9.
The information presented in Chapter 9 of Consolidated GDA PCSR 2011 is applicable
to HPC in the case of Sub-chapters 9.1, 9.3 and 9.5 [Refs. 9.3, 9.4 & 9.5]. Sub-chapter
9.3 does not refer to the 0TEN system. Site-specific changes made to Sub-chapter 11.4
introduce this system.
The information in Sections 1, 3, 4 and 6 in Sub-chapter 9.2, and Section 12 in Subchapter 9.4 has been updated for HPC PCSR2 to include site-specific information
relating to the heat sink system and the HVAC system’s ability to handle the site-specific
extreme hot air temperature. In addition the safety classifications quoted in Sections 1,
3, 4 and 6 in Sub-chapter 9.2, and Section 12 in Sub-chapter 9.4 of HPC PCSR2 is more
up to date than those quoted in Sub-chapter 3.2 of Consolidated GDA PCSR 2011.
Page 101 of 230
Head Document
Regarding Sub-chapter 9.2, the site data value for extreme seawater temperature from
Chapter 2 has not yet been applied to the different system and heat exchanger designs
for the SEC [ESWS], SRU [UCWS] and RRI [CCWS], which may be subject to an
elevated maximum sea water temperature for PCC-1, RRC-A and RRC-B events. A
Forward Work Activity has been added under Chapter 13 within the Forward Work
Activities report [Ref. 9.6] that covers this issue.
A new Sub-chapter 9.6 [Ref. 9.9] has been produced for HPC PCSR2 that covers the
detailed issues of chemistry control for the systems presented in Chapter 9. Gaps are
identified, and Forward Work Activities to address these gaps are summarised.
A summary document has been produced to look at the design of the heat sink
[Ref. 9.10]. This report describes the current design for the HPC heat sink and shows
how it satisfies both functional requirements and site-specific constraints. The protection
provided by the heat sink design against internal and external hazards is also presented.
The capability of the heat sink at the HPC site to reliably deliver sufficient cooling water
for operation and nuclear safety is demonstrated by the robustness of the open circuit
design against extreme hazards including low sea water levels, clogging, freezing and
silting.
The fundamental heat sink design options applicable to the twin-unit HPC site have
been examined through a structured ALARP process. The findings support the decision
to adopt an open circuit system with two intake tunnels and two link tunnels between the
forebays [Ref. 9.10].
The heat sink concept design is sound and provides a firm basis for the subsequent
basic design and detailed design stages. Items of ongoing work have been identified in
this report that will finalise and substantiate certain aspects of the design and the safety
case.
A further question considered is why the Sizewell B (SZB) design was required to
include a diverse Reserve Ultimate Heat Sink (RUHS), while a RUHS is not deemed to
be necessary for HPC. In answering this question, NNB GenCo has recognised that SZB
was required to consider a consequential large break LOCA or MSLB following a 10-4/y
seismic event. This is despite the argument that such a seismic event could not credibly
lead to either of these events in the Reactor Building due to the seismic qualification of
the relevant systems. The ESWS (outside the Control Building) and intake structures at
SZB are not seismically qualified to a sufficient level (i.e. the 10-4/y seismic event), and
therefore a diverse seismically qualified system capable of rejecting the heat generated
by a large break LOCA or MSLB was required (i.e. the RUHS). For HPC, the
SEC [ESWS] system with its forebays, liaison galleries and intake structures are SC1
structures (i.e. qualified against the 10-4/y seismic event).
The availability of the required heat sink capacity under all fault conditions is further
assured through the forebay link tunnels and the SEC [ESWS] diversification pipeline
from the discharge pond providing two additional diverse sources of water. The
SEC [ESWS] diversification line is currently not claimed in fault studies. However,
classification of this line is identified as an ongoing item in the HSSD [Ref. 9.10].
In addition the SRU [UCWS] system is available for beyond design basis accident
mitigation (RCC-A and RCC-B).
The consequences of loss of heat sink are described in more detail in Section 4.1.2 of
the HSSD.
The HSSD reviews and compares the fundamental design options to demonstrate that
the adopted design will render the nuclear safety risks ALARP.
Page 102 of 230
Head Document
A further version of the HSSD will be presented prior to construction as part of HPC
PCSR3. This will incorporate design updates, the closure of ongoing items and the new
safety classification system.
Chapter 9 of Consolidated GDA PCSR 2011 covers the auxiliary systems to be installed
at both UK EPR units at HPC. Apart from a small number of design developments and
modifications to the detailed design assessed as part of the GDA, it is anticipated that
the generic envelope of the design presented in Consolidated GDA PCSR 2011 will be
applicable to the UK EPR units at HPC.
From the GDA Out-of-scope Items [Ref. 9.11], the following are relevant to Chapter 9:
x
Civil Engineering topic area:
o Item 9 Detailed design of the pool liners.
x
Fault studies topic area:
o Item 1 Details of fault studies in systems not considered in the GDA:
1) Site-specific calculations for radiological consequences (methodology is
in GDA scope),
2) Control and limitation functions (with the exception of Pellet Clad
Interaction (PCI) limitation, which is in GDA scope),
3) Operating Technical Specifications (OTS) documents.
x
Mechanical Engineering topic area:
o Item 1 Nuclear island stack height,
o Item 4 Heat sink characteristics.
These out-of-scope items will all be addressed as part of the detailed design process.
9.2.3 Classification of systems
The classification of systems is the subject of GDA Cross-cutting Issue GI-UKEPR-CC01 which is not complete at the time of issuing HPC PCSR2. Therefore the system
classifications presented within Chapter 9 sub-chapters do not implement the UK
classification methodology.
9.3
Route Map
x
Sub-chapter 9.1 Fuel Handling and Storage [Ref. 9.3] deals with the fuel handling
and storage systems in the nuclear island (Reactor Building and Fuel Building). This
covers fuel storage, the PTR [FPPS/FPCS]), the PMC [FHS], Handling Equipment
and Plant for the Fuel Building [DMK], the DMR [PC] and the fuel pool liners.
x
Sub-chapter 9.2 Water Systems [Ref. 9.7] describes the water systems including the
SEC [ESWS], the RRI [CCWS], the various demineralised water systems – the
Demineralised Production System (SDA [DPS]), the SED [NIDWDS]12 and the
Conventional Island Demineralised Water Distribution System (SER [CIDWDS]) - the
12
It should be noted that HPC PCSR2 Sub-chapter 9.2 requires update to properly reflect the classification of the N part of the SED
[NIDWDS].
Page 103 of 230
Head Document
Circulation Water Filtration System (CFI [CWFS]), the Potable Water Systems
(SEP [PWS]) and the SRU [UCWS]. In addition to the information given in the update
of Sub-chapter 9.2, the HSSD [Ref. 9.10] provides a summary of the heat sink design
including a description of the protection of the heat sink systems against hazards (it
should be noted that the SEC [ESWS], CFI [CWFS] and SRU [UCWS] which are part
of the heat sink systems and form part of Sub-chapter 9.2, have omitted to consider
the extreme high air temperature hazard, which is considered in Sub-chapter 13.1 of
HPC PCSR2, resolution of this issue is planned for the next update, but the
contribution of this hazard to the heat sink case is considered to be very small).
9.4
x
Sub-chapter 9.3 Primary System Auxiliaries [Ref. 9.4] describes the primary system
auxiliary systems including the REN [NSS], the Steam Generator Secondary
Sampling System (RES [SGSSS]) and Effluent Treatment Building Sampling System
(TEN [ETBSS]), the RCV [CVCS], the TEP [CSTS] and the REA [RBWMS].
x
Sub-chapter 9.4 Heating, Ventilation and Air Conditioning Systems [Ref. 9.8]
describes the various HVAC systems including the nuclear island discharge (vent)
stack (it should be noted that the DVP [CWPSVS] which is part of the heat sink
system and forms part of Sub-chapter 9.4, has omitted to consider external fire and
extreme high air temperature, which are considered in Sub-chapter 13.1 of HPC
PCSR2, resolution of this issue is planned for the next update, but the contribution of
this hazard to the heat sink case is considered to be very small).
x
Sub-chapter 9.5 Other Supporting Systems [Ref. 9.5] considers the remaining
supporting systems including the Fire Protection Systems: JDT [FDS];
JAC [FFWSS]); Fire Fighting System – Non-Classified (buildings) (JPD [FFS-NC]);
Fire Fighting System for the Turbine Hall Oil Tanks (JPH [FFS-THOT]); JPI [NIFPS];
fire protection of the Effluent Treatment Building [8JPI]; Fire Fighting Water
Distribution System for the site (JPS [FFEDW]); Transformer Fire Protection System
(JPT [TFPS]); Diesel Building Fire Protection System (JPV [DBFPS]). Other systems
include the DFL, the Diesel Systems Main & SBO, the Compressed Air Systems Compressed Air Production System (SAP [CAPS]), the Compressed Air System
(SAR [CAS]) and the Service Compressed Air Distribution System (SAT [SCADS]) the Communication Systems, the Lighting Systems and the Gas Distribution Systems
- SGN [NDS], SGO [ODS] and SGH [HDS].
x
Sub-chapter 9.6 Auxiliary Systems Chemistry Control [Ref. 9.9] deals with chemistry
and radiochemistry control in the auxiliary systems it itemises. In addition to the
specification of the water chemistry of the RCV [CVCS], SFP and TEP [CSTS], it also
discusses the mitigation of process generated hazards such as hydrogen and
airborne radioactive contaminants. In addition, the use of the KRT [PRMS] to detect
radioactive releases is discussed. Further chemistry information can be found in Subchapter 5.5 Reactor Chemistry, Sub-chapter 10.7 Secondary System Chemistry and
the new Sub-chapter 6.9 Containment and Safeguard Systems Chemistry Control.
Conclusions
The auxiliary systems have been divided into the categories of fuel handling, water,
primary auxiliary, heating and ventilation, chemistry control and other systems. These
systems are designed to ensure the safe operation of the units and contribute to fulfilling
the three MSFs of fuel heat removal, containment of radioactive materials and control of
fuel reactivity.
The MSFs of the plant have been specified for each of the systems. On the basis of the
design it is considered appropriate to proceed with the development of the detailed
Page 104 of 230
Head Document
design for the auxiliary systems and the associated safety justifications for their design
and operation. The design for the auxiliary systems is sufficiently well developed to
support moving into the construction phase, and the design basis described in HPC
9.5
Ref
References
Title
Location
Document No.
9.1
Justification of the Hinkley Point C EPRs stack
height – ECUK100585, Revision A, Dec 2010
EDRMS
HPC-NNBOSL-U0-000-RET000017
9.2
Applicable to UK EPR Contracts, Rev C, Sept
2011
EDRMS
ECUK100053
9.39.5
Consolidated GDA PCSR, Issue 03, March 2011
Sub-chapter 9.1 - Fuel Handling and Storage
Sub-chapter 9.3 - Primary System Auxiliaries
Sub-chapter 9.5 - Other Supporting Systems
EDRMS
9.6
Nov 2012
EDRMS
9.79.9
HPC PCSR2
Sub-chapter 9.2 - Water Systems, Issue 1, Sept
2012
Sub-chapter 9.4 - Heating, Ventilation and Air
Conditioning Systems, Issue 1, September 2012
Sub-chapter 9.6 - Auxiliary Systems Chemistry
Control, Issue 1, July 2012
EDRMS
9.10
HPC PCSR2 – Heat Sink Summary Document
Version 2.0, Jan 201213
EDRMS
9.11
Areva/EDF letter to ONR;
“Agreed List of Out of Scope Items for the UK
EPR for GDA” dated 15 April 2011
EDRMS
ND(NII) EPR00836N, but
replaced by UKEPR-I-002, the
GDA reference design, which
includes the out of scope items.
UKEPR0002-091-I03
UKEPR0002-093-I03
UKEPR0002-095-I03
HPC-NNBOSL-U0-00-RES000082
13
This document formed PCSR2 Early Submission Batch 5 and therefore was complete prior to the completion of HPC PCSR2 SubChapters 9.2, 9.4 and 9.6. Therefore this document utilises the information from the Consolidated GDA PCSR 2011 versions of these
sub-chapters. This update to the sub-chapters is not felt to substantively change any of the safety arguments presented within the
Heat Sink Summary Document [Ref. 9.9].
Page 105 of 230
Head Document
10
STEAM AND POWER CONVERSION SYSTEMS
10.1
Summary
This section of the HPC PCSR2 Head Document summarises the function of the Steam
and Power Conversion Systems in the removal of heat and its conversion into electrical
power, as described in Chapter 10.
The systems provide a means of operation in normal and start/standby modes for heat
removal from the reactors by the steam generators. In the event of an abnormal
occurrence or fault condition e.g. turbine or reactor trip, alternative heat removal paths
have been incorporated into the design of the UK EPR. The systems whose functions
have safety requirements are the Main Steam Relief Train (VDA [MSRT]), the Steam
Generator Blowdown System (APG [SGBS]), the Main Feedwater System
(ARE [MFWS]), the Main Steam Supply System (VVP [MSSS]) and the Turbine
Protection System (GSE).
Work on the classification of SSCs and the applicability of the classification scheme
beyond the nuclear island plant is ongoing and, as such, the list of SSCs within the
Steam and Power Conversion plant may be subject to change in future safety
submissions.
The design is sufficiently well developed and stable, and the design basis described in
HPC PCSR2 provides an adequate baseline safety justification for the Steam and Power
Conversion Systems to support moving into the construction phase.
As detailed in Sub-chapter 6.8 and Sub-chapter 10.4 respectively, the VDA [MSRT]
system and the APG [SGBS] support the following MSFs of the UK EPR:
x
Fuel heat removal,
x
As detailed in Sub-chapter 10.6 and Sub-chapter 10.3 respectively, the ARE [MFWS]
and the VVP [MSSS] support the following MSFs of the UK EPR:
x
Fuel heat removal,
x
x
As detailed in Sub-chapter 10.2, the turbine trip system supports the following plant level
safety function of the UK EPR:
x
Maintain core criticality control by limiting primary circuit cooling.
The functional roles that are performed by each of these systems in supporting the
MSFs are described under the system summaries below.
10.1.2 Turbine Generator
The turbine generator set has no specific nuclear safety claim. A preliminary safety
analysis has been performed to assess the risk from missile ejection, fire and explosion.
The design addresses turbine and generator protection. The GSE trips the turbine in an
event (e.g. loss of lubrication, overspeed and overpressure) by closure of the GSE
Page 106 of 230
Head Document
isolating valves thus isolating steam supply. The Generator Protection System protects
against internal faults by opening of the 400kV coupling breaker and external faults by
the opening of the 400 kV line breaker. A reactor trip will lead to a turbine trip.
10.1.3 Steam Systems
The safety requirements of the VVP [MSSS] during normal, start/standby and fault
operating conditions are described and include fuel reactivity control by limiting the
steam flow rate, controlling the fuel heat removal and containment of radioactive
material.
Fuel heat removal is controlled by transferring steam either to atmosphere via the
VDA [MSRT], or to the condenser via the Main Steam Bypass GCT [MSB] when
available. In the event of a secondary side break, the VVP [MSSS] system must limit
cooling so that the brittle fracture temperature limit of the pressure vessel is not reached.
Containment of radioactive material is ensured by isolating the affected steam generator
in the event of a SGTR, limiting the pressure during a MSLB (within containment),
overpressure protection of the steam generators and VVP [MSSS] isolation in an RCC-B
event. The safety analysis addresses the Single Failure Criterion, internal and external
hazards, classification requirements and the break preclusion concept.
The GCT [MSB] system is not required to perform a safety function. During transient
conditions/power changes and SGTR events the GCT [MSB] (when it is available)
removes steam to the condenser, limiting demand on the VDA [MSRT] system and
discharge to the atmosphere.
The APG [SGBS] performs two safety functional roles:
x
Containment of radioactive material by isolation of the affected steam generator
under SGTR conditions,
x
Fuel heat removal in the event of loss of feedwater supply by isolation of the affected
steam generator (preventing loss of emergency feedwater).
The APG [SGBS] is considered an extension of the secondary containment barrier. The
Single Failure Criterion, equipment qualification, systems’ classifications, hazards and
emergency power supplies have also been addressed. The radioactive characteristics
and chemistry is monitored by the REN [NSS]/KRT [PRMS].
10.1.4 Feedwater Systems
The main function of the feedwater system during normal operation is to maintain the
level of water in the steam generators, providing and regulating primary circuit cooling;
contributing to the removal of fuel heat from the reactor core.
In accident conditions the ARE [MFWS] must rapidly isolate feed to prevent primary
system overcooling. In the event of a reactor coolant pipe break, the feedwater system
inside the Reactor Building must be designed to remain intact and to form part of the
containment boundary. In case of a break on the RCP [RCS] inside the containment, the
sections inside the Reactor Building are considered as an extension of the third
containment barrier. In the event of a SGTR or similar, the ARE [MFWS] must rapidly
isolate the affected steam generator and contain the primary circuit coolant, providing
radioactive release mitigation. In the case of a secondary break inside the Reactor
Building, the ARE [MFWS] must limit pressurisation of the containment. Details on
redundancy and independence of feedwater lines are provided in Sub-chapter 10.6. The
break preclusion concept does not apply to the ARE [MFWS] as the implications of a
pipework break on the feedwater lines do not require it to be designated as a HIC.
Page 107 of 230
Head Document
The Start-up and Shutdown Feedwater System (AAD [SSS]) does not perform a safety
function, but in the event of a switch between unit transformer and auxiliary transformer
the AAD [SSS] pump starts up to avoid demand on the steam generator ASG [EFWS].
10.1.5 Tertiary Cooling Systems
The main cooling system or Circulating Water System (CRF) is required to trip in the
event of a significant water level difference (between upstream and downstream
sections) or low water level downstream of the CFI [CWFS], retaining sufficient margin
for availability/operation of the SEC [ESWS]. A trip will also occur when a high water
level in the turbine hall condenser pit and/or the Conventional Island Liquid Waste
Discharge System (SEK [CILWDS]) pit is detected, preventing flooding in the turbine
hall.
10.1.6 Break Preclusion Concept
Break preclusion for the VVP [MSSS] lines inside and outside the Reactor Building
containment is addressed in Sub-chapter 10.5. The requirement relating to the
demonstration of the break preclusion and the approach taken to demonstrate further
levels of ‘defence in depth’ are described. The areas of application of the break
preclusion concept, the details of preventative measures, the surveillance measures, the
first line of ‘defence in depth’ and the second line of ‘defence in depth’ are presented.
The break preclusion concept applies to the 30" sections of the safety classified steam
lines; the limits of application of the break preclusion concept are the steam generator
nozzles and the supports located downstream of the Main Steam Isolation Valve
(VIV [MSIV]). Implementation of the break preclusion concept allows a guillotine break of
a VVP [MSSS] line to be excluded from the design basis.
Preventative measures with respect to material properties, design basis, loads and
defects are detailed in Sub-chapter 10.5. Surveillance measures are provided for the
break preclusion sections of the main steam lines. The ‘defence in depth’ approach
relates to mitigation through a demonstration of tolerance to through-wall thickness
defects and the application of a leak detection system (for the pipework inside the
containment), along with further analytical studies investigating the consequences of a
rupture. The analytical studies used include the postulated rupture outside the break
preclusion area on the VVP [MSSS] lines downstream of the main steam isolation valves
or a rupture on the ARE [MFWS] lines. Other pipe ruptures are also postulated to assess
the effect on connected components, containment integrity and reactor core reactivity
behaviour, and to define bounding equipment qualification parameters. Despite
implementation of the break preclusion concept, a double-ended break is postulated at
the outlet point of the steam generator to provide a very conservative assessment of the
reactor core response.
10.1.7 Chemistry
HPC PCSR2 Sub-chapter 10.7 provides a description of how the secondary chemistry
strategy, along with the choice of secondary circuit materials, allows the minimisation of
corrosion, corrosion product transport, accumulation of corrosion products in the steam
generators, and the subsequent protection of the integrity of the primary-secondary
interface (the second barrier) and the nuclear safety role of the steam generators.
The secondary side chemistry is also optimised to limit the impact to the environment
and to improve plant performance and availability.
Page 108 of 230
Head Document
Flow Accelerated Corrosion (FAC) is primarily eliminated by the use of stainless or highchrome steels in the areas of high and medium risk. Low risk areas, where carbon steel
is the chosen material, are protected through an optimised, high-pH, amine and
hydrazine chemistry regime, which minimises general corrosion of materials.
The removal of copper-containing materials permits operation at elevated pH using one,
or a combination of species (ethanolamine, morpholine, ammonia). The use of alloy
690TT for steam generator tubing also contributes to the minimisation of corrosion,
steam generator tube support plate fouling and clogging (sludge), and subsequent
failure of the second barrier.
Chemical additives are injected by the secondary circuit chemical injection system (SIR).
Impurity control also allows for the minimisation of corrosion, and this is ensured by a
tight, reliable condenser, quick detection of impurities through the feed water Chemical
Sampling and Monitoring System (SIT) and purification systems (APG [SGBS], and the
Start-up Condensate and Feedwater Purification System [ATD].
Sodium, chloride, sulphate, silica and oxygen are all monitored and measured as part of
the secondary circuit sampling strategy, as well as the concentrations of secondary
circuit additives mentioned above.
The choice of materials for secondary systems is a key parameter ensuring the safe
operation of the unit. Taking into account this choice, the chemistry is optimised to
ensure the integrity of materials and to reduce radiation fields. The main chemistry
parameters are described and justified, including the design optimisation that provides
the means to achieve the objectives of nuclear safety, radiation protection, material and
equipment integrity, minimisation of environmental impact, hazard protection and
operational performance.
10.1.8 Design Code
In accordance with the requirements detailed in Sub-chapter 3.2, certain equipment of
the steam and power conversion systems are designated an appropriate class
associated with their nuclear safety function, and in some cases their potential to cause
damage to other higher classified SSCs. As such, each component is subject to the
design requirements of the appropriate mechanical design code for classified equipment,
e.g. RCC-M.
the mechanical equipment, for HPC PCSR2 the 2007 edition with 2008, 2009 and 2010
addenda will be used. (See Chapter 3 for further details on the use of codes and
standards during the design and construction of the units.) These codes will be used
10.1.8.1.1 Material Properties and Quality of Manufacture
may be used provided an adequate justification is made within the appropriate safety
case documentation.
The quality of manufacture is ensured through the GQAS [Ref. 10.1].
Page 109 of 230
Head Document
10.1.8.1.2 In-Service Inspection (ISI)
fracture, etc.) and on operating experience in specific areas. The exact details and
frequency of the ISI programme will form part of the maintenance and inspection
schedule.
10.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 10.1,
10.3, 10.5 and 10.6, and in HPC PCSR2 Sub-chapters 10.2, 10.4 and 10.7. Figure 11
illustrates the document structure for Chapter 10 of HPC PCSR2.
Sub-chapters 10.1, 10.3, 10.5 and 10.6 of Consolidated GDA PCSR 2011 are applicable
to HPC. HPC PCSR2 site-specific Sub-chapters 10.2, 10.4 and 10.7 have the following
differences with respect to Consolidated GDA PCSR 2011:
x
Sub-chapter 10.2 Turbine Generator Set is absent from Consolidated GDA PCSR
2011 due to its site-specific nature. Information has been added as discussed above,
x
Sub-chapter 10.4 Other Features of the Steam and Power Conversion Systems has
been modified to insert information on systems not covered by Consolidated GDA
PCSR 2011 (e.g. condenser, condenser extraction system, turbine gland system and
some of the feedwater plant systems); it also includes a site-specific update for the
CRF,
x
The new Sub-chapter 10.7 Secondary System Chemistry comprises information from
Consolidated GDA PCSR 2011 Sub-chapter 5.5 with minor amendments pertaining
to ‘sufficient chromium content in secondary side materials’ where flow assisted
corrosion may be prevalent.
Chapter 10 of Consolidated GDA PCSR 2011 [Refs. 10.2-10.5] covers the steam
systems to and from the steam generators and the turbine generator for both units at
HPC. Consolidated GDA PCSR 2011 encompasses the design details for the ARE
[MFWS], secondary system break preclusion concept and the VVP [MSSS]. The main
exceptions not covered in Chapter 10 of the Consolidated GDA PCSR 2011 are for the
turbine generator set and other features of the steam and power conversion systems.
Revised site-specific Sub-chapters 10.2 and 10.4 have been produced.
Secondary system chemistry is covered in Consolidated GDA PCSR 2011 Sub-chapter
5.5. However a new HPC chemistry sub-chapter was created in Chapter 10 of HPC
PCSR2 in order to consolidate information relating to the secondary system chemistry
control within the secondary system chapter.
There are a number of GDA Out-of-scope Items [Ref. 10.6] relevant to Chapter 10 of
HPC PCSR2. They include:
x
Probabilistic Safety Assessment (PSA).
Page 110 of 230
Head Document
Relevant incorporation of the design of the conventional island into PSA will be
completed as part of the Forward Work Activities to risk-inform the detailed design of
the plant (as detailed in Section 15).
x
Instrumentation & Control (I&C).
For I&C automation systems, the commissioning and site manuals providing the
specification and the execution of the site tests, encompassing the manual used for
on-site maintenance and testing for all I&C automation systems, will be detailed and
justified in the appropriate pre-commissioning safety report.
Systems that are not used in the monitoring, control and safety of the plant: turbine
I&C; fire detection and protection I&C; fatigue, leakage, loose part or vibration
monitoring; are subject to further detailed design and will be detailed and justified in
the appropriate safety report.
x
Reactor Chemistry.
NNB GenCo are undertaking a systematic review of UK EPR systems to ensure that
all systems for which chemistry control is needed in ensuring safety and
environmental protection are adequately addressed in the safety case.
x
Mechanical Engineering.
Equipment qualification reports for SSCs in the Steam and Power Conversion area
are supplier dependent and will be detailed and justified in the appropriate safety
report.
x
Management of Safety & Quality Assurance (QA).
The QA arrangements for manufacturing activities are under development as part of
the contract specifications for the plant within the Steam and Power Conversion area
and will be detailed and justified in the appropriate safety report.
Project specific QA arrangements for knowledge transfer between designer and
operator are not specific to the Steam and Power Conversion area. The project
processes enabling NNB GenCo to demonstrate its capability as an Intelligent
Customer are highlighted in Section 21.
x
Structural Integrity.
UK EPR project-specific detailed design documents for the main components
including requisitions, final stress and fast fracture specifications and reports, will be
produced as detailed design progresses and will be detailed and justified in the
appropriate safety report.
The detailed inspection (PSI and ISI) reports to be produced during the construction,
installation and commissioning of the plant within the Steam and Power Conversion
area will be detailed and justified in the appropriate pre-commissioning safety report.
The detailed specifications of fracture toughness tests for avoidance of fracture
demonstration are under development as part of the contract specifications for the
plant within the Steam and Power Conversion area and will be detailed and justified
in the appropriate safety report.
Specific end of manufacturing NDT qualification processes for component zones
other than the prototype application for avoidance of fracture demonstration are
under development as part of the contract specifications for the plant within the
Steam and Power Conversion area and will be detailed and justified in the
appropriate safety report.
Page 111 of 230
Head Document
x
Classification.
The GDA scope is limited to that consistent with other GDA topic scopes (civil
structure, C&I, etc.) in terms of functions and SSCs covered. In particular sitespecific SSC classification is out-of-scope of GDA (pumping station, etc.). As
identified in Section 10.1, work on the classification of SSCs is ongoing and so the
list of SSCs within the Steam and Power Conversion plant may be subject to change
in future safety submissions.
10.3
Route Map
Chapter 10 of HPC PCSR2 comprises seven sub-chapters:
x
Sub-chapter 10.1 General Description [Ref. 10.2] gives the general description of the
secondary steam system. This sub-chapter also introduces those systems whose
functions have safety-related roles. Currently this list includes the VDA [MSRT], the
ARE [MFWS], the VVP [MSSS] and the turbine trip system.
x
Sub-chapter 10.2 Presentation of the Turbo-Generator Set [Ref. 10.7] describes the
turbine generator set, where the design takes into account turbine protection,
generator protection and fire protection requirements. Further information on
hazards, including turbine missiles can be found in Chapter 13 Hazard Protection.
The sub-chapter also discusses the redundancy/diversity and backup of lubricating
oil pumps, detection systems and electrical supplies.
x
Sub-chapter 10.3 Main Steam System (Safety Classified Part) [Ref. 10.3] describes
the role that the VVP [MSSS] plays in removing heat during normal and fault
conditions. This sub-chapter discusses the VIV [MSIV], related I&C, maintenance
requirements and fast fracture analysis, and introduces related hazards. Further
information can be found in Sub-chapter 6.8 Main Steam Relief Train System
(VDA [MSRT]). The qualification requirements of the VVP [MSSS] are supplied in
Sub-chapter 3.6.
x
Sub-chapter 10.4 Other Features of Steam and Power Conversion Systems
[Ref. 10.8] describes other features of the steam and power conversion systems;
namely the condenser and the Condensate Extraction Systems (CEX [CCES]), the
GCT [MSB] system, the Feedwater Plant Systems (Low Pressure Feedwater and
Heater System (ABP), the Feedwater Tank and Gas Stripper System (ADG), the
Motor Driven Feedwater Pump System (APA), High and Medium Pressure
Feedwater Plant and Heater System (AHP), the AAD [SSS]), the CRF, the Turbine
Gland Steam System (CET [TGS]) and the APG [SGBS]. Information on the
ASG [EFWS] can be found in Sub-chapter 6.6. The safety requirements and the
design features on each system have been addressed. Information on the
APG [SGBS] for normal, start/standby and fault operating conditions is presented.
x
Sub-chapter 10.5 Implementation of the Break Preclusion Principle for the Main
Steam Lines Inside and Outside the Containment [Ref. 10.4] describes the break
preclusion for the VVP [MSSS] lines inside and outside the Reactor Building
containment. This sub-chapter includes analytical studies on the VVP [MSSS] lines
downstream of the VIV [MSIV] and on the ARE [MFWS] lines. Further information on
break preclusion concepts not contained within this sub-chapter may be found within
Sub-chapter 5.2 Reactor Coolant System and Sub-chapter 3.4 Mechanical Systems
and Components.
x
Sub-chapter 10.6 Main Feedwater System [Ref. 10.5] describes the role the
ARE [MFWS] plays in maintaining appropriate primary circuit cooling during normal
Page 112 of 230
Head Document
and accident conditions; limiting primary circuit overcooling. This sub-chapter
addresses the safety functions, design requirements, design parameters, operational
requirements and testing requirements of the ARE [MFWS] inside and outside the
Reactor Building.
x
10.4
Sub-chapter 10.7 Main Steam and Feedwater Lines, Secondary System Chemistry
[Ref. 10.9] contains information originally found in Consolidated GDA PCSR 2011
Sub-chapter 5.5 Reactor Chemistry; specifically Section 2 and Section 3 Secondary
Chemical Parameters during Normal Power Operation – Preliminary Values table
and the related references. Sub-chapter 10.7 Section 2 provides information on the
chemistry regime for EPR secondary side water chemistry. Further chemistry
information can be found in Sub-chapter 5.5 Reactor Chemistry, the new Subchapter 6.9 Containment and Safeguard Systems Chemistry Control and the new
Sub-chapter 9.6 Auxiliary Chemistry Control.
Conclusions
The various steam and power conversion systems identified within this chapter are
designed and operated to contribute to fulfilling the three MSFs of fuel heat removal,
containment of radioactive materials and control of fuel reactivity. This chapter
demonstrates that the design codes, the materials of manufacture, the operational
chemistry control and the relevant ISI will ensure that the various Steam and Power
Conversion Systems meet the safety requirements made on them under normal
operating and abnormal conditions.
The design for the Steam and Power Conversion Systems is sufficiently well developed
to support moving into the construction phase, and the design basis described in HPC
10.5
Ref
References
Title
Location
EDRMS
10.1
Applicable to UK EPR Contracts, Rev C, Sept
2011
EDRMS
10.210.5
Consolidated GDA PCSR Issue 02 and 03 as
marked, March 2011 :
Sub-chapter 10.1 - General Description
Sub-chapter 10.3 - Main Steam System
Sub-chapter 10.5 - Implementation of the Break
Preclusion Principle for the Main Steam Lines
Inside and Outside the Containment
Sub-chapter 10.6 - Main Feedwater System
Document No.
ECUK100053
UKEPR0002-101-I02
UKEPR0002-103-I03
UKEPR0002-105-I02
UKEPR0002-106-I03
10.6
Reference Design Configuration, UKEPR-I-002
Revision 11, September 2011, EDF/AREVA.
10.7
HPC PCSR2 Sub-chapter 10.2 - TurboGenerator Set, Issue 1, April 2012
EDRMS
HPC PCSR2 Sub-chapter 10.4 - Other Features
of Steam and Power Conversion Systems, Issue
1, April 2012
EDRMS
10.8
HPC PCSR2 Sub-chapter 10.7 - Main Steam
and Feedwater Lines Secondary System
Chemistry, Issue 1, May 2012
EDRMS
10.9
EDRMS
Page 113 of 230
Head Document
11
DISCHARGES AND WASTE/SPENT FUEL
11.1
Summary
This section of the Head Document summaries the safety functional roles, discharges
and disposals, and gives an overview of facilities and systems, related to radioactive
waste and interim storage of solid waste and spent fuel, as described in Chapter 11 of
HPC PCSR2. It relates to operational discharges and wastes (and not those arising from
decommissioning, which are covered in Chapter 20).
The liquid and gaseous radioactive waste management systems ensure that activity
released to the environment complies with the permitted discharge limits, and so
contribute to the MSF of containment of radioactive material during normal operation and
fault conditions. These treatment systems also minimise operator exposure to radiation
during normal operation, shutdowns and post-accident situations.
In addition, the Nuclear Vent and Drain System (RPE [NVDS]) and the TEG [GWPS]
form part of the third containment barrier. They ensure containment isolation at the
containment penetrations (for the TEG [GWPS] these are the parts of the system
connected to the pressuriser and the Reactor Building primary effluent tank). The
TEG [GWPS] also limits the hydrogen concentration in connected systems to prevent
the formation of explosive mixtures.
The solid waste systems and facilities allow the safe handling, conditioning, packaging
and interim storage of solid waste pending off-site disposal, and so contribute to the
MSF of containment of radioactive material during normal operation and fault conditions.
These packages, systems and facilities must also minimise operator exposure to
radiation.
The ISFS supports all three MSFs:
x
Control of fuel reactivity to ensure subcriticality,
x
Fuel heat removal,
x
11.1.2 Discharges and Disposals
The limits and levels for radioactive liquid and gaseous discharges are described in the
NNB GenCo submission applying for a Radioactive Substances Regulations (RSR)
permit [Ref. 11.1]. For the discharge of liquid and gaseous chemical effluents, the
standards to be met are set out in the Water Discharge Activity (WDA) and the
Combustion Activity permit applications respectively [Refs. 11.2 & 11.3]. As such,
Chapter 11 of HPC PCSR2 merely recaps the information primarily presented
elsewhere.
For solid waste the activities and volumes of ILW and Low Level Waste (LLW) have
been conservatively estimated. Assurance of disposability in principle has been obtained
for the various LLW streams. The transfer of LLW off-site is captured within the
Integrated Waste Strategy (IWS) [Ref. 11.4] and as part of the RSR submission, and is
summarised for HPC PCSR2.
Page 114 of 230
Head Document
ILW and spent fuel will be stored on site in interim storage facilities until a Geological
Disposal Facility (GDF) becomes available. Thus for ILW, a conditioning proposal is
necessary to demonstrate that waste packages will be compatible with the future
planned disposal options. This is submitted through the Letter of Compliance process
with the NDA Radioactive Waste Management Directorate (RWMD). NNB GenCo has
commenced the first stage of this process for HPC. Again, Chapter 11 of HPC PCSR2
merely recaps the information primarily presented elsewhere.
The number of spent fuel assemblies arising from 60 years operation of two units at
HPC and the resulting number of disposal canisters has also been estimated, dependent
on fuel burn-up. This has been the subject of a disposability assessment by RWMD
during the GDA process, and is summarised in Sub-chapter 11.5 of HPC PCSR2
[Ref. 11.5].
11.1.3 Overview of Facilities and Systems14
11.1.3.1 Treatment Systems
Waste treatment systems inside the nuclear island buildings – except the Effluent
Treatment Building (ETB) and OSC – are dedicated to a single unit and are unchanged
from Consolidated GDA PCSR 2011 at the site-specific level. Therefore the following
systems are present on both Unit 1 and Unit 2:
x
Segregation of liquid effluents in the -RPE [NVDS],
x
Primary coolant treatment in the -TEP [CSTS],
x
Gaseous effluent treatment in the -TEG [GWPS],
x
Waste collection and sorting, filter handling and spent resin transfer by the Solid
Waste Treatment System (-TES [SWTS]),
x
Ventilation systems of the buildings.
The waste treatment systems in the ETB and/or OSC are designed for two units at the
generic UK EPR stage and are also unchanged at the site-specific level. The following
systems are present in the ETB:
x
Segregation of liquid effluents in 9RPE [NVDS],
x
The primary effluent
(9TEU [LWPS]),
x
The conditioning of solid waste by the 9TES [SWTS] shared by both units,
x
Ventilation systems of the buildings.
treatment
in
the
Liquid
Waste
Processing
System
The following ETB areas are also common to the two units:
x
Conditioning rooms and tools,
x
Buffer storage of LLW before despatching off site,
x
Buffer storage of ILW during grout drying before interim storage in the ILW building.
14
Note: systems or part of systems located within HPC unit buildings are prefixed by the appropriate unit number or, to denote the
same set of components across all units, no prefix or the prefix “-“ is used. The systems or parts of a system located within HPC sitespecific buildings are denoted by “0”, and those residing within buildings which are shared by the two units (ETB and OSC notably)
are prefixed by a “9” if shared by units 1 and 2, and “8” if shared by unit 3 and 4, and “7” if shared by units 6 and 7.
Where relevant references for shared systems are taken from Flamanville 3, systems or parts of a system residing within buildings
which are shared by two units are prefixed by “8” because the prefix “9” has already been used for systems or parts of a system
residing within buildings which are shared by the two units FLA1 and FLA2. In all other respects, except the numbering prefix, these
references are deemed applicable to HPC.
Page 115 of 230
Head Document
This allows the sharing of facilities and equipment as much as possible, and
consequently the number of areas in which radioactive waste is stored and handled is
limited.
The above is explained further in Sub-chapter 11.4 [Ref. 11.6].
11.1.3.2 Effluent Treatment Building
The ETB adjoins the EPR Unit 1 NAB, which ensures a direct transfer of radioactive
spent filters from Unit 1 into the conditioning room (9TES [SWTS]) by the Filter Handling
Machine. The ETB comprises two connected buildings, HQA and HQB. Due to layout
constraints on the site it is not possible to adjoin the ETB to the second EPR unit’s NAB
as well. Thus, it has been determined through specific ALARP studies [Refs. 11.7 &
11.8] that resins will be flushed through piping in a gallery between Unit 2 and the ETB,
and solid radioactive waste (LLW and ILW, including spent filters) will be transported
from the Unit 2 NAB (2TES [SWTS]) to the conditioning room of ETB (9TES [SWTS]).
This is consistent with Consolidated GDA PCSR 2011, which is for an ETB that is
sufficiently sized to service two units. In order to transport the containers safely and
avoid any spillage of radioactive material, pre-conditioning of solid ILW will be performed
in a dedicated building to be constructed adjacent to Unit 2 that will duplicate a part of
the standard ETB. This will be considered part of the 2TES [SWTS] system. This
building is known as HQC and is described in Technical Specification – Waste
Treatment Building of Unit 2 (HQC) [Ref. 11.9]. The final conditioning of ILW
(encapsulation) will then be performed in the ETB adjacent to Unit 1 (9TES [SWTS]).
Further information on the site-specific buildings, such as the HQC, can be found in
Chapter 3 and the HPC Building and Structures Safety Classification Summary Report
[Ref. 11.10]; their location on the plot plan is indicated within HPC PCSR2 Sub-chapter
2.3 [Ref. 11.11].
11.1.3.3 Other Shared Facilities
The laundry and hot decontamination workshop are also shared between Unit 1 and Unit
2, known as the 0SBE system. These are two separate facilities within the HVL and HVD
Buildings respectively. Further detail is provided in Sub-chapter 11.4 [Ref. 11.6].
The laundry, hot decontamination workshop and the liquid effluent storage tanks building
have their own sampling system (0TEN) and (0RPE [NVDS]). Further details of the
0RPE [NVDS] can be found in Sub-chapter 11.4 [Ref. 11.6].
11.1.3.4 Liquid Effluent Storage and Discharge Tanks
The liquid effluent storage and discharge tanks are shared between the two units and
are accommodated in the HXA Building. Sizing studies have determined that the
following are required:
x
Three Liquid Radwaste Monitoring and Discharge System (0KER [LRMDS]) tanks for
primary effluent from 9TEU [LWPS], APG [SGBS], 0SBE and the ISFS,
x
Two 0SEK [CILWDS] tanks for secondary effluent from the conventional island, floor
drains 3 from RPE [NVDS] and effluent from the ASG [EFWS],
x
Three Additional Liquid Waste Discharge System (0TER [ExLWDS]) tanks provided
as backup storage capacity for 0KER [LRMDS] and 0SEK [CILWDS], which also
allow transfer to the 9TEU [LWPS] for further treatment.
This is further explained in HPC PCSR2 Sub-chapter 11.4, and detail on the HXA
Building can be found in the Overall Description of KER-TER-SEK tanks building (HXA)
[Ref. 11.12].
Page 116 of 230
Head Document
11.1.3.5 Liquid Discharges
Liquid discharge takes place from the storage and discharge tanks in the ‘discharge
pond’, where it is mixed with the main heat sink cooling water before it reaches the sea.
The design of the storage tanks discharge outlet is site-specific, as it is related to the
location of the tanks and on the heat sink design itself. The tanks’ discharge pipes will
be installed in a buried concrete gallery leading to a surface concrete trench until they
reach the discharge pond. The design studies for the galleries and discharge pond of
HPC will be part of the Technical Galleries and outfall structures design [Ref. 11.13].
This is further explained in Sub-chapter 11.4 [Ref. 11.6].
Proposed limits for liquid discharges in operation are presented in Sub-chapter 11.3
[Ref. 11.14].
11.1.3.6 Gaseous Discharges
Gaseous discharge is linked to the process by the TEG [GWPS] and the HVAC systems
for each of the buildings. The TEG [GWPS] is further described in Sub-chapter 11.4
[Ref. 11.6]. The gaseous discharge to atmosphere is made through the nuclear island
stack. The nuclear island stack height depends on the site environment and is given in
Section 9 of this document; the stack and HVAC systems are described in Sub-chapter
9.4 [Ref. 11.15].
Proposed limits for gaseous discharges in operation are presented in Sub-chapter 11.3
[Ref. 11.14].
11.1.3.7 Solid Radioactive Waste
The treatment of solid waste is divided between TES [SWTS] and 9TES [SWTS]. A short
summary is provided below with further detail provided in Sub-chapter 11.4 [Ref. 11.6].
Filter handling and spent resin transfer from the NAB to the ETB are carried out by the
TES [SWTS]. As Unit 2 and the ETB are not adjacent, the 2TES [SWTS] also comprises
a pre-conditioning unit located in HQC. Here wastes are placed in concrete drums
closed with a temporary biological plug or metallic boxes (these may be shielded
depending on dose rates). On both units the TES [SWTS] also contains a glove box to
sort operational waste.
The conditioning of solid waste is carried out by the 9TES [SWTS], which is located on
Unit 1 within the ETB. This conditioning may involve the installed encapsulation cell, or a
mobile encapsulation machine known as MERCURE (used specifically for resins). The
9TES [SWTS] also includes two storage tanks for spent resins and two storage tanks for
evaporator concentrates arising from the operation of 9TEU [LWPS]. In addition
9TES [SWTS] provides a shredder and a compactor.
At HPC 9TES [SWTS] will also accommodate the facility for conditioning evaporator
concentrates and sludges, but this is still subject to further design work from the GDA
reference case. A solution is available from the EDF 900MW fleet that involves some
minor modifications to the encapsulation cell (described in HPC PCSR2 Sub-chapter
11.4) or alternatively a mobile process could be adopted.
The two tables below summarise the HPC systems involved and the off-site disposal
route for each waste stream (for LLW and ILW respectively).
Page 117 of 230
Head Document
For LLW:
LLW waste stream
HPC systems involved in
treatment/storage
Off-site disposal route
Air filters
Sorting, shredding and/or
compaction as required
Supercompaction & then Low Level
Waste Repository (LLWR)
LLWR
Water filters
Operational waste
(combustible and noncombustible)
Fuel Handling Machine followed
by sorting, shredding and/or
LLWR
Sorting, shredding and/or
LLWR
Incineration
Supercompaction & then LLWR
Incineration
Resins
Transfer into ‘big bags’
Very Low Level Waste (VLLW)
landfill site (if route available)
Transfer into plastic drums
Incineration
9TES modification (metal drum)
LLWR
Mobile process (to be defined)
LLWR
9TES modification (metal drum)
LLWR
Mobile process (to be defined)
LLWR
Engineering wastes/scraps
HVD
Metal recycling
Oil and solvents
Packaging for off-site transfer
Incineration
Sludges
Evaporator concentrates
Grey text indicates design development required from GDA reference case
For ILW:
ILW waste stream
HPC systems/buildings involved in
treatment/storage
Off-site disposal route
Water filters
Fuel Handling Machine, 9TES, HHI #
GDF
Operational waste
Sorting, 9TES, HHI
Resins
Transfer to MERCURE, HHI
GDF
Sludges
1. 9TES modification, HHI
GDF
2. Mobile Process, HHI
GDF
Note:
#
GDF
#
a subset of waste may be selected for unconditioned decay storage in HHI for future processing as
LLW (see LLW table)
Grey text indicates design work required from GDA reference case
11.1.3.8 LLW
LLW will be collected, segregated according to waste activity categorisation, and stored
at dedicated locations in the ETB. It will be stored in these areas only until sufficient
quantities have accumulated for an on-site treatment campaign to start or for shipment
off site.
Page 118 of 230
Head Document
Treatment on site may involve shredding, compacting or conditioning.
Off-site shipment will be to the most appropriate facility for treatment (such as
supercompaction, metal recycling or incineration) or to the LLW Repository (LLWR) near
Drigg in Cumbria for disposal.
The LLW strategy is discussed further in Sub-chapter 11.2 [Ref. 11.16]. For each LLW
stream the table above identifies the HPC systems involved in treatment and processing
appropriate to the preferred off-site disposal route.
11.1.3.9 ILW and the Interim ILW Store
The ILW produced during reactor operation will be stored in the ETB until packaging and
conditioning has been performed. This conditioning will be on a campaign basis in the
ETB. It involves the use of a polymer for ion-exchange resins and cementitious grouts
for other ILW wastes (e.g. filters, dry active waste) to encapsulate the ILW within
concrete containers. Self-shielding concrete containers, C1PG and similar but smaller
C4PG (reduced diameter), are proposed for the packaging of ILW at HPC. After
encapsulation the concrete containers will be dried for about one month in the ETB. The
ILW strategy is discussed further in Sub-chapter 11.2 [Ref. 11.16]. For each ILW stream
the table above summarises the HPC systems involved in treatment and processing
appropriate to the preferred final off-site disposal route.
Thereafter, ILW will be transferred to an Interim ILW Store, to be constructed on site,
until a GDF is available. Sub-chapter 11.5 [Ref. 11.5] presents a conceptual design for
such an ILW building, which can store the ILW from 60 years operation of two EPR
units. This building is known as HHI. The facility is discussed in detail within Sub-chapter
11.5 (Section 1) [Ref. 11.5].
For lower activity waste (filters, dry active waste) that is ILW at the point of production,
but could be safely stored and re-processed as LLW over a reasonable timescale, the
option of unconditioned decay storage in suitable packages in the Interim ILW Store is to
be considered for implementation. This has benefits in terms of waste volume
minimisation and the possibility to adopt alternative disposal routes for such waste once
decayed to LLW (e.g. compaction, incineration, LLWR). The impacts on the ILW building
and the 9TES [SWTS] require further study. The Forward Work Activities for this facility
are detailed in Sub-chapter 11.5 (Section 1) [Ref. 11.5].
11.1.3.10
Spent Fuel and the Interim Spent Fuel Store (ISFS)
Spent fuel from the two units at HPC will need to be managed from the time it is
discharged from the reactor until it can be disposed. This will involve storing the spent
fuel for a period in the Fuel Building and thereafter in a dedicated interim facility until it
can be emplaced within a GDF.
A wet ISFS will be built on the HPC site, having the capability to store for about
100 years the spent fuel arising from the operation of the two EPR units. This storage
building is known as HHK. The design is currently at a conceptual level. The latest HPC
developments on the ISFS are reported in detail within Sub-chapter 11.5 (Section 2)
[Ref. 11.5].
The ISFS will have its own liquid effluent collection and treatment systems, but will rely
on the site storage tanks and site discharge until the end of generation at HPC. Gases
from the ISFS will be extracted via the ISFS ventilation system and exhausted via the
ISFS stack. Regarding solid waste from the ISFS, ion exchange resins will be
conditioned within the ISFS (using the MERCURE mobile conditioning plant), and during
generation at HPC dry solid waste will be transferred by road vehicles to the ETB for
treatment in temporarily sealed concrete containers. This is justified in Sub-chapter 11.5
Page 119 of 230
Head Document
(Section 2), where details can also be found regarding the autonomous phase of ISFS
operation following the end of generation at HPC.
11.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapter 11.0
[Ref. 11.17] and in HPC PCSR2 Sub-chapters 11.2-11.5 [Refs. 11.16, 11.14, 11.6 &
11.5]. Consolidated GDA PCSR 2011 Sub-chapter 11.1 [Ref. 11.19] deals with sources
of radioactive materials; this information has been relocated (see Section 11.2.1 below)
and there is no equivalent sub-chapter within HPC PCSR2. Figure 12 illustrates the
Only Consolidated GDA PCSR 2011 Sub-chapter 11.0 Safety Requirements is
applicable to HPC PCSR2. It is noted however that safety aspects related to spent fuel
are not covered. These are now dealt with in replacement HPC PCSR2 Sub-chapter
11.5. It is noted that safety aspects for effluent and waste treatment systems are detailed
in HPC PCSR2 Sub-chapter 11.4. References to UK regulations and classifications are
not always completely up to date within the GDA sub-chapter.
The text related to source terms from Consolidated GDA PCSR 2011 Sub-chapter 11.1
Sources of Radioactive Material has been moved to Chapter 12, specifically HPC
PCSR2 Sub-chapter 12.2. This was considered a more logical alignment as the data are
primarily used in worker dose and radiological consequences assessments. Any isotope
information relevant to radioactive discharges is now incorporated within the
replacement HPC PCSR2 Sub-chapter 11.3.
Consolidated GDA PCSR 2011 Sub-chapter 11.2 Details of the Effluent Management
Process has been updated for HPC PCSR2 in respect of text on solid waste and spent
fuel strategy. In addition, a discrepancy between Sub-chapters 5.5 and 11.2 in the
discussion of circuit conditioning has been addressed. The GDA PCSR title has been
changed as radioactive waste in all its forms is addressed (not just liquid and gaseous
forms as implied by ‘effluents’). Information on chemical effluents is not a nuclear safety
issue but is included in Sub-chapter 11.2 for completeness/consistency with
Consolidated GDA PCSR 2011. Any polluted secondary circuit water in the steam
generators is drained via the APG [SGBS] and will be treated appropriately.
Consolidated GDA PCSR 2011 Sub-chapter 11.3 Outputs for the Operating Installation
has been rewritten and renamed for HPC PCSR2 to reflect the proposed HPC limits in
the RSR permit application for liquid and gaseous waste [Ref. 11.1]. The update also
includes the proposed HPC limits in the Combustion Activity and the WDA permit
applications [Refs. 11.3 & 11.2]. It now also gives the site-specific solid waste volumes in
line with the NNB GenCo IWS [Ref. 11.4]. Information on chemical effluents is not a
nuclear safety issue but is included in Sub-chapter 11.3 for completeness/consistency
with Consolidated GDA PCSR 2011.
Consolidated GDA PCSR 2011 Sub-chapter 11.4 Effluent Waste Treatment Systems
has been updated in the HPC PCSR to include all the site-specific system differences for
HPC. Some site-specific aspects and systems described are not yet part of the
reference design definition, but the sub-chapter was updated with the fullest design
description available to date.
GDA Sub-chapter 11.5 Interim Storage Facilities and Disposability for the UK EPR has
been rewritten and renamed to reflect the latest HPC developments on disposability and
the interim storage facilities (ISFS and Interim ILW Store). In respect of hazards, HPC
Page 120 of 230
Head Document
PCSR2 Sub-chapter 11.5 and its supporting references were produced before HPC
PCSR2 Chapter 13 was finalised and as such the list of hazards is not completely
aligned for the ISFS. This will be corrected during the ISFS basic design stage.
Consolidated GDA PCSR 2011 Chapter 11 is identical in content to Chapter 6 of the
GDA Pre-Construction Environmental Report (PCER). As such the data presented
therein was submitted for assessment by the ONR and the EA.
There are six items in the GDA Out-of-scope letter of April 2011 [Ref. 11.18] that are
relevant to the waste and spent fuel area. These are listed below, along with the NNB
GenCo position on how these are being carried forward:
x
Detailed design of Waste Treatment Building and NAB.
An update on the design progress for the Waste Treatment Building (referred to as
Effluent Treatment Building (ETB)), and the systems within it, is provided in HPC
PCSR2 Sub-chapter 11.4. Interfaces with the NAB are also identified.
x
Stack calculations (height/characteristics).
An update on the NAB stack height is provided in Section 9 of the this document. An
update on the stacks for the interim storage facilities is provided in HPC PCSR2 Subchapter 11.5 Sections 1 and 2.
x
Choice of waste conditioning options.
An update on the waste conditioning options is provided in HPC PCSR2 Sub-chapter
11.4 and the solid waste strategy is summarised in Sub-chapter 11.2.
x
Licensing and detailed design of interim storage facilities.
An update on the design progress for the interim storage facilities is provided in HPC
PCSR2 Sub-chapter 11.5 Sections 1 and 2.
x
Letter of Compliance process with RWMD.
A short update on this item is provided in HPC PCSR2 Sub-chapter 11.5 Section 3
for completeness. However the process for achieving full Letter of Compliance 1 to 3
is outside the remit of the PCSR and subsequent safety reports.
x
Laundry.
An update on the design progress for this facility is provided in HPC PCSR2 Subchapter 11.4.
11.3
Route Map
The HPC PCSR2 Chapter 11 route map shows the following sub-chapters:
x
Sub-chapter 11.0 Safety Requirements [Ref. 11.17] gives the main requirements and
safety aspects related to the waste treatment systems.
x
Sub-chapter 11.2 Details of the Radioactive Waste Management Process and
Strategy [Ref. 11.16] gives an overall description of how effluent/waste is collected,
treated and discharged, depending on its characteristics. It is an overview of the
‘collect-treatment-discharge’ process.
Page 121 of 230
Head Document
11.4
x
Sub-chapter 11.3 Waste Generation, Discharges and Disposals from HPC
[Ref. 11.14] gives the amounts of solid waste (volume and types) produced and the
proposed performances and limits of liquid and gaseous effluents.
x
Sub-chapter 11.4 Effluent and Waste Treatment Systems [Ref. 11.6] gives a detailed
description of all systems concerned with the collection and/or treatment and/or
discharge of effluent/waste.
x
Sub-chapter 11.5 Interim Storage Facilities and Disposability [Ref. 11.5] is a UKspecific sub-chapter that gives the principles of the solid radioactive waste and spent
fuel management strategy.
Conclusions
The liquid and gaseous radioactive waste management systems contribute to the safety
function of containment of radioactive material by limiting the release of radioactive
effluents to comply with permitted discharge limits. Solid waste systems and facilities
provide for safe handling, conditioning, packaging and interim storage.
NNB GenCo has presented justifications for its waste and spent fuel strategies, and has
demonstrated disposability in principle for solid LLW and ILW.
A strategy for transferring spent resins and solid waste (including filters) from Unit 2 to
the ETB has been determined through specific ALARP studies. Furthermore, a technical
specification has been developed for the Unit 2 Waste Treatment Building (HQC), which
will pre-condition solid ILW, and studies have determined requirements for the
KER-TER-SEK Tanks Building (HXA) and the associated discharge routes.
Within the 9TES [SWTS] the conditioning of evaporator concentrates and sludges is
subject to further design work. Also NNB GenCo has plans to further develop the design
and safety case for the interim storage facilities for waste (including the requirement to
store unconditioned ILW) and spent fuel (incorporating lessons from the Fukushima
accident).
Progress on continuing design work for site-specific waste and spent fuel facilities is
given in HPC PCSR2 Chapter 11.
NNB GenCo is confident that the safety functions of the effluent and waste systems can
be met, that the design is sufficiently well developed and the design basis described in
HPC PCSR2 gives an adequate baseline safety justification to support this.
11.5
Ref
References
Title
Location
Document No.
11.1
Radioactive Substances Regulations (RSR)
permit application – Submission Summary,
Issue 2, July 2011
EDRMS
NNB-OSL-REP-000169
11.2
Water Discharge Activity (WDA) permit
application, Issue 1, Sept 2011
EDRMS
NNB-OSL-REP-000347
11.3
Combustion Activity (CA) permit application,
Issue 1, July 2011
EDRMS
NNB-OSL-REP-000252
11.4
Integrated Waste Strategy, Issue 1, July 2011
EDRMS
NNB-OSL-STR-000015
11.5
Sub-chapter 11.5 - Interim Storage Facilities
and Disposability, Issue 1, Sept 2012
EDRMS
11.6
Sub-chapter 11.4 - Effluent and Waste
Treatment Systems, Issue 1, Sept 2012
EDRMS
Page 122 of 230
Head Document
Ref
Title
Location
Document No.
11.7
ALARP Demonstration for ILW Transfers from
HQC Unit 2 to HQA-HQB Unit 1, Revision B,
Oct 2010
EDRMS
11.8
ALARP Demonstration for Resin Transfer
from Unit 2 to the ETB, Revision D, Oct 2011
EDRMS
11.9
Technical Specification – Waste Treatment
Building of Unit 2 (HQC), Revision C, July
2012
EDRMS
11.10
EPR-HPC Building and Structures Safety
Classification Summary Report, Rev A
EDRMS
ECEIG111827
11.11
EDRMS
HPC-NNBOSL-U0-ALL-RET000001
11.12
Overall Description of KER-TER-SEK tanks
building (HXA), Revision A, March 2011
EDRMS
11.13
EPR UK HINKLEY POINT C - Discharges of
KER, SEK liquid waste into the cooling water
outfall structure – Layout, Revision A, April
2011
EDRMS
11.14
Sub-chapter 11.3 - Waste Generation,
Discharges and Disposals from HPC, Issue 1
Sept 2012
EDRMS
11.15
Sub-chapter 9.4 - Heating, Ventilation and Air
Conditioning Systems, Issue 1 Sept 2012
EDRMS
11.16
HPC PCSR2 Sub-chapter 11.2 - Details of the
Radioactive Waste Management Process and
Strategy, Issue 1 Sept 2012
EDRMS
11.17
Consolidated GDA PCSR Sub- chapter 11.0,
EDRMS
UKEPR-0002-110-I03
11.18
th
EPR for GDA, Dated 15 April 2011
EDRMS
ND(NII) EPR00836N
11.19
Consolidated GDA PCSR Sub-chapter 11.1
EDRMS
UKEPR-0002-111-I03
Page 123 of 230
Head Document
12
RADIOLOGICAL PROTECTION
12.1
Summary
The Ionising Radiations Regulations 1999 [Ref. 12.1] and supporting Approved Code of
Practice [Ref. 12.2] provide the framework for the radiological protection of workers and
members of the public in the UK. They include a duty to keep exposures ALARP and
among other requirements set legal limits on individual exposures.
The underpinning concept in radiation protection is a hierarchy of control measures and
design principles for restricting exposures. First and foremost this involves appropriate
engineering controls and design features, then supporting systems of work and lastly
personal protective equipment.
Radiation protection in Consolidated GDA PCSR 2011 is founded on the safety case
that is derived from the significant operational experience feedback from EDF’s French
PWR fleet. The UK EPR is an evolutionary design that incorporates design optimisation
and engineering control improvements (e.g. primary circuit materials selection and water
chemistry control; shielding devices; improved serviceability of components) to reduce
exposures to ALARP levels. Information is presented to substantiate these conclusions,
and a collective dose target of 0.35 man-sieverts per reactor per year has been set.
Systems of work and personal protective equipment are operational matters that will be
developed and implemented by NNB GenCo at the appropriate times as part of the site
licence requirements. These will be underpinned by policy standards and processes
based on national and international best practice and guidance, as well as legislative
compliance, for ensuring the safety of workers and that any exposure to ionising
radiation will be adequately managed and kept ALARP.
Radiation protection at HPC will be compliant with NNB GenCo’s NSDAPs [Ref. 12.3],
which incorporate SDOs that are consistent with regulatory requirements for judging
whether radiological hazards are adequately controlled and risks are ALARP.
12.2
Radiation protection for the UK EPR design is presented in Consolidated GDA PCSR
2011 Sub-chapters 12.0-12.5 [Refs. 12.4-12.9]. For HPC PCSR2, Sub-chapter 12.2 has
been revised [Ref. 12.10] and a new sub-chapter introduced on doses to the public for
normal operation [Ref. 12.11]. Figure 13 illustrates the document structure for
Chapter 12.
Consolidated GDA PCSR 2011 Sub-chapters 12.0, 12.1, 12.3, 12.4 and 12.5 are
applicable to HPC, albeit with the following noted:
x
Sub-chapter 12.0 Section 1 tabulates regulatory dose limits, but does not include
limits for all classes of person. There are other legal limits for specific groups of
people,
x
NNB GenCo is reviewing the radiation protection zoning scheme defined in Subchapters 12.0 and 12.3 (see HPC PCSR2 Forward Work Activities report
[Ref. 12.12]).
Page 124 of 230
Head Document
x
Sub-chapters 12.1 and 12.4 omit reference to zinc injection for primary circuit
conditioning (although this is included in Sub-chapter 5.5). Zinc injection will be
referenced in the Final GDA PCSR.
x
Passivation of the primary circuit before initial start-up is mentioned in Sub-chapter
12.1 as a source term reduction measure. A GDA Assessment Finding (although not
in the radiation protection topic area) has been raised on the subject of passivation
for the UK EPR design and work is ongoing to clarify the means and conditions by
which passivation will be achieved.
x
Sub-chapter 12.3 omits reference to the KRT [PRMS] requirements associated with
the HXA tanks and the laundry. This is because these facilities are in site-specific
buildings.
HPC PCSR2 Sub-chapter 12.2 has been developed from Consolidated GDA PCSR
2011 Sub-chapter 12.2. Introductory text and Section 1 have been revised with the
objective of consolidating primary circuit source term information for HPC PCSR2 within
this sub-chapter. It incorporates information on source term definition from Consolidated
GDA PCSR 2011 Sub-chapter 11.1 (Introductory text and Section 1) and references two
recent supporting documents [Refs. 12.13 & 12.14] that respectively provide analyses to
substantiate the primary circuit source term and how the source term is used in the
different safety case topic areas.
GDA Out-of-scope Items in the radiation protection topic area are the following
[Ref. 12.15]:
1)
Operator dependent items:
a) Operating equipment selection and comparison of existing suppliers,
b) Operation and maintenance practices (e.g. use of jumpers in high radiation
locations),
c) Decontamination practices,
d) Temporary shielding and optimisation of maintenance work.
2)
Topics with no design requirements:
a) Individual dose and its optimisation,
b) Optimisation of dose in accidents.
3)
Protection of the public (doses in normal operation and during accidents and
optimisation, other than from direct shine).
4)
Site-specific Level 3 PSA.
For items 1 and 2, NNB GenCo has started to establish a company radiological
protection framework. This includes a radiological protection policy statement and
standards as a model for developing a programme and procedures for delivering training
and supervision, for developing arrangements for access into radiological areas affecting
contamination control, and for establishing a dose restriction level for workers
[Ref. 12.16]. NNB GenCo will be developing radiological protection procedures and
arrangements for meeting its commissioning and operational needs within the
appropriate timescales.
Page 125 of 230
Head Document
NNB GenCo will operate HPC site-specific buildings (i.e. those not included in GDA) to
the same radiological protection principles as the nuclear island, with levels of control
and other requirements proportionate to the risks.
For item 3, doses to the public for normal operation, including from direct shine, are
given in a new Sub-chapter 12.6. Doses to the public from accidents are addressed in
Sub-chapter 14.6 and Chapter 16.
For item 4, Sub-chapter 15.5 addresses Level 3 PSA (on-site and off-site risks and
societal risk) due to postulated accidents.
12.3
Route Map
Radiation protection for the UK EPR is presented in HPC PCSR2 Chapter 12, arranged
as follows:
x
Sub-chapter 12.0 Radiation Protection Requirements [Ref. 12.4] describes the UK
regulatory framework and requirements relating to radiation protection.
x
Sub-chapter 12.1 Radiation Protection Approach [Ref. 12.5] describes the principles
underpinning the approach to radiation protection.
x
Sub-chapter 12.2 Definition of Radioactive Sources in the Primary Circuit [Ref. 12.10]
presents the primary circuit radioactive source terms that are the basis of dose rate
calculations and radiation exposures, as well as the radiological consequences of
accidents described in Sub-chapter 14.6. Sub-chapter 5.5 includes additional
information on the origin of radionuclides that make up the primary circuit source
terms, and describes in more detail the design and operational improvements
selected to optimise primary circuit chemistry, and hence the primary circuit
inventory. The chemical and material improvements for the auxiliary systems are
provided in new Sub-chapters 6.9 and 9.6 of HPC PCSR2.
x
Sub-chapter 12.3 Radiation Protection Measures [Ref. 12.7] describes the radiation
protection measures used to restrict radiation exposure of workers. It covers the
radiological zoning scheme and classification of rooms, design rules, radiation
shielding provisions, ventilation and monitoring.
x
Sub-chapter 12.4 Normal Operation Dose Optimisation for Workers [Ref. 12.8]
describes the approach to collective dose optimisation and the effects that
developments implemented in the UK EPR design have on dose uptake. It also
summarises the dose uptake results from the optimisation study.
x
Sub-chapter 12.5 Post-Accident Accessibility [Ref. 12.9] defines the systems and
their components for which access is required in long-term post-accident situations
and specifies accessibility conditions.
x
Sub-chapter 12.6 Normal Operation Dose Assessment for Public [Ref. 12.11] gives
public doses for normal operation of HPC and demonstrates how design optimisation
has included deploying techniques and arrangements to ensure doses are ALARP.
Doses to individual members of the public from HPC and the Hinkley Point site as a
whole are shown to meet regulatory constraints and to comply with NNB GenCo’s
NSDAPs SDO-3. This new sub-chapter addresses GDA Out-of-scope Item 3 for
radiation protection.
Cross-referencing to related information in new HPC PCSR2 sub-chapters is not present
in those Chapter 12 sub-chapters that are unchanged from Consolidated GDA PCSR
2011.
Page 126 of 230
Head Document
12.4
Conclusions
The radiation protection of workers and members of the public is framed by UK
legislation that sets limits on individual exposures and includes a duty to keep exposures
ALARP.
The UK EPR incorporates various design optimisation and engineering control
improvements (including those to control the primary circuit radioactive inventory) to
reduce exposures to ALARP levels. Site-specific buildings at HPC will be operated to the
same radiological protection principles as the nuclear island.
Operational control measures (systems of work and personal protective equipment) for
ensuring the safety of workers, and for complying with the ALARP principle for any
exposure, are to be developed for meeting commissioning and operational needs.
The demonstration of design optimisation and the radiation protection measures and
analysis presented in Chapter 12 provide confidence that the SDO numerical targets laid
out in the NSDAPs will be met for HPC.
12.5
Ref
References
Title
Location
Document No.
12.1
The Ionising Radiations Regulations 1999.
Statutory Instruments 1999 No. 3232.
http://www.legislation.gov.
uk/id/uksi/1999/3232
N/A
12.2
Work with ionising radiation. Ionising Radiations
Regulations 1999 Approved Code of Practice
and guidance, HSE.
http://www.hse.gov.uk/pub
ns/books/121.htm
N/A
12.3
NNB GenCo Nuclear Safety Design Assessment
Principles (NSDAPs), Issue 1, Feb 2012
EDRMS
12.412.9
Consolidated GDA PCSR Issue 03, March 2011,
EDF/AREVA
Sub-chapter 12.0 - Radiation Protection
Approach
Sub-chapter 12.2 – Definition of Radioactive
Sources in the Primary Circuit
Measures
Sub-chapter 12.4 - Normal Operation Dose
Optimisation for Workers
Sub-chapter 12.5 - Normal Operation Dose
Assessment for Public
EDRMS
12.10
Sub-chapter 12.2 - Definition of Radioactive
Sources in the Primary Circuit, Issue 1, June
2012
EDRMS
12.11
HPC PCSR2 Sub-chapter 12.6 - Normal
Operation Dose Assessment for Public , Issue 1,
June 2012
EDRMS
12.12
Nov 2012
EDRMS
12.13
Analysis of UK EPR¥ source term:
identification, quantification and characterisation,
ECEF110448 Revision A, 2011, EDF.
EDF NNB V
ECEF110448
12.14
Use of source term in the different GDA areas,
ECEIG101686 Revision B, 2010, EDF.
EDF NNB V
ECEIG101686
12.15
EDRMS
NNB-OSL-STA-000003
UKEPR-0002-120-I03
UKEPR-0002-121-I03
UKEPR-0002-122-I03
UKEPR-0002-123-I03
UKEPR-0002-124-I03
UKEPR-0002-125-I03
Page 127 of 230
Head Document
Ref
Title
Location
12.16
NSC Paper NNB GenCo Radiological Protection
Policy, NNBOSL-PAP-000061 Version 1.0, 2011,
NNB GenCo.
EDRMS
Document No.
NNBOSL-PAP-000061
Page 128 of 230
Head Document
13
HAZARDS PROTECTION
13.1
Summary
The hazards protection section of HPC PCSR2 presents the baseline safety justification
for why the proposed NPP is protected against both external and internal hazards that
may credibly occur at the HPC site (see Sub-chapters 13.1 & 13.2 respectively).
External hazards are those natural or man-made hazards that originate externally to the
site and its processes, and where NNB GenCo may have very little or no control over the
initiating event. Terrorist or other malicious acts are not assessed as they are part of a
dedicated security assessment that does not form part of the HPC PCSR2.
Internal hazards are those hazards to plant and structures that originate within the site
boundary and that have the potential to cause adverse conditions or damage inside
safety classified buildings. Moreover, events originating in other buildings, or outside
buildings, within the site boundary, are also considered as internal hazards.
The NSDAPs require that all internal and external hazards liable to affect reactor safety
should be taken into consideration at the design stage. The NSDAPs show that these
hazards should be considered at a return period of 10,000 years (natural hazards) or
100,000 years (man-made hazards), and that no near cliff-edge effects should be
observed. The hazards protection process ensures that all external and internal hazards
that could affect the plant are identified, and provisions are made within the design to
protect against the hazard, and to mitigate the consequences should the hazard occur.
This ensures that the risks posed by a hazard are reduced to ALARP and are, at the
very least, commensurate with the overall frequency and release targets specified within
the NSDAPs.
The general approach comprises the following steps:
x
Hazard identification with consideration of credible hazard combinations and a
hazard identification and screening process have been used to identify any potential
hazards specific to the HPC site that have not been identified within the GDA
process. This work [Ref. 13.1] demonstrates that, for the purposes of HPC PCSR2,
the newly derived external and internal hazards lists are complete and that the
process used to establish them complies with best practice,
x
Establishment of basic safety requirements,
x
Hazard consequence assessment (e.g. specific loads and environmental conditions)
and setting of design basis load cases to ensure protection of SSCs,
x
Design verification against hazards to confirm that the safety requirements laid out
within the PCSR have been fulfilled. This will be systematically performed on a caseby-case basis with the use of deterministic studies. These studies will concern
building and equipment responses, and functional impact analyses that will include
consideration of consequential internal faults (e.g. identification of internal faults
induced by an initiating internal fire hazard). This process is completed by
probabilistic analysis of relevant hazards. This design verification can lead to design
feedback.
The hazard design approach is used to determine prevention and protection features for
protecting the safety classified SSCs. The aim is to prevent a hazard from being the
cause of the loss of a safety function required to bring the reactor to a safe shutdown
state and limit radiological releases. Moreover a design objective is to prevent hazards
Page 129 of 230
Head Document
from triggering PCC-3 or PCC-4 events (PCC as taken into account in the DBA - see
HPC PCSR2 Chapter 14). Analyses need to be provided to demonstrate that, in the
event of a hazard, the functions required to bring the reactor to a safe shutdown state
and to limit radiological releases can be carried out satisfactorily. In practice protection is
achieved by appropriate sizing, redundancy, diversity and segregation, and applying
relevant good practice and relevant codes and standards.
Hazards are postulated to occur during normal operating conditions. The combinations
of hazards considered within the UK EPR design include three scenarios:
x
Combinations of physical phenomena inherent in the hazard,
x
Combinations of the hazard considered with potentially dependent internal or
external events or hazards,
x
Combinations of the hazard and independent internal or external initial conditions.
Where hazards directly affect the operator (e.g. toxic gases), the consequences are
addressed independently of the operating conditions. Whereas for hazards causing
damage to the equipment, the design philosophy is to ensure that the safety-related
functions required for meeting the safety objectives discussed in HPC PCSR2 Subchapter 3.1 are not unacceptably affected.
Development of the hazards protection safety assessment
HPC PCSR2 Sub-chapter 13.1 External Hazards Protection was developed from
Consolidated GDA PCSR 2011 Sub-chapter 13.1. This GDA work was produced for a
generic single unit site, and therefore the HPC PCSR2 external hazards protection
assessment also considers HPC-specific buildings/structures and hazards that were not
assessed within the GDA. Note however that hazards presented by the Interim ILW
Store and the ISFS have not been assessed yet due to their early stage of design. The
external hazards protection assessment will be undertaken during the detailed design
phase for those facilities.
Consolidated GDA PCSR 2011 Sub-chapter 13.2 Internal Hazards Protection [Ref. 13.3]
provides the description of protection against internal hazards identified within the GDA
PCSR. This sub-chapter sets out the overall objective of internal hazards protection,
which is to ensure that equipment required for performing the three MSFs (i.e. control of
fuel reactivity, fuel heat removal and containment of radioactive material) is suitably and
adequately protected against the adverse effects of internal hazards.
The design and installation objectives are to ensure that internal hazards do not:
x
Prevent F1 functions being fulfilled, even if the functions are not required after such
an event,
x
Trigger PCC-3/PCC-4 events (i.e. such events must be avoided where reasonably
practicable),
x
Jeopardise the divisional separation of safety trains.
The current GDA safety classification (F1 etc.) is based on the FA3 classification
scheme and will be reviewed and amended following resolution of the associated GDA
Issue (see the HPC PCSR2 Forward Work Activities report [Ref. 13.4]).
As a result of these requirements it follows that an internal hazard must not adversely
affect:
x
More than one element of a set of redundant F1 systems,
x
The stability/integrity of the:
Page 130 of 230
Head Document
o RCPB (except in the case of LOCA),
o Reactor internals, including the fuel assemblies,
o Main steam and feedwater water pressure boundary,
o SFP and its internal structures, including the fuel assemblies,
o Safety Class 1 structures and fire barriers,
o Components whose failure is excluded by design (HICs - see Sub-chapter 3.1).
In general terms, a sufficient number of safety functions must remain operational to
enable a safe shutdown to be achieved.
Consolidated GDA PCSR 2011 was produced for a generic single unit site, and
therefore an Internal Hazards Protection Summary Document [Ref. 13.2] has been
produced to supplement Consolidated GDA PCSR 2011 Sub-chapter 13.2 and to
address the site-specific characteristics. This notes that the HPC site:
x
Will contain two UK EPR units in close proximity (not the single generic EPR),
x
Includes an Interim ILW Store and an ISFS common to both units,
x
Will in future contain two units in different lifecycle stages or modes of operation (e.g.
HPC Unit 1 is in commissioning/operation while HPC Unit 2 is still in construction),
x
Will contain specific structures such as the pumping station, marine structures, as
well as various non-safety-related buildings.
This Internal Hazards Protection Summary Document [Ref. 13.2] presents the
consolidated list of internal hazards for the HPC site. It demonstrates that the
assessment of internal hazards is bounded by the approach and, where possible, the
assessment presented in Consolidated GDA PCSR 2011 Sub-chapter 13.2. Where the
HPC site-specific studies cannot be shown to be bounded by Consolidated GDA PCSR
2011, due to ongoing work in the GDA PCSR assessment itself or further HPC data
being required, the gap between the GDA and HPC designs is discussed and the
requirements for further analyses are identified. However, Reference 13.2 does not
address in detail the hazards to HPC Unit 1 presented by the construction of HPC Unit 2,
the Interim ILW Store and the ISFS. These issues will be addressed in future studies,
and will be included in the CSJs and in HPC PCSR3.
More information about the hazards protection in the safety report, its interfaces and the
corresponding Forward Work Activities are presented in the following sub-sections
separately for external hazards and internal hazards, and in the HPC PCSR2 Forward
Overall, the hazard protection philosophy is to design the plant to withstand the
applicable hazards wherever this is reasonably practicable. Where damage cannot be
prevented, the design ensures that there is redundancy and/or diversity in provision of
the required safety functions. It is considered that for the current stage of design the
management for hazards reduces risks to ALARP by applying the protection hierarchy,
seeking to eliminate, reduce, isolate, and control reasonably foreseeable hazards. In
particular the main safeguard systems have quadruple redundancy, and are segregated
and geographically separated in four Safeguard Buildings on three sides of the Reactor
Building. Furthermore, this four train design ensures adherence to the Single Failure
Criterion (whereby if one train is disabled due to maintenance and one train has failed,
there are still two redundant trains available to ensure plant withstand against a further
single failure). In addition, the aircraft protection shell provides protection for the Reactor
Buildings, Fuel Buildings, two of the four Safeguard Buildings on each unit, two trains of
Page 131 of 230
Head Document
the cooling water pump house for each unit and the ISFS. This constitutes an
improvement over previous designs on which the EPR is based.
GDA Assessment Findings and Resilience Enhancements Related to Hazards
Protection
The work undertaken to develop HPC PCSR2 Sub-Chapters 2.2 and 13.1 has included
addressing GDA Assessment Findings AF-UKEPR-CE-001, 002, 003, and 051, and
some of the ONR Chief Inspector’s recommendations following the Fukushima events.
Further work is ongoing to develop the hazards analysis for the UK EPR and the HPC
site in light of this incident (see the HPC PCSR2 Forward Work Activities report
[Ref. 13.4]).
13.1.1 HPC External Hazards List
The hazard identification process has used the results of the GDA process and
incorporated the results of the site-specific hazard identification [Ref. 13.1]. The table
below shows the source of these hazards (i.e. GDA PCSR or specific to the HPC site):
GDA
Hazard list
PCSR
Specific to the
HPC site
Earthquake:
x Short-period ground motion
9
x Long-period ground motion (LPGM)
9
x Liquefaction (as a result of earthquake)
9
x Capable faulting
9
Aircraft crash
9
Hazards associated with the industrial environment and
transport routes (which includes adjacent nuclear sites):
x Explosion
9
(in air)
9
(underwater)
x Missiles
9
x Off-site fire
9
x Chemical release (including radiological release)
9
x Ship collision
x Animal infestation
9
External flooding:
9
x Coastal flooding
9
x Rainfall and surface run-off
9
x High groundwater level
9
x Cooling Water System trip – surge event in the forebay
9
Extreme climatic conditions:
x Snow and frost
9
Page 132 of 230
Head Document
GDA
Hazard list
PCSR
Specific to the
HPC site
x Wind
9
x Snow and wind combined
x Wind generated missiles
9
x Tornado and waterspout
x Extreme cold (air and sea)
9
x Extreme heat (air and sea)
9
x Drought/low heat sink water level
9
x Mist/humidity
9
x Hail
9
x Freezing rain
9
x Fog
9
x Weather-induced LOOP
9
Lightning and EMI:
9
9
x Lightning
9
x EMI (anthropogenic/man-made and natural sources)
9
Heat sink specific hazards:
x Marine clogging
9
x Silting
9
x Frazil ice and freeze-up
9
x Hydrocarbon pollution
9
x Slope instability
9
x Collapse, subsidence or uplift
9
x Soil liquefaction
9
x Behaviour of foundation materials
9
x Site erosion
9
Ground engineering hazards:
The hazards list used in the HSSD is very similar but not identical to the final list of
hazards that evolved for Chapter 13, as the heat sink document was completed before
the PCSR2 Chapter 13 hazards list was finalised.
13.1.2 HPC Internal Hazards List
On the basis of the Consolidated GDA PCSR 2011 hazards list, and accounting for HPC
site conditions, a hazard screening exercise was performed [Ref. 13.1]. The list of
internal hazards considered for HPC is:
Page 133 of 230
Head Document
13.2
x
Internal missiles (due to failures of pressurised components and rotating
equipment15),
x
Pipework leaks and breaks,
x
Failures of tanks, pumps and valves,
x
Dropped or impacting loads,
x
Direct vehicular impacts from heavy transport within site,
x
Internal explosions,
x
Internal EMI/Radio Frequency Interference (RFI),
x
Internal fire,
x
Internal flooding,
x
Release of hazardous chemicals or noxious substances (from on-site sources).
The detail of this topic is given in HPC Sub-chapter 13.1 and Consolidated GDA PCSR
2011 Sub-chapter 13.2. Figure 14 illustrates the document structure for Chapter 13.
13.2.1.1 External Hazards
Sub-Chapter 13.1 of Consolidated GDA PCSR 2011 [Ref. 13.5] has been augmented
with site-specific information in order to produce site-specific Sub-chapter 13.1 for HPC
PCSR2. Section 13.2.2.1 provides a brief explanation on how the site-specific
information and GDA information has been amalgamated in order to provide the
complete external hazards protection baseline safety justification.
13.2.1.2 Internal Hazards
For the purposes of HPC PCSR2 the entirety of Consolidated GDA PCSR 2011 SubChapter 13.2 [Ref. 13.3] is applicable, but should be considered in conjunction with this
HPC PCSR2 Head Document section and all its associated supporting references.
13.2.2.1 External Hazards
The methodology and the design principles of protection against the external hazards
are based on Consolidated GDA PCSR 2011.
In the majority of cases the characterisation of the extreme event and the design of the
relevant site protection are out-of-scope of the GDA PCSR and therefore subject to sitespecific studies. There are some exceptions; in particular the DBE used for the design of
the buildings and structures covered by the GDA is that in Consolidated GDA PCSR
2011. The remaining safety classified buildings and structures will be designed using the
site-specific DBE (see HPC PCSR2 Sub-chapter 13.1.2 for details).
13.2.2.2 Internal Hazards
The GDA process details a single UK EPR plant operating on a generic site. However, in
addition to the UK EPR nuclear island systems, the GDA design makes generic
15
To include turbine missiles.
Page 134 of 230
Head Document
assumptions regarding the protection against internal hazards for particular site-specific
systems to enable safety analysis on the basis of a complete plant. The design of these
site-specific systems is developed on the basis of those generic assumptions, and
considers any additional interfaces with other site-specific buildings and/or structures.
As previously discussed, the proposed HPC site differs from the GDA generic site in a
number of aspects. Therefore the internal hazards safety assessments provided for the
GDA [Ref. 13.3] have been supplemented by internal hazards safety assessments for
the additional site-specific buildings/structures inherent to a twin UK EPR plant at the
HPC site [Ref. 13.6].
13.3
Route Map
13.3.1 External Hazards
Sub-chapter 13.1 External Hazards Protection of HPC PCSR2 [Ref. 13.7] provides the
description of protection against external hazards. It includes:
x
The HPC external hazard list,
x
The general principles of protection against external hazards,
x
For each external hazard: safety requirements; applicable codes and standards; the
intended methodology for design verification; areas for further work.
It is based on the information provided in HPC PCSR2 Sub-chapter 2.1 Site Description
and Data and Sub-chapter 2.2 Verification of the Bounding Character of the GDA Site
Envelope, which are used to define the hazard magnitudes for a majority of external
hazards. For a limited number of external hazards (i.e. lightning and EMI) the approach
is to use the best industrial practice for defining the relevant design protection. HPC
PCSR2 Sub-chapter 2.1 refers to several supporting references that address site data
and in some cases contain safety analysis of protection against hazards. This
supplements the analysis in HPC PCSR2 Chapter 13.
Outputs from HPC PCSR2 Sub-chapter 13.1 are used by the following sub-chapters or
chapters:
x
HPC PCSR2 Sub-chapter 3.3 Design Of Safety Related Civil Structures,
x
HPC PCSR2 Chapter 14 Design Basis Analysis,
x
HPC PCSR2 Chapter 15 Probabilistic Safety Assessment (especially Sub-chapter
15.2 covering hazards PSA),
x
HPC PCSR2 Sub-chapter 18.1 Human-Machine Interface,
x
HPC PCSR2 Sub-chapter 18.3.4 Emergency Preparedness.
The twin-reactor aspect is addressed in a supporting document [Ref. 13.6] that presents
the qualitative assessment for the risk of two reactors on the same site in place of a
single unit as in the GDA PCSR.
13.3.2 Internal Hazards
The internal hazards protection topic is dealt with through the current version of
Consolidated GDA PCSR 2011 Sub-chapter 13.2 and the supplementary safety
assessments covering those internal hazards caused by the additional HPC-specific
structures/buildings. This includes:
Page 135 of 230
Head Document
x
The internal hazards parts of this HPC PCSR2 Head Document section that provides
a summary of the initial substantiation underpinning the internal hazards protection
strategy to be adopted for the HPC site,
x
The entirety of Consolidated GDA PCSR 2011 Sub-chapter 13.2 [Ref. 13.3],
x
The relevant links to, or inputs from, Consolidated GDA PCSR 2011 Sub-chapters
3.1, 7.2, 8.4 and HPC PCSR2 Sub-chapter 15.2,
x
The internal hazards protection, design basis and verification summary document
[Ref. 13.2], (it should be noted that this reference is inconsistent with Sub-chapter
13.2 in its description of the definition of fire compartments, fire cells, physical
separation, geographical separation and vulnerability approach at the same level as
prevention, mitigation and control for the design basis of the plant regarding internal
fires. The internal hazards protection summary document [Ref. 13.2] also covers
vehicle impact, toxic and radiological release and EMI which are not covered in Subchapter 13.2. This inconsistency between the two references will be resolved in a
future safety submission, where only one document will be produced to describe
internal hazards protection),
x
Various internal hazards related safety assessments and other site-specific analyses
for the HPC site, including:
o The qualitative assessment of the risk generated by the installation and
operation of two UK EPR reactor units on the same site [Ref. 13.6] in place of a
single unit as in the GDA,
o The presentation of the HPC site plot plan [Ref. 13.8],
o Analyses of the risk from turbine disintegration within the HPC site [Ref. 13.9].
As part of the detailed design process a complete assessment has to be performed for
all internal hazards for both units and site-specific SSCs. This will be strongly dependent
on the layout of the plant. This requirement is included in the HPC PCSR2 Forward
The assessment of combined and consequential internal hazards included in report
[Ref. 13.2] should be considered as incomplete, and will be finalised after the
outstanding issues for the individual internal hazards have been addressed. This will be
addressed in an update to the report and to HPC PCSR2.
13.4
Conclusions
The internal and external hazards that may affect the proposed UK EPR units at HPC
have been identified and characterised using information from both the GDA and the
site-specific hazard identification and characterisation studies. Assessments have been
made of the adequacy of the protection and mitigation measures that will exist within the
proposed design of the UK EPR units. The hazard protection philosophy is to design
plant to withstand the applicable hazards, wherever this is reasonably practicable.
Where damage cannot be prevented the design ensures that there is redundancy and/or
diversity in provision of the required safety functions.
Forward Work Activities (see the HPC PCSR2 Forward Work Activities report
[Ref. 13.4]) have been proposed for HPC PCSR2 Chapter 13 that will ensure the
detailed design process incorporates all hazard protection and mitigation requirements
for each of the safety classified SSCs. The Forward Work Activities also provide further
detail on the combination of reasonably foreseeable hazards. This process will ensure
Page 136 of 230
Head Document
that the risks from hazards will be reduced to ALARP for the design of the UK EPR units
at HPC.
13.5
Ref
References
Title
Location
Document No.
13.1
UK EPR Hinkley Point Project: “Hazard Listing
Identification and Confirmation”, Issue 4 (July 2012).
EDRMS
13.2
Hinkley Point C - Internal Hazards Protection Summary
Document. Issue 5 (August 2012).
EDRMS
13.3
Consolidated GDA PCSR Sub-Chapter 13.2, “Internal
Hazards Protection”. Issue 03 March 2011.
EDRMS
UKEPR-0002-132
13.4
HPC PCSR2 Forward Work Activities, Issue 1.0, Nov
2012
EDRMS
13.5
Consolidated GDA PCSR Sub-Chapter 13.1, “External
Hazards Protection”, Issue 03 March 2011.
13.6
UK EPR Hinkley Point Project: “Identification and Review
of the Safety Implications of a Twin Reactor Design for
HPC”, Issue 6 May 2012.
EDRMS
13.7
HPC PCSR2 Sub-chapter 13.1 External Hazards
Protection, Issue 2.0 July 2012.
EDRMS
13.8
HPC PCSR2 Sub-chapter 2.3 – “Site Plot Plan Summary
Document.” Revision 2.0 June 2012.
EDRMS
HPC-NNBOSL-U0-ALLRET-000001
13.9
Assessment of Turbine Missile Impact Frequencies on
Hinkley Point C Building Structures. Issue E-BPE
(12/04/2011).
NNB Network
Drives
NNB Network
Drives
UKEPR-0002-131
16281-709-HPC-RPT-001
Page 137 of 230
Head Document
14
DESIGN BASIS ANALYSIS
14.1
Summary
This section summarises the contents of HPC PCSR2 Chapter 14 sub-chapters, which
for the purposes of HPC PCSR2 are the same as those of Consolidated GDA PCSR
2011. No HPC site-specific DBA is presented for HPC PCSR2. Instead statements are
presented to substantiate that the Consolidated GDA PCSR 2011 DBA is representative
of future HPC site-specific DBA, including its applicability to a twin-reactor site. Highlevel Forward Work Activities for the production of HPC site-specific DBA are presented
in the HPC PCSR2 Forward Work Activities report [Ref. 14.1].
The DBA forms part of the UK EPR general safety principles defined in HPC PCSR2
Sub-chapter 3.1. Its purpose is to demonstrate that there are appropriate design
features and functions (including ‘defence in depth’) to protect against and mitigate
faults, and to show that the radiological consequences of reasonably foreseeable events
remain within acceptable limits. The safety analysis of such events has also informed the
deterministic design of the safety systems. Faults have been identified from a
combination of sources, including standard lists based on guidance used in the French
nuclear fleet and international operational experience from many decades, and adapted
to the UK EPR. The events presented in HPC PCSR2 are aligned with the PSA initiating
events in Consolidated GDA PCSR 2011 (see Section 15).
The DBA is based on a deterministic safety approach, complemented by probabilistic
analyses, using the concept of ‘defence in depth’. In the approach used, representative
conditions that bound situations that could be encountered during reactor operation are
identified and grouped into categories known as PCCs according to their frequency of
occurrence.
PCC-116: Normal Operating Transients
PCC-2: Design Basis Transients (1x10-2/y <f)
PCC-3: Design Basis Incidents (1x10-4 < f < 1x10-2/y)
PCC-4: Design Basis Accidents (1x10-6 < f < 1x10-4/y)
The list of PCC faults covers faults affecting the core and the SFP. The GDA fault
schedule also includes a representation of faults in the conventional island and BOP.
But they are included as losses of function only (black box) rather than specific faults
and associated frequencies. The list has been identified systematically for initiating
events within the nuclear island. For initiating events arising outside the nuclear island it
is based on loss of functional capability of services to the nuclear island. Faults affecting
inventory in the ISFS and Interim ILW Store are not yet assessed because of the early
stage of design (see Section 11); however in the HPC Site Submission of General Data
for Article 37 of the Euratom Treaty the bounding nature of the DBA of the plant for the
ISFS and Interim ILW Store was provided [Ref. 14.2]. Because the ISFS and Interim ILW
Store are not integral parts of the power production facility, their design and assessment
do not need to be completed prior to commencement of construction of the NPP. Faults
are assessed with the application of the Single Failure Criterion and consideration of a
co-incident LOOP.
The PCC faults (PCC-2, PCC-3 and PCC-4) contain events caused by the failure of one
component, the failure of one I&C system, one operator error or LOOP. Examples of
16
PCC-1 events are classified as normal operating transients and are addressed in Sub-chapter 3.4 of the HPC PCSR2 submission.
Page 138 of 230
Head Document
PCC faults addressed include spurious reactor trips, LOCAs, reactivity faults such as
uncontrolled control rod withdrawal and overcooling faults. The list of PCC faults is given
in HPC PCSR2 Sub-chapter 14.0, which is unchanged from Consolidated GDA PCSR
2011.
The fault and protection schedule within Sub-chapter 14.7 [Ref. 14.3] shows the
protection in the current design for each identified PCC fault.
The acceptability of the consequences of the PCC faults is determined through
adherence to acceptance criteria that are assigned to each PCC fault or family of faults.
Compliance with these acceptance criteria ensures that the safety objectives relevant to
the PCC faults are met. Different acceptance criteria apply depending on whether the
fault affects the reactor or the nuclear island SFP.
For faults affecting the reactor the acceptance criteria are divided into safety criteria and
decoupling criteria.
Safety Criteria: Safety criteria are defined in terms of radiological limits. They must be
met in the safety analysis. The most stringent criteria apply to the most probable events,
i.e. those of PCC-2. For PCC-2 transients the annual dose limit for an individual off-site
is the same as for normal operating transients (PCC-1) at 0.3mSv/y. For PCC-3 and
PCC-4 the targets are an effective dose of 10mSv and equivalent thyroid dose of
100mSv (based on ICRP guidance). More detail on the safety criteria, and the dose
calculations completed for assessment against these criteria is given in Sub-chapter
14.6.
Decoupling Criteria: In addition to safety criteria, decoupling criteria are defined that
are applied to the thermal-hydraulic and neutronic calculations. This allows the
calculations to be decoupled and carried out separately from the radiological
calculations. Decoupling criteria are defined so that meeting them ensures that safety
criteria, i.e. the radiological limits, will also be met.
The decoupling criteria include limits on:
x
Clad oxidation,
x
Clad temperature,
x
Departure from Nucleate Boiling (DNB),
x
Linear power density,
x
Fuel melting (% by volume),
x
Fuel burn-up,
x
Fuel enthalpy rise,
x
Primary and secondary system overpressure.
For LOCAs there are additional criteria on hydrogen generation, core geometry and
long-term core cooling provisions.
The type and value of the criteria applied is dependent on the type (e.g. LOCA, cool
down) and frequency (PCC-2, PCC-3, PCC-4) of the fault. The list of criteria with
accompanying technical details is provided in HPC PCSR2 Sub-chapter 14.0.
For the nuclear island SFP the acceptance criteria are:
x
Permanent maintenance of subcriticality,
x
Avoidance of exposure of fuel assemblies,
Page 139 of 230
Head Document
x
Maintenance of pool temperature below 80oC during PCC-2 events.
The DBA are performed on a conservative basis so that the safety systems are designed
with appropriate design margins. Where no UK EPR-specific GDA DBA has been
performed alternative statements are presented, the consequences of which are
demonstrated to be bounding or to provide sufficient information for inferring results for
any UK EPR-specific analyses. Consequences have been calculated using a
conservative methodology. A study [Ref. 14.4] shows that the consequence analysis is
representative for the HPC site (see Sub-chapter 14.6).
DBA radiological consequences calculations are presented and used to demonstrate
that under fault conditions the discharge of radioactive material outside the plant leads to
public doses that are within the selected deterministic dose limits, and hence do not
have unacceptable consequences.
14.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters
14.0-14.7 and appendices. Figure 15 illustrates the document structure for Chapter 14.
14.2.1.1 Sub-chapter 14.0 – Assumptions and Requirements for the PCC Accident
Analysis [Ref. 14.5]
Sub-chapter 14.0 of Consolidated GDA PCSR 2011 is applicable to HPC based on the
following:
x
The categories of DBA faults identified in Consolidated GDA PCSR 2011 are
applicable to HPC. However, the details of specific DBA faults may change or new
faults could be added in future submissions as a result of HPC PSA development
and GDA Issues and GDA Assessment Findings resolution. The impact of such
changes on the list of PCC faults will be assessed in a systematic manner.
x
HPC site-specific DBA will be performed using the same assessment methodology
as described in Chapter 14.0 of Consolidated GDA PCSR 2011. This means that it
will be performed on a conservative basis, with the application of the Single Failure
Criterion, consideration of co-incident LOOP with the same assumptions on
preventative maintenance. DBA faults involving the nuclear island SFP will be
analysed using the methodology and assumptions stated in Sub-chapter 14.0
Section 2.10.
x
The consequences of HPC site-specific DBA will be assessed against the same
acceptance criteria as used for the GDA PCSR. The results of equivalent HPC DBA
faults, and hence margins to the acceptance criteria, may differ from those of
equivalent DBA faults in the GDA PCSR; the extent of which will depend on the exact
fuel management strategy selected for HPC. While in the absence of HPC sitespecific DBA the variation of these margins cannot yet be defined, the consequences
of HPC site-specific DBA faults will remain within the acceptance criteria defined in
the GDA PCSR.
x
No new HPC site-specific DBA faults have so far been identified as a result of HPC
being a twin-reactor site. The HPC fault list will be reviewed and any changes to the
fault schedule that are specific to HPC will be included in the DBA. The potential
number of new DBF initiators as a result of HPC being a twin-reactor site is judged to
be small given the relative independence of the two reactor units. Any new initiators
will arise as a result of faults involving the shared services between the two reactors.
Page 140 of 230
Head Document
x
HPC being a twin-reactor site will not impact on the DBA modelling assumptions or
assessment methodologies for DBA faults involving an internal initiating event on a
single unit as identified in Consolidated GDA PCSR 2011. The potential
consequences of DBA and RRC-A faults whose initiating event affects both reactors
on the HPC site are addressed under the Sub-chapter 14.6.
x
There is confidence that the Consolidated GDA PCSR 2011 analysis of PCC/RRC-A
faults with conventional island initiators is applicable, and that the assumptions for
the faults already identified will not be challenged by proposed or future HPC
conventional island system designs. This is on the basis that:
o Such faults with conventional island initiators are treated generically in
Consolidated GDA PCSR 2011 since the conventional island system designs
are site-specific. In most cases the conservative analysis assumptions with
respect to plant availability mean that the acceptability of the fault
consequences is independent of conventional island system design or
responses,
o Where conventional island systems/components perform a safety function in
the GDA, the safety classifications of equivalent HPC-specific conventional
island systems/components will be the same or higher,
o The means by which the PCC faults are analysed are largely independent of
the Initiating Event Frequency (IEF). As long as the HPC-specific IEF of each
PCC fault is consistent with the frequency band to which it is assigned in
Consolidated GDA PCSR 2011, then the analysis is applicable. If a fault is
found to fall into a different PCC due to its site-specific frequency, it will be
reassessed accordingly.
ISFS & ILW Fault Analysis
The ISFS is at the conceptual design stage and thus no fault analysis will be available
for submission as part of HPC PCSR2. However it can be stated that the ISFS design
will:
x
Be in accordance with the 27 design safety principles that were identified as part of
Consolidated GDA PCSR 2011 [Ref. 14.6],
x
Be in accordance with the NNB GenCo NSDAPs,
x
Account for the principles of ‘defence in depth’ and the Single Failure Criterion and
be suitably robust against the risk of common mode failure.
A safety case for the ISFS, including the DBA faults, will be submitted at an appropriate
time.
The Interim ILW Store is at the conceptual design stage and thus no ILW fault analysis
will be available for submission as part of HPC PCSR2. However, it can be stated that
the Interim ILW Store design will:
x
Be in accordance with the 25 design safety principles that were identified as part of
GDA [Ref. 14.7],
x
Be in accordance with the NNB GenCo NSDAPs,
x
Account for the principles of ‘defence in depth’ and the Single Failure Criterion, and
be suitably robust against the risk of common mode failure.
A safety case for the Interim ILW Store, including the DBA faults, will be submitted at an
appropriate time.
Page 141 of 230
Head Document
More details on the design assumptions and facility descriptions for both the ISFS and
Interim ILW Store are presented in Sub-chapter 11.5.
Operator Action Times
Two operator ‘grace periods’ are defined in Consolidated GDA PCSR 2011:
x
Manual action from the MCR is assumed to take place 30 minutes after the first
significant information is transmitted to the operator,
x
Local manual action, i.e. a manual action that must be performed outside the MCR,
is assumed to take place one hour after the first significant information is transmitted
to the operator.
Where the safety case relies on manual actions to reach the controlled state the
operator ‘grace periods’ need substantiation. Since the ability to successfully complete
Operator Actions will be subject to local conditions, a HPC site-specific assessment and
justification will be required.
However the 30 minute and one hour ‘rules’ are widely accepted in the nuclear industry
as they give sufficient time for the operators to undertake ‘knowledge-based’ analysis
with a good probability of success and operator reliability.
These human-based safety claims will be assessed and substantiated using Human
Reliability Assessment (HRA) and PSA techniques as part of the Forward Work
Activities [Ref. 14.1].
14.2.1.2 Sub-chapter 14.1 – Plant Characteristics Taken into Account in the
Accident Analyses [Ref. 14.8]
The plant characteristics of the UK EPR reference design used in the DBA are
presented in Consolidated GDA PCSR 2011. For the purposes of HPC PCSR2, the UK
EPR design characteristics in Sub-chapter 14.1 of Consolidated GDA PCSR 2011 are
applicable to those that will be used in HPC site-specific DBA given that HPC is closely
based on the UK EPR reference design.
In future safety submissions HPC DBA will use either HPC site-specific plant
characteristics or justify the use of UK EPR Reference Design values. As in
Consolidated GDA PCSR 2011 the plant characteristics will be applied as DBA inputs on
a suitably conservative basis in the HPC site-specific DBA.
While the detailed plant characteristics that are used in the HPC-specific DBA are not
yet fully defined, they will be established so that the consequences of the HPC sitespecific DBA will reside within the acceptance criteria defined in Consolidated GDA
PCSR 2011.
14.2.1.3 Sub-chapter 14.2 – Analysis of the Passive Single Failure [Ref. 14.9]
HPC will be designed in compliance with the Single Failure Criterion as defined in Subchapter 14.0. This criterion includes either an active single failure in the first 24 hours
after the occurrence of a PIE or a passive single failure at the PIE occurrence. For DBA
faults involving the nuclear island SFP, only active single failures are considered with
respect to the pool water cooling system.
Future HPC site-specific demonstrations of compliance with the Single Failure Criterion
will employ the same methodology, assumptions and scope as that described in Subchapter 14.2 of Consolidated GDA PCSR 2011.
Page 142 of 230
Head Document
14.2.1.4 Sub-chapter 14.3, 14.4 & 14.5 – Analyses of PCC Events [Refs. 14.10, 14.11
& 14.12]
The DBA presented for PCC-2, PCC-3 and PCC-4 events in Consolidated GDA PCSR
2011 Sub-chapters 14.3, 14.4 & 14.5 respectively is representative of the scope and
assessment methodology of future HPC site-specific DBA safety submissions. DBA
faults in addition to those in the GDA PCSR will be included in future submissions as a
result of HPC PSA development and GDA Issues and Assessment Findings resolution.
14.2.1.5 Sub-chapter 14.6 – Radiological Consequences of DBFs [Ref. 14.13]
When complete, the HPC site-specific DBA radiological consequences will be either
bounded by, or be sufficiently similar to, the Consolidated GDA PCSR 2011 radiological
consequences as to represent an acceptable level of risk. Therefore no HPC sitespecific DBA radiological consequence calculations have been performed at this stage,
and the calculations and deterministic dose targets are the same as those in Subchapter 14.6 of Consolidated GDA PCSR 2011.
The following supports this position:
x
The reactor core activity inventory in Consolidated GDA PCSR 2011 is determined
using very conservative operating assumptions that are bounding of the operating
parameters planned for HPC. As a result, the Consolidated GDA PCSR 2011 reactor
core activity inventory bounds that for HPC. In addition, the report on the Applicability
of Consolidated GDA PCSR 2011 Radiological Consequences Assumptions to HPC
[Ref. 14.14] confirms that the release fraction data given in the GDA PCSR
calculation will be applicable (bounding) for HPC. The very conservative GDA PCSR
assessment of activity release is therefore considered bounding of the HPC activity
release for DBA faults.
x
Activity release from the containment to the environment is calculated using a very
conservative leak rate of 1% of containment atmosphere volume per day, compared
with the maximum allowable leak rate of 0.3% of volume per day.
x
The dose assessment is based on two phases – the calculation of atmospheric
dispersion and the dose calculation:
o The Consolidated GDA PCSR 2011 atmospheric dispersion calculation is
generic. It has been compared with a UK methodology dispersion calculation
using HPC site-specific weather conditions [Ref. 14.4]. This showed that the
Consolidated GDA PCSR 2011 dispersion assessment was bounding for all
weather conditions at 500m from the site boundary and 98% of conditions at
10km relative to the UK dispersion model using HPC site-specific metrological
conditions over a five-year period.
o The dose calculation for Consolidated GDA PCSR 2011 used generic French
habitation data. While it is assumed that the HPC site-specific habitation data
will not differ greatly from this, there is potential for the HPC dose assessment
to be slightly different to the generic Consolidated GDA PCSR 2011 dose
assessment.
The combination of the very conservative activity release calculation and the generic
dose assessment is considered overall to be conservative for HPC.
x
The calculated radiological consequences of PCC and RRC-A faults for a reactor on
a twin-reactor site are the same as those for a single stand-alone reactor for faults
involving an internal initiating event (such as a LOCA). There is potential for an
increase in the radiological consequences of initiating faults that could
Page 143 of 230
Head Document
simultaneously affect both reactors planned for the HPC site. However, margins to
the dose targets given in Sub-chapter 14.6 are such that doubling the radiological
consequences of relevant faults (such as ‘multiple failure of systems in the NAB
under earthquake boundary condition’) would not challenge the deterministic dose
targets [Ref. 14.14].
Future safety cases may present additional representative DBA faults, in particular those
related to site-specific buildings such as the ISFS and Interim ILW Store. However, the
list of representative DBA faults for which calculations were completed in Consolidated
GDA PCSR 2011 continues to be adequately representative for HPC PCSR2 at this
stage.
14.2.1.6 Sub-chapter 14.7 – Fault and Protection Schedule [Ref. 14.3]
No HPC site-specific fault and protection schedule has been produced for submission in
HPC PCSR2. For the purposes of HPC PCSR2, the content of the GDA fault and
protection schedule, which covers all the considered PCC faults including those specific
to the nuclear island fuel storage pool, is applicable to HPC. The GDA fault schedule
also includes representation of faults in the conventional island and BOP. This is on the
basis that:
x
The principles by which the PCC event list was developed will remain the same for
HPC. (Applicability statements on Consolidated GDA PCSR 2011 RRC-A and
RRC-B safety analysis are presented in Section 16),
x
The principles used for justification of the comprehensiveness of fault protection in
Consolidated GDA PCSR 2011 are applicable to HPC,
x
The level of protection that will be provided by the HPC I&C systems against the
faults considered in Consolidated GDA PCSR 2011 will be at least as comprehensive
as that presented in the Consolidated GDA PCSR 2011 fault and protection
schedule,
x
The ALARP discussions on the adequacy of the UK EPR design are applicable for
HPC.
Therefore the fault and protection schedule presented for HPC PCSR2 is the same as
that for Consolidated GDA PCSR 2011. Future HPC safety submissions will present a
suitably comprehensive HPC-specific fault and protection schedule accounting for HPC
PSA development and GDA Issues and GDA Assessment Findings resolution.
14.2.1.7 Sub-chapter 14 Appendix A - Computer Codes Used in Chapter 14
[Ref. 14.15]
The Forward Work Activities for HPC site-specific DBA [Ref. 14.1] proposes using the
same suite of computer codes as described in Chapter 14.0 Appendix A of Consolidated
GDA PCSR 2011. The justification of computer codes presented in Chapter 14 Appendix
A is applicable for HPC PCSR2.
The information provided in this Consolidated GDA PCSR 2011 sub-chapter
demonstrates that the proposed analysis codes are mature and well documented. The
code capabilities have been demonstrated through their utilisation in the Consolidated
GDA PCSR 2011 DBA and in wider studies internationally. This provides a suitable level
of confidence in the proposed analysis codes for use in the first phase of HPC sitespecific DBA.
The means by which NNB GenCo formally accepts the use of the analysis codes in HPC
site-specific DBA will be addressed as part of the Forward Work Activities [Ref. 14.1].
Page 144 of 230
Head Document
Such acceptance will also take cognisance of the outcome of related GDA Assessment
Findings.
14.2.1.8 Sub-chapter 14 Appendix B - 4900 MW Safety Analysis Used in Chapter 14
[Ref. 14.16]
The statements presented in Consolidated GDA PCSR 2011 as to the applicability of the
4900MWth analysis presented in Chapter 14.0 Appendix B to the UK EPR reference
design of 4500MWth are applicable to HPC. Equivalent HPC site-specific DBA of the
faults in this Appendix will be presented in future safety submissions.
14.2.1.9 Sub-chapter 14 Appendix C - Analysis of Single Failure for MSLB
[Ref. 14.17]
This analysis is applicable to HPC PCSR2. Its applicability for HPC PCSR2 is covered
by Sub-chapters 14.3, 14.4 and 14.5.
No site-specific DBA has been performed for submission in HPC PCSR2. Applicability
statements are made above confirming that the DBA presented in Consolidated GDA
PCSR 2011 is either directly applicable to or suitably representative of a HPC sitespecific DBA. These statements confirm the applicability of the overall GDA scope and
methodology, as well as confirming that the HPC twin-reactor site does not challenge
any of the GDA PCSR assumptions.
Changes to the scope of the DBA or PCC allocation presented in HPC PCSR2 may
arise as a result of the identification of new or revised event initiators during HPC PSA
development. This includes HPC PSA updates arising from conventional island fault and
hazard assessments. Future development of the HPC PSA is described in Section 15.
DBA in future HPC submissions will be consistent with the HPC PSA.
Three GDA Out-of-scope Items are listed against the fault studies topic [Ref. 14.18]:
14.3
x
Topic Area 5 Fault Studies Item 1 (Site-specific calculations for radiological
consequences). The section above relating to GDA Sub-chapter 14.6 discusses the
applicability of the GDA analysis for HPC PCSR2. The AF-UKEPR-FS-29 position
statement is discussed in the forward plan for radiological consequences (see the
HPC PCSR2 Forward Work Activities report [Ref. 14.1]).
x
Topic Area 5 Fault Studies Items 2 (Control and Limitation Functions) & 3
(Operating Technical Specification documents). HPC-specific PCI studies will
inform control and limitation function operation. HPC-specific fault studies will input
into the creation of HPC OTS documents. This activity relates to operations and does
not need to be resolved for construction to commence.
x
Topic Area 18 Cross-cutting Item 3 – Mid-loop level and nozzle dams safety case
will be derived as required. This activity relates to operations and does not need to
be resolved for construction to commence.
Route Map
The DBA for the UK EPR design is presented in Chapter 14 of Consolidated GDA PCSR
2011. For HPC PCSR2 the sub-chapters presented are the same as those for
Consolidated GDA PCSR 2011. The structure and content of the sub-chapters are as
follows:
Page 145 of 230
Head Document
x
Sub-chapter 14.0 Assumptions and Requirements for the PCC Accident Analyses
[Ref. 14.5] presents the assumptions and requirements for the DBA,
x
Sub-chapter 14.1 Plant Characteristics Taken into Account in the Accident Analyses
[Ref. 14.8] describes the plant characteristics taken into account in the DBA including
plant geometrical data, plant initial conditions, core characteristics, safety-related I&C
signals and safety systems characteristics,
x
Sub-chapter 14.2 Analysis of the Passive Single Failure [Ref. 14.9] specifies and
presents the analysis of the consequences of passive single failures at the time of
the PIE for PCC-2 to PCC-4,
x
Sub-chapter 14.3 Analyses of the PCC-2 Events [Ref. 14.10] presents DBA for
transients in the PCC-2 frequency category defined as faults with an initiating event
frequency greater than 1x10-2/y,
x
frequency of between 1x10-2 to 1x10-4/y,
x
frequency of between 1x10-4 to 1x10-6/y,
x
Sub-chapter 14.6 Radiological Consequences of Design Basis Accidents [Ref. 14.13]
presents DBA radiological consequences calculations,
x
Sub-chapter 14.7 Fault and Protection Schedule [Ref. 14.14] describes the fault and
protection schedule including the principles used to define the protection system
setpoints,
x
Sub-chapter 14 Appendix A Computer Codes Used in Chapter 14 [Ref. 14.15] ,
x
Sub-chapter 14 Appendix B 4900 MW Safety Analysis Used in Chapter 14
[Ref. 14.16],
x
Sub-chapter 14 Appendix C Analysis of Single Failure for Main Steam Line Break
[Ref. 14.17].
DBA interfaces with other HPC PCSR2 chapters are:
x
The DBA is a demonstration against the UK EPR general safety principles defined in
Sub-chapter 3.1,
x
Key parameters for future HPC-specific DBA relating to the fuel, core and fuel
management are stated in Section 4 of this document.
x
The DBA modelling assumptions inform the deterministic design criteria of the I&C
systems as defined in Chapter 7,
x
Hazards and their high-level relationship to the DBA are addressed separately in
Chapter 13 Hazards Protection,
x
The list of DBA faults informs the initiating events for assessment in the Level 1 and
Level 3 PSA in Sub-chapters 15.1 and 15.5,
x
The modelling assumptions and results for certain DBA faults, primarily PCC-4 –
Steam Line Break (SLB) inform the acceptability of fault studies assessments in Subchapter 16.4 Specific Studies,
Page 146 of 230
Head Document
14.4
x
The demonstration of the adequacy of the UK EPR design with respect to safety
function diversity for frequent faults is addressed in Sub-chapter 16.5 Adequacy of
the UK EPR Design Regarding Functional Diversity,
x
The DBA informs the safety and operating requirements as well as operating
procedures during both normal and abnormal conditions. These are addressed in
Sub-chapters 18.2 Normal Operation and Sub-chapter 18.3 Abnormal Operation
respectively.
Conclusions
The fault and protection schedule presented for HPC PCSR2 is the same as that for
Consolidated GDA PCSR 2011. There is confidence in the comprehensiveness of the
list of faults in the context of the GDA scope, since it is based on decades of analyses of
international operational experience and best practice, as well as being modified to
reflect UK EPR specific features. The GDA fault schedule also includes representation of
faults in the conventional island and BOP. Additional confidence is gained from the PCC
fault and PSA initiating event consistency review performed under Consolidated GDA
PCSR 2011. A small number of faults identified in the GDA await assessment but this
will be resolved within the scope of the GDA process as part of a GDA Issue. Future
HPC safety submissions will develop this into a comprehensive HPC-specific fault and
protection schedule accounting for HPC PSA development and GDA Issues and GDA
Assessment Findings resolution.
The fault and protection schedule shows that there is adequate ‘defence in depth’ for all
faults, except a small number identified in the GDA Issues that will be resolved within the
scope of the GDA process as part of a GDA Issue. All considered PCC faults have been
assessed and shown to meet the safety criteria. For the purposes of HPC PCSR2 the
HPC site-specific DBA radiological consequences when complete will be either bounded
by, or be sufficiently similar to, the Consolidated GDA PCSR 2011 radiological
consequences as to represent an acceptable level of risk. Faults associated with sitespecific systems/components may have variations in initiating event frequency from that
assumed in the GDA. However, the analysis is largely insensitive to this, and remains
valid unless deviations would move the fault to a different PCC.
Faults affecting the ISFS and Interim ILW Store have not yet been analysed, although in
the HPC Site Submission of General Data for Article 37 of the Euratom Treaty the
bounding nature of the DBA of the plant for the interim storage facilities was provided.
The ongoing design process will take due account of the design and protection
principles identified in Chapter 11.
Analyses are presented in this section to substantiate that the Consolidated GDA PCSR
2011 DBA provides a high level of confidence that viable HPC site-specific core designs
can be defined and justified within the constraints of the DBA acceptance criteria
presented in the GDA.
14.5
Ref
References
Title
Location
Document No.
14.1
Nov 2012
EDRMS
14.2
ILW and ISFS HPC Site Submission of General
Data as Applicable Under Article 37 of the Euratom
Treaty, Issue 1.0 Jan 2012
EDRMS
NNB-OSL-REP-001195
Page 147 of 230
Head Document
Ref
Title
Location
Document No.
14.3
Consolidated GDA PCSR Chapter 14 Sub-chapter
14.7 - Fault and Protection Schedule, Issue 02,
March 2011
EDRMS
UKEPR0002-149-I02
14.4
W048: Evaluation of Dispersion Using ADMS v.4
for Accidental Radiological Consequences
Assessment, AMEC Report Issue 4, March 2010
EDRMS
14.5
14.0 - Assumptions and Requirements for the PCC
Accident Analysis, Issue 03, March 2011
EDRMS
UKEPR-0002-140-I03
14.6
Spent Fuel Interim Storage Facility, Issue 01, Oct
2009
EDRMS
UKEPR-0009-001
14.7
ILW Interim Storage Facility, Issue 01, Oct 2009
EDRMS
UKEPR-0008-001
14.8
14.1 - Plant Characteristics Taken into Account in
the Accident Analysis, Issue 03, March 2011
EDRMS
UKEPR-0002-141-I03
14.9
14.2 - Analysis of the Passive Single Failure, Issue
03, March 2011
EDRMS
UKEPR-0002-142-I03
14.10
14.3 - Analysis of the PCC-2 Events, Issue 06,
March 2011
EDRMS
UKEPR-0002-143-I06
14.11
March 2011
EDRMS
UKEPR-0002-144-I07
14.12
March 2011
EDRMS
UKEPR-0002-145-I07
14.13
14.6 - Radiological Consequences of Design Basis
Accidents, Issue 05, March 2011
EDRMS
UKEPR-0002-146-I05
14.14
Applicability of 2011 GDA PCSR Radiological
Consequences Assumptions to HPC, Feb 2012
EDRMS
NNB-OSL-REP-001290
14.15
Consolidated GDA PCSR Chapter 14 Appendix A Computer Codes Used in Chapter 14 , Issue 03,
March 2011
EDRMS
UKEPR-0002-147-I03
14.16
Consolidated GDA PCSR Chapter 14 Appendix B 4900 MW Safety Analysis Used in Chapter 14,
EDRMS
UKEPR-0002-148-I05
14.17
Consolidated GDA PCSR Chapter 14 Appendix C Analysis of Single Failure for Main Steam Line
Break, Issue 00, March 2011
EDRMS
UKEPR-0002-001-I00
14.18
Letter from ONR to NNB
th
for GDA, Dated 15 April 2011
EDRMS
ND(NII) EPR00836N
Page 148 of 230
Head Document
15
PROBABILISTIC SAFETY ASSESSMENT
15.1
Summary
Chapter 15 provides the scope and results of the Probabilistic Safety Assessment (PSA)
carried out for HPC PCSR2 (known as the HPC PCSR2 PSA). It also provides oversight
of the PSA development yet to be implemented such that an adequate PSA will be
available for supporting the future HPC EPR design stages.
The NSDAPs [Ref. 15.1] present a number of numerical targets (SDOs); the PSA is
used to demonstrate compliance with these targets. The relevant targets for
consideration within PSA include:
x
Core Damage Frequency (CDF),
x
Large Release Frequency (LRF),
x
Large Early Release Frequency (LERF),
x
On-site worker risk (SDO-4 and SDO-5),
x
Off-site individual risk (SDO-6 and SDO-7),
x
Societal risk (SDO-8).
Performance against these targets is assessed by conducting Level 1 (Core damage),
Level 2 (Evaluation of radioactive releases outside of the containment boundary) and
Level 3 (On-site and off-site radiological consequences) PSA. A number of these targets
are based on total site risk, and [Ref. 15.2] presents the current method for assessing
the impact of the twin-reactor site at HPC when calculating the risk values. In addition to
comparison against numerical targets, an important role of the PSA is to risk inform the
design, and Chapter 15 identifies some of the key insights resulting from the
development of the PSA, including those from the current version of the HPC PCSR2
PSA.
The HPC PCSR2 PSA considers a range of internal initiating events, internal hazards
and external hazards. It considers the risk arising from potential radiological sources
(notably the reactor core and SFP in all plant states).
There are a number of assumptions as well as limitations that are identified throughout
the chapter. All assumptions identified within the PSA are presented in [Ref. 15.3]. A
PSA forward work plan [Ref. 15.4] summarises the additional future work required to
provide suitable and sufficient PSA17 in support of the future HPC EPR design stages.
This includes work resulting from identified limitations in the modelling. The impact of
these limitations on the risk targets is assessed in [Ref. 15.5], which provides a
judgement of the potential impact on risk expected from the missing internal events,
hazards and systems as well as other model limitations.
The HPC PCSR2 PSA has been updated from the model presented in Consolidated
GDA PCSR 2011 [Ref. 15.6] to incorporate a number of site-specific features, most
notably a site-based frequency for LOOP, the addition of the UHS that includes a revised
frequency for LUHS, and the addition of the extreme snow and wind hazard. A small
number of additional modelling changes have been made to fix errors, or to remove
excessive conservatisms, in the Consolidated GDA PCSR 2011 model. The impact of
these changes is mainly discussed in HPC PCSR2 Sub-chapters 15.1 [Ref. 15.8] and
17
The definition of “Suitable and Sufficient PSA” for the HPC site will be presented in [Ref. 15.7].
Page 149 of 230
Head Document
15.2 [Ref. 15.9]. A top level summary is provided in [Ref. 15.10] that explains the
differences between the Consolidated GDA PCSR 2011 PSA and the HPC PCSR2 PSA.
15.1.1 Level 1 PSA
The CDF calculated within the HPC PCSR2 PSA is 8.57x10-7 per reactor year (/r.y)
[Ref. 15.12], which meets the associated NSDAPs target of 1x10-5/r.y.
Long LOOP (2 – 24 hours) in plant states A and B (at power and hot shutdown) is the
initiating event that contributes most significantly to the CDF (with a relative contribution
to total CDF of about 25%). Additionally, if all contributions from LOOP events are
considered, including short LOOP, consequential LOOP and shutdown states, the
relative contribution to CDF will increase further (to about 36%). The second highest
contributor to CDF is the LOCC fault (contributing about 15% of total CDF), and the third
highest is LOCA (contributing about 13% of total CDF). The most significant individual
cutset corresponds to the total loss of the cooling chain during shutdown state D
(RCP [RCS] with vessel head off). This fault leads to the loss of the whole residual heat
removal system and the automatic make-up with the medium head safety injection
pumps. The initial fault is followed by the operator failure to perform make-up with the
low head safety injection cooled by diverse means. This represents 3.4% of the internal
event CDF.
It is evident that, with a small number of event groups providing a relatively high
contribution to CDF, the current PSA does not demonstrate a fully balanced design
across dose and frequency bands (i.e. no single fault group should dominate risk). The
PSA forward work plan [Ref. 15.4] captures the need to review whether there are ways
of specifically reducing risk from LOOP through either ALARP modifications or
demonstrating that the risk is less than currently predicted through improvements in the
modelling. The other high contributors (LOCC and LOCA) will also be further
investigated to review whether any reasonably practicable measures would reduce the
risk in those areas. As the PSA currently has a number of limitations (missing initiating
events and conservatisms) a more balanced risk profile might be demonstrated as the
HPC PSA is developed and limitations are removed. In the event that future
development of the HPC PSA cannot demonstrate that a single fault group does not
dominate risk, a justification will be made that the calculated risk associated with that
fault group has been reduced so far as is reasonably practicable. It is important to note
that despite the dominance of certain events the total CDF is low in comparison with the
NSDAPs target.
The key contributions to CDF have been reviewed (including top cutsets, importance
factors and contribution from operator actions). The key insights from this review are
that:
x
The dominant minimal cutsets include LOOP events and LOCA events (arising from
small breaks),
x
The key components based on importance factors include the conditional failure of
the reactor coolant pumps’ shaft seals, the EDGs and MHSI pumps,
x
The CCF of the EDGs and the MHSI pumps are the most significant CCFs based on
Fussell-Vesely assessment,
x
I&C is the most significant system, which includes failure of various I&C components;
most notably the common logic parts of the RPR [PS] and SAS, and the NCSS
(which is currently modelled by means of a single supercomponent),
Page 150 of 230
Head Document
x
The most significant operator actions (based on Fussell-Vesely) are the initiation of
Fast Secondary Cooldown (FSCD) within 30 minutes; and failure to start and control
the ASG [EFWS] using the NCSS.
These important factors will be further investigated subsequent to HPC PCSR2 to
assess whether it is reasonably practicable to reduce risk further. This requirement is
captured in the PSA forward work plan [Ref. 15.4].
The hazards assessment in HPC PCSR2 PSA covers:
x
Internal fire and flood,
x
Massive ingress of marine bodies,
x
Extreme snow and wind,
x
Contribution of hazards to LOOP within Level 1 PSA,
x
Aircraft impact and turbine disintegration in Level 3 PSA.
This scope is not exhaustive and further development of hazards in the PSA will be
performed. A screening exercise has been carried out to determine the full list of
hazards that should be addressed within the HPC PSA (noting that the implementation
of this modelling will be staggered). The screening exercise is reported in [Ref. 15.13].
The current contribution to CDF from internal and external hazards is 1.54x10-7/r.y
(about 18% of total CDF) with >60% of the relative contribution arising from the internal
fire at power hazard (9.43x10-8/r.y). An internal fire in a Safeguard Building event
significantly dominates the internal fire at power hazard contributing 7.46x10-8/r.y (about
9% of total CDF). The contribution from LUHS is 5.12x10-8/r.y (about 6% of total CDF),
which is a reduction from the contribution in GDA Step 4 PSA [Ref. 15.14]. The forward
work plan identifies the key areas for development of PSA hazards, as well as the
requirement to review further those hazards that currently present an elevated
contribution to risk, for determining whether any reasonably practicable risk reduction
measures are required or if modelling conservatisms need to be reduced (through
refinement of the PSA model).
The seismic hazard used for Consolidated GDA PCSR 2011 has been shown to be
bounding for HPC [Ref. 15.15], and hence the conclusions that can be drawn from the
GDA Seismic Margin Assessment (SMA) [Ref. 15.16] regarding an adequate margin to
safety equipment failure are applicable to HPC. More detailed PSA assessment of the
seismic hazard will be performed to determine the risk from seismic events and to gain
insights into plant design and operation. A seismic PSA strategy [Ref. 15.17] has been
developed that proposes a staged, integrated seismic PSA for HPC. The timescales for
implementation will reflect the degree of insight required to adequately risk inform the
various design stages of HPC and the data available to model the seismic hazard. This
action is captured in the forward work plan and will enable the GDA Assessment
Findings [Ref. 15.18] associated with the seismic hazard to be addressed (notably
AF-UK EPR-PSA-037 and AF-UK EPR-PSA-038).
The analysis of the contribution to risk from the SFP [Ref. 15.19] has been expanded
from GDA Step 4 PSA to include the contribution from LUHS. The global fuel damage
from events in the SFP calculated in the HPC PCSR2 PSA is 2.8x10-9/r.y. As
anticipated, the contribution from LUHS is extremely low (less than 0.1% of the fuel
damage frequency). The majority of the fuel damage calculated risk is from draining
events at 2.3x10-9/r.y (about 82% of the total fuel damage frequency). The calculated
risk of fuel pool water boiling has been calculated as 2.90x10-4/r.y. The key insight from
Page 151 of 230
Head Document
the SFP PSA analysis is the importance of the third train of the PTR [FPCS]; both its
specific components and its cooling chain.
15.1.2 Level 2 PSA
Within the HPC PCSR2 Level 2 PSA [Ref. 15.20], the LERF is calculated as
4.88x10-8/r.y (with 86% arising from plant states A and B). There are some changes from
the GDA Step 4 results (see Figure 6 of [Ref. 15.12]) due to an increase in the fraction
from long LOOP (from an increased site-specific initiating frequency) and a doubling of
the fraction due to SGTR. The change in SGTR impact on LERF (which also impacts
CDF and LRF) is due to damage sequences involving the loss of I&C systems combined
with operator action failure (due to the loss of the HMI). These changes are due to
changes implemented in the HPC PCSR2 PSA model. (The change in SGTR impact is
not a design evolution but a correction in the model adding the signal to start the
RCV [CVCS] pump [Ref. 15.10].)
The LRF is calculated as 1.79x10-7/r.y including the contribution from all reactor states
and the SFP (meeting the NSDAP requirement to be well below 10-6/r.y). About 95% of
LRF is from plant states A and B. At power, the main sequences included in the LRF are
severe accident sequences with long-term containment failure during and after debris
quench due to rupture, without Molten Core-Concrete Interaction (MCCI), with debris
flooding, but with no containment spray. A sensitivity analysis has demonstrated the
importance of operator actions (e.g. to close the containment isolation valves, to perform
feed and bleed, to perform primary fast cooldown, to start UDGs). When no account is
taken of the potential operator errors, the LERF decreases by 42% and LRF decreases
by 56%; demonstrating the impact of human actions on both the LRF and the LERF.
15.1.3 Level 3 PSA
The Level 3 PSA is reported in [Ref. 15.21]. A methodology for assessing worker risk
has been developed [Refs. 15.22 & 15.23], and worker risk has been calculated. The
methodology for societal risk (part of Level 3 PSA) is provided in [Ref. 15.24], and
calculations have been carried out using that methodology.
The calculated risk of an on-site worker fatality for HPC PCSR2 is 4.1x10-7/y, which
meets SDO-4 (i.e. less than 10-6/y). About 37% of this calculated risk arises from noncore damage accident sequences. However this is not unexpected, as core damage
sequences occur at a lower frequency. The frequencies of a single accident that could
lead to a dose to an on-site worker within each dose band (SDO-5) are presented in
Figure 15.1. All frequencies for single accidents are below the BSL for their dose band
but a small number are above the BSO. Sub-chapter 15.5 [Ref. 15.21] discusses the
acceptability of the results and demonstrates that, although results lie above the BSO,
no account has been taken of the probability that a worker is present when the accident
occurs. If account is taken of the time an operator spends in the Reactor Building (about
2%), the risk lies below the BSO.
The assessment for HPC PCSR2 of individual off-site risk of fatality, taking into account
the twin reactors at HPC, is 5.6x10-7/y, which meets SDO-6 (i.e. less than 10-6/y).
The assessment against SDO-7 requires that the total frequency of accidents in each of
the different dose categories (dose bands) is below the BSO, as presented in the
following table:
Page 152 of 230
Head Document
Off-site effective
dose band (DB)
(mSv)
DB5
Target frequencies
BSL (/y)
Calculated frequencies
BSO (/y)
-6
HPC PCSR2 (/y)
1x10
-4
1x10
1x10
-3
1x10-5
2.39x10-7
1x10
-2
1x10-4
1.35x10-6
1x10
-1
1x10-3
1.32x10-5
-2
1.43x10-3
1.84x10
-7
> 1000
DB4
100 - 1000
DB3
10 - 100
DB2
1 – 10
DB1
1
1x10
0.1 - 1
These results, demonstrating that the BSO is met for HPC PCSR2 for all dose bands,
are also presented in Figure 15.2.
The assessment of societal risk is made against SDO-8, which requires:
“the total predicted frequency of on-site accidents resulting in more than 100 fatalities
(either immediate or delayed) of members of the public to be below 1x10-7/y and/or
demonstrated as ALARP”.
For one unit, the total frequency of accidental releases that could lead to more than
100 deaths is 7.2x10-8/r.y. For the whole site at HPC, with two units, this frequency is
calculated as 1.4x10-7/y (see [Ref. 15.2] for current methodology for assessing twinreactor risk). The societal calculated risk value for two units is above the SDO-8 target.
However a number of potential options for reducing the risk have been identified
[Ref. 15.25]; these include potential plant modifications and operational improvements to
be considered against ALARP principles. Additionally it may be possible to demonstrate
that the calculated risk is less than currently predicted through improvements in the
modelling. The significant modelling conservatisms identified include the hydrogen flame
acceleration approach (Level 2 phenomenology) and the conservative assumption that,
in the event of total loss of digital I&C, the EVU [CHRS] will be unavailable. Any
measures taken to reduce the contribution from LOOP events would have a direct effect
on the societal risk value. The PSA forward work plan [Ref. 15.4] captures these options
for consideration as the PSA develops.
15.1.4 Risk Informed Design
The PSA has been used to develop the EPR design throughout its evolution. In addition
to the design developments captured during the UK EPR GDA project, HPC PCSR2
Sub-chapter 15.7 [Ref. 15.12] identifies two more recent design developments that have
been informed by the PSA. These are improved diversity in the HPC I&C processing
systems for the head loss and level sensors associated with the heat sink and the
diversification of battery supplies.
15.1.5 PSA Model Limitations
Although the HPC PCSR2 PSA provides valuable insights into the risks at the HPC site,
there are a number of limitations in the modelling. These limitations include unmodelled
Page 153 of 230
Head Document
systems, unmodelled internal initiating events, unmodelled hazards and various other
simplifications, optimisations and conservatisms. The potential impact that these
limitations could have on the HPC calculated risk has been assessed [Ref. 15.5]. The
potential increase or decrease in calculated risk that each limitation could cause has
been considered, taking into account insights from deterministic analysis, the risk gap
analysis performed for Consolidated GDA PCSR 2011 [Ref. 15.18] and other relevant
PSAs (e.g. US EPR, Flamanville 3 and Sizewell B). Although it is based on engineering
judgement, the assessment gives confidence that future removal of model limitations will
not lead to an excessive increase in overall risk. As the current CDF (8.57x10-7/r.y) is
more than an order of magnitude below the NSDAP target (i.e. 10-5/r.y), it is anticipated
that any increase due to removal of model limitations would retain a significant margin to
the NSDAP target. Although the assessment was mainly concentrated on the impact on
CDF, the impact of other non-core or Level 2 and 3 limitations on other NSDAP targets
was also considered. None of the limitations assessed are predicted to present an
unacceptable impact on these targets. As the design develops and further insights from
the developing PSA are gained, the assessment of the impact of model limitations on
risk may change. However, the ongoing process to risk inform the design should ensure
that reasonably practicable measures to manage the risk are taken.
15.2
The detail of the PSA is given in HPC PCSR Sub-chapters 15.0-15.5 and 15.7, and in
Consolidated GDA PCSR 2011 Sub-chapter 15.6. Figure 16 illustrates the document
The majority of the GDA Step 4 PSA is applicable to HPC. However all the Chapter 15
sub-chapters have been updated to reflect new PSA results following the modelling
changes and, in the case of Sub-chapter 15.5 Level 3 PSA the new methodologies for
Level 3 PSA. The only exception is Sub-chapter 15.6 Seismic Margin Assessment,
which is bounding for HPC.
A PSA was developed for the GDA PCSR and this has been adapted to add specific
HPC features. The majority of the GDA Step 4 PSA [Ref. 15.6] is unchanged and is
applicable to the HPC site or is justified as bounding for the HPC site. A number of
exceptions exist, and these are identified in the sub-chapters and/or the Forward Work
Activities report [Ref. 15.26].
There are a number of GDA Out-of-scope Items that apply to the PSA. These include:
x
Applicability of data supporting the PSA FMEAs (Failure Modes and Effects
Analyses) for initiating event completeness and applicability of reliability data with
regard to test interval data – these remain out-of-scope for HPC PCSR2. However
the forward work plan identifies the short-term progress planned for these two issues.
x
Documentation supporting PSA – the GDA documentation (currently aligned with
GDA Step 3 PSA model not GDA Step 4) should be updated; but this will not happen
on the timescales of HPC PCSR2. The HPC PCSR2 PSA therefore continues to use
the logbooks (documentation amendments and notes produced by the GDA
Requesting Parties) produced for GDA Step 4 PSA as the document trail for PSA
information.
Page 154 of 230
Head Document
15.3
x
Site-specific systems and conventional island systems – there are a number of
systems that are not yet modelled in the PSA. For the HPC PCSR2 PSA the heat
sink has been added, but other systems still need to be incorporated into the model,
and this activity is included on the PSA forward work plan [Ref. 15.4].
x
PSA processes and procedures – the arrangements for production of the GDA PSA
(in AREVA) are continuing to be used for the HPC PCSR2 PSA; therefore the GDA
processes for PSA are applicable. In addition, significant progress has been made on
agreeing on the requirements for processes and procedures for further developing
the PSA within the Architect Engineer. Development and implementation of these
and other PSA processes and procedures will continue beyond HPC PCSR2.
Route Map
Sub-chapter 15.0 Safety Requirements and PSA Objectives [Ref. 15.27] presents the
PSA safety requirements and objectives that are considered for PCSR2. The subchapter reflects the NSDAPs [Ref. 15.1] rather than the ONR SAPs numerical risk
targets [Ref. 15.28]. The targets considered within the NSDAPs are the same or more
conservative than the equivalent targets in the ONR SAPs. The list of initiating events
(notably hazards) has also been updated relative to the Consolidated GDA PCSR 2011
PSA.
Sub-chapter 15.1 Level 1 PSA [Ref. 15.8] presents the basis for the modelling in the
Level 1 PSA. It presents the calculation of the CDF for internal initiating events, and
describes the accident sequences and key contributors for each internal bounding
initiating event.
Sub-chapter 15.2 PSA for Internal and External Hazards [Ref. 15.9] presents the basis
for the modelling of hazards in the HPC PSA. It reports on a screening exercise to
determine the full list of hazards that should be modelled within the HPC PSA (noting
that the implementation of this modelling will be staggered). The screening exercise is
reported in [Ref. 15.13]. This sub-chapter presents the calculation of CDF for internal
and external hazards. The hazards section takes account of the HPC site data and
deterministic hazards assessment presented in HPC PCSR2 Chapters 2 and 13
respectively.
Sub-chapter 15.3 PSA of Accidents in the Spent Fuel Pool [Ref. 15.19] presents the
basis for the modelling of faults in the SFP. It includes the addition of the impact of
including the UHS as a support system as well as the impact of the LUHS initiating
event. This sub-chapter presents the calculation of fuel damage frequency for the SFP.
The system descriptions and deterministic case for the SFP are presented in Subchapter 9.1 [Ref. 15.29].
Sub-chapter 15.4 Level 2 PSA [Ref. 20] presents the basis for the modelling in the Level
2 PSA. It includes discussions on the phenomena associated with containment bypass
and severe accidents. There has been no significant change to Level 2 modelling over
the GDA PSA model; however the results have been updated to take account of
modelling changes in the Level 1 PSA. This sub-chapter presents the calculation of LRF
and LERF. Further details of severe accident phenomena and the deterministic case are
presented in Sub-chapter 16.2 [Ref. 15.30].
Sub-chapter 15.5 Level 3 PSA [Ref. 15.21] presents the methodologies and calculations
of the on-site worker risk and the off-site individual and societal risk. This sub-chapter is
substantially different from the Consolidated GDA PCSR 2011 sub-chapter as the
Level 3 analysis has developed significantly.
Page 155 of 230
Head Document
Sub-chapter 15.6 Seismic Margin Assessment is unchanged from the Consolidated GDA
PCSR 2011 sub-chapter [Ref. 15.16]. Sub-chapter 2.2 [Ref. 15.15] provides the
demonstration that the GDA PCSR seismic hazard is bounding for the HPC site. A
seismic PSA strategy [Ref. 15.17] has been developed that proposes a staged,
integrated seismic PSA is developed for HPC. More detail of the deterministic approach
to the seismic hazard is provided in HPC PCSR2 Sub-chapter 13.1 [Ref. 15.31].
Sub-chapter 15.7 PSA Discussion and Conclusions [Ref. 15.12] presents the overall
results from the HPC PSA as well as analysis of the significant cutsets, importance
factors and uncertainty analysis. A number of sensitivity studies are presented that
provide additional insights into modelling conservatisms, design options, long-term
scenarios (i.e. greater than 24 hours) and potential improved data. It identifies the key
insights from the HPC PCSR2 PSA that are being used to risk inform the HPC design.
15.4
Conclusions
A site-specific PSA for the HPC site has been developed and used to demonstrate
compliance with the numerical targets of the SDOs defined in the NSDAPs [Ref. 15.1].
The majority of the numerical targets are met for a twin-reactor site, putting the
calculated risk in the ‘Broadly Acceptable’ region, with the following exceptions:
x
The calculated value for SDO-8 (risk of >100 fatalities) for the twin-reactor site at
HPC has not met the numerical target,
x
The BSOs in SDO-5 (worker risk assessments) are not met for some individual
accident doses.
For both targets it has been demonstrated that the NSDAPs principles have been met by
demonstrating the actual risk is below the target or by providing an ALARP argument.
The NSDAPs are therefore met for HPC with regard to doses to workers and the public
during accident conditions.
It is evident that with a small number of event groups providing a relatively high
contribution to CDF the current PSA does not demonstrate a fully balanced design
across dose and frequency bands. The PSA forward work plan [Ref. 15.4] captures the
need to review ways of specifically reducing the modelled risk from those initiating
events that provide a disproportionately large contribution to CDF through either ALARP
modifications or modelling improvements. In the event that future development of the
HPC PSA cannot demonstrate that any single fault group does not dominate risk, a
justification will be made that the risk associated with that fault group has been reduced
so far as is reasonably practicable. It is important to note that despite the dominance of
certain events the total CDF is low in comparison with the NSDAPs target.
There are some limitations in the current PSA modelling e.g. simplifications, and
initiating events, hazards and systems that are not yet included. The potential impact
that these limitations could have on the HPC calculated risk has been assessed to
provide confidence their elimination in future development of the PSA will not lead to an
excessive increase in overall risk.
An iterative process to identify design improvements using PSA was implemented
throughout the development of the EPR design. Consolidated GDA PCSR 2011
presented the results of this process at the time, and additional examples of more recent
improvements are presented in this chapter. For the HPC EPR, it is intended that
probabilistic assessments will continue to be used to risk-inform the detailed design as
the HPC design develops.
Page 156 of 230
Head Document
The current assessment of risk (modelled and unmodelled), sensitivity analysis and
discussion presented in this chapter provide sufficient confidence that the plant design
proposed for HPC will meet the SDO numerical targets and requirements laid out in the
NSDAPs. The current assessment of risk also presents a basis on which to make
ALARP assessments and judgements on the proposed plant design for HPC.
The current assessment of calculated risk as presented and reviewed within this section
demonstrates that, with respect to the SDO numerical targets and the requirements laid
out in the NSDAPs, an adequate baseline safety justification has been made to support
moving into the construction phase.
15.5
Ref
References
Title
Location
Document No.
15.1
Nuclear Safety Design Assessment Principles,
Version 1.0, March 2012
EDRMS
NNB-OSL-STA-000003
15.2
Strategy to Assess the Impact of Twin Reactor Site
on the PSA, Version 2.0, Sept 2012
EDRMS
15.3
HPC PCSR PSA Assumptions
15.4
HPC PCSR2 PSA Forward Work Plan, Issue 1, Aug
2012
EDRMS
HPC-NNBOSL-U0-000-REP000045
15.5
Assessment of Impact on Risk from Limitations in
the HPC PCSR2 PSA Model, Issue 1, Sep 2012
EDRMS
15.6
Consolidated GDA PCSR Sub-chapter 15.1 – Level
1 PSA, Issue 04, March 2011, EDF/AREVA
EDRMS
UKEPR-0002-151-04
15.7
Definition of Suitable & Sufficient PSA for HPC,
Current Draft 0.6, Jan 2012
EDRMS
15.8
HPC PCSR2 Sub-chapter 15.1 – Level 1 PSA,
Issue 2, Aug 2012
EDRMS
15.9
HPC PCSR2 Sub-chapter 15.2 – PSA for Internal
and External Hazards, Issue 1, Oct 2012
EDRMS
15.10
Update to PSA Model for HPC PCSR2, Rev A, July
2012
EDRMS
ECESN120461
15.11
Summary of the overall risk assessment for the
HPC NSL application, Version A, April 2010
EDRMS
ENFC100014
15.12
HPC PCSR2 Sub-chapter 15.7 – PSA Discussion
and Conclusions, Issue 1, Aug 2012
EDRMS
15.13
Hazards Screening Process for Hinkley Point C
Probabilistic Safety Analysis, (EDF-700-00004),
Issue 4, January 2012, Rolls Royce
EDRMS
15.14
Consolidated GDA PCSR 2011 Sub-chapter 15.2
PSA Regarding Internal and External Hazards,
Issue 04, March 2011, EDF/AREVA
EDRMS
UKEPR-0002-152-I04
15.15
HPC PCSR2 Sub-chapter 2.2– Verification of
Boundary Character of GDA Site Envelope, Version
2.0, January 2012
EDRMS
15.16
Consolidated GDA PCSR Sub-chapter 15.6 –
Seismic Margin Assessment, Issue 05, March
2011, EDF/AREVA
EDRMS
UKEPR-0002-156-I05
15.17
Seismic PSA Strategy, Version 1.0, March 2012,
Risktec
EDRMS
-
ENFCFI120035
Page 157 of 230
Head Document
Ref
Title
Location
15.18
GDA – New Civil Reactor Build, Step 4 Probabilistic
Safety Analysis Assessment of the EDF and
AREVA UK EPR™ Reactor, ONR-GDA-AR-11-019,
Revision 0, November 2011, HSE
http://www.hse.g
ov.uk/newreacto
rs/reports/stepfour/technicalassessment/uke
pr-psa-onr-gdaar-11-019-r-rev0.pdf
15.19
HPC PCSR2 Sub-chapter 15.3 – PSA of Accidents
in the Spent Fuel Pool, Issue 2, Aug 2012
EDRMS
15.20
Issue 2, July 2012
EDRMS
15.21
Issue 1, July 2012
EDRMS
15.22
Methodology for Assessing Worker Risk for the UK
EPR – Head Document, ENFCFF100382, Revision
B, September 2011, SEPTEN
EDRMS
15.23
Methodology for Assessing Worker Risk for the UK
EPR – Worker Release Categories,
ENTEAG100429, Revision B, December 2011,
SEPTEN
EDRMS
15.24
Methodology for UK societal risk level 3 PSA,
ENFCFF090213, Revision C, October 2010,
SEPTEN
EDRMS
ENFCFF090213C
15.25
Assessment of Societal Risk Results for HPC,
Issue 1, June 2012
EDRMS
15.26
Nov 2012
EDRMS
15.27
HPC PCSR2 Sub-chapter 15.0 – Safety
Requirements and PSA Objectives, Version 2.0,
March 2012, NNB
EDRMS
15.28
Safety Assessment Principles for Nuclear Facilities;
2006 Edition; Revision 1; HSE
15.29
Consolidated GDA PCSR Sub-chapter 9.1 – Fuel
Handling and Storage, Issue 03, March 2011,
EDF/AREVA
EDRMS
UKEPR-0002-091-I03
15.30
Consolidated GDA PCSR Sub-chapter 16.2 –
Severe Accident Analysis (RRC-B), Issue 04,
March 2011, EDF/AREVA
EDRMS
UKEPR-0002-162-I04
15.31
HPC PCSR2 Sub-chapter 13.1 – External Hazards
Protection, Issue 2, Aug 2012
EDRMS
HSE Website
Document No.
ONR-GDA-AR-11-019
N/A
Page 158 of 230
Head Document
Figure 15.1: Frequency Dose ‘Staircase’ for Results against SDO-5
Worker Risk Assessment for the UK EPR
1.00E+00
5
Tolerable if ALARP region
L1 PSA:WRB5
L1 PSA:WRB4
L2 PSA:CD (WDB5)
BSO
EXRV-05
PCC4-03b
L2 PSA: CD (WDB4)
PCC3-02
L1 PSA:WSAB3
L1 PSA:WRB9
L1 PSA:WSAB2
L1 PSA:WSAB0
PCC4-03a
BSL
PCC4-01
PCC4-02
L1 PSA:WAC1
L1 PSA:WRB3
PCC3-01
4
Unacceptable region
L2 PSA: CD (WDB3)
1.00E-06
3
EXRV-09
L1 PSA: WSAB1
LOSA-01 LOSA-12
LOSA-23
2
L1 PSA: WRB11
1.00E-05
L1 PSA:WTH2
LOSA-17,18,19
1.00E-04
LOSA-22
1.00E-08
1.00E-09
L1 PSA:WRB7
Broadly Acceptable Region
L1 PSA:WRB8
1.00E-07
LOSA-04
Frequency (y -1)
1.00E-03
L1 PSA:WRB10
LOSA-21
1.00E-02
LOSA-25
1.00E-01
L1 PSA:WTH0
1
EXRV-06
0
1.00E-10
0.1
WDB1
2
WDB2
20
WDB3
Dose to worker (mSv)
200
WDB4
2000
WDB5
Page 159 of 230
Head Document
Figure 15.2: Comparison of the Individual Risk Assessment Results to SDO-7
Doseband Staircase Diagram for public off-site
1.0E+00
0.1
1
10
100
1000
10000
Frequency (/ry)
1.0E-01
1.0E-02
1.0E-03
1.0E-04
1.0E-05
1.0E-06
1.0E-07
Dose (mSv)
Page 160 of 230
Head Document
16
RISK REDUCTION AND SEVERE ACCIDENT ANALYSES
16.1
Summary
This document summarises the contents of the HPC PCSR2 Chapter 16 sub-chapters,
which for the purposes of HPC PCSR2, are the same as those of Consolidated GDA
PCSR 2011. The demonstration of risk reduction and severe accident analysis in HPC
PCSR2 will use the same methods and computer codes as used for Consolidated GDA
PCSR 2011. However it will consider in conjunction with a forward work plan measures
to confirm the Consolidated GDA PCSR 2011 results, address those currently out-ofscope of the GDA and take account of design changes and HPC site-specific
parameters (e.g. heat sink temperature). Chapter 16 covers assessments, either
deterministic or probabilistic, which address the reactor in abnormal conditions that are
considered as either beyond the design basis or as DECs. Conditions within the design
basis are addressed within Chapter 14.
The Consolidated GDA PCSR 2011 DBA (Chapter 14) is applicable to HPC since no
new HPC site-specific DBA faults have so far been identified. The faults themselves,
their initiating event frequency, plant characteristics, assumptions and assessment
criteria are unchanged from the GDA and the range of faults suitably represents HPC
scenarios. The report Identification and Review of the Safety Implications of a Twin
Reactor Design for HPC [Ref. 16.1] indicates that the twin reactors are largely
independent in terms of faults and the Consolidated GDA PCSR 2011 assumptions and
modelling is applicable. Additionally, the radiological consequences of DBFs on the twinreactor site show no increase compared to reactors in isolation.
The selection of severe accident scenarios and their assessment in Consolidated GDA
PCSR 2011 are applicable to HPC because the generic design features and design
criteria are unchanged for HPC. This will be confirmed when detailed design data
become available. The Consolidated GDA PCSR 2011 severe accident analysis also is
applicable for HPC in consideration of the three particular scenarios demonstrated to be
practically eliminated. The Consolidated GDA PCSR 2011 specific studies concerning
loss of coolant are considered applicable to HPC, and this will be confirmed by sitespecific fault studies where necessary.
16.1.1 Risk Reduction via Extended Design Conditions
In the UK EPR defence-in-depth approach discussed in Consolidated GDA PCSR 2011,
the RRC-A is introduced to complement the deterministic list of DBFs by considering a
set of DECs due to multiple failure events (see Sub-chapter 16.1). Sub-chapter 15.1
covers the Level 1 probabilistic analysis of internal initiating events, including the
multiple failure events relevant to the DECs. The analysis of DECs is performed using
both deterministic and probabilistic considerations and leads to the identification of
additional safety features (or RRC-A features) that make it possible to prevent the
occurrence of severe accidents in these complex situations. The RRC-A sequences are
studied in a deterministic manner, through best estimate RRC-A accident analysis, to
analyse the design of RRC-A features. The Consolidated GDA PCSR 2011 RRC-A
analysis concludes that either safety analysis criteria are met, or that in the case of loss
of spent fuel cooling the associated radiological release is negligible.
Page 161 of 230
Head Document
16.1.2 Severe Accident Analysis (RRC-B)
Sub-chapter 16.2 of Consolidated GDA PCSR 2011 reports the assessment of severe
accidents (RRC-B) for the UK EPR.
Severe accidents are analysed as RRC-B sequences, and such accidents are
characterised as those resulting in fuel rod failure, degradation of the structural integrity
of the reactor core and release of radioactive fission products into the reactor coolant
system or beyond. Such an event can only occur after the loss of multiple safety
functions and sustained loss of core cooling leading to elevated core temperatures
resulting from residual heat. The increased temperatures can lead to melting of the
reactor core and failure of the vessel, and ultimately can threaten the integrity of the
containment building to perform its confinement function.
The Consolidated GDA PCSR 2011 RRC-B results confirm that the dose rate due to
radiation from radionuclides deposited on the ground and the effective whole body dose
are much lower than the long term objectives.
16.1.3 Practical Elimination
In the EPR context, ‘practical elimination’ refers to the implementation of specific design
measures for reducing the risk of a large early release of radioactive material to the
environment to an insignificant level. To achieve practical elimination each type of
accident sequence that could lead to a large early release of radioactivity is examined
and addressed by design measures. Demonstration of practical elimination of an
accident sequence may involve deterministic and/or probabilistic considerations, and
takes into account uncertainties due to the limited knowledge of physical phenomena
involved in severe accident analysis. Consolidated GDA PCSR 2011 concludes that the
following scenarios are practically eliminated:
x
Certain situations related to severe accidents:
o HPCM accident and DCH,
o Steam explosions leading to failure of the containment,
o Hydrogen combustion processes endangering containment integrity.
x
Rapid reactivity insertion,
x
Containment bypass,
x
Fuel damage in the SFP.
16.1.4 Specific Studies
Studies presented in Consolidated GDA PCSR 2011 Sub-chapter 16.4 assess fault
scenarios that have in the past been considered for PWR designs. For EPR they are
considered to be effectively ruled out by design, but have been assessed to establish
the robustness of the design and to provide conservative input data for other
assessments.
Safety criteria in relation to these fault sequences have been defined in Consolidated
GDA PCSR 2011 Sub-chapters 16.4 and 14.6, and are the radiological limits set for the
plant (PCC-4, see Chapter 14). The following fault scenarios are considered within Subchapter 16.4:
x
Double ended break of the main coolant line (2A-LOCA),
Page 162 of 230
Head Document
x
Double ended break of the main steam line outside the containment,
x
SGTR (1 tube) with main steam line break,
x
SGTR (1 tube) with VDA [MSRT] stuck open,
x
Multiple SGTR (10 tubes in one steam generator at power),
x
Spurious actuation of the RPR [PS].
All of the PCC-4 fault conditions are addressed and demonstrated as being met, either
by radiological analysis or justified as precluded by design.
16.1.5 Functional Diversity
The purpose of Consolidated GDA PCSR 2011 Sub-chapter 16.5 is to demonstrate the
adequacy of the UK EPR design functional diversity.
Functional diversity is addressed for all PIEs with a frequency greater than 10-3/r.y as
these have higher protection requirements. Diversity is demonstrated for all frequent
faults at the equipment level through the plant level safety functions, which in turn satisfy
the UK EPR MSFs. Since some events are clearly more bounding than others for a
given plant level safety function, a comprehensive review of the transients is performed
to select the limiting events before their examination by calculations.
The demonstration of the UK EPR design functional diversity in Chapter 16.5 was
completed based on the GDA fault schedule (see Sub-chapter 14.7), and by using
methodologies similar to those for the DBA discussed in Chapter 14.
16.1.6 Computer Codes Used for RRC-A & RRC-B Analyses
Appendix 16A of Consolidated GDA PCSR 2011 presents the computer codes used for
RRC-B analyses for the UK EPR. The codes used for RRC-A analysis in Sub-chapter
16.1 are the same as those used for DBA and are presented in Chapter 14.
Codes presented in Consolidated GDA PCSR 2011 Sub-chapter 16A have undergone
validation and verification. This is a continual process, as is the resulting improvement of
the codes.
16.1.7 4900 MW Safety Analyses used in Chapter 16
The Consolidated GDA PCSR 2011 assessments for all faults have been undertaken
assuming a thermal power of 4500MW, with one exception, discussed below.
Small Break LOCA without LHSI System (RRC-A)
The initiating event is a postulated small break located in the cold leg of the reactor
coolant piping system. A small break is defined as a leak with an equivalent diameter of
less than 5.0 cm or a cross-sectional area of less than 20 cm2.
The RRC-A event is identified by the combination of the initiating event and the total loss
of a relevant safety system. The total loss of the LHSI system is assumed to be caused
by a CCF. In accordance with the RRC-A guidelines, no additional failures (e.g. single
failure or emergency power mode) are postulated in the required systems in order to
reach the final steady state of the transient.
The sequence of events is reported in Consolidated GDA PCSR 2011 Appendix 16B.
In summary, in the small break LOCA (SB(LOCA)) with loss of LHSI scenario the final
state is characterised by:
Page 163 of 230
Head Document
x
Long-term core subcriticality ensured by boration via MHSI and/or the RBS [EBS],
x
Residual heat removal ensured by steam generator and the EVU [CHRS]/
RRI [CCWS]/SEC [ESWS],
x
Activity release is under control since all barriers, i.e. fuel, RCP [RCS] boundary and
containment maintain their full integrity.
The generic analysis of this RRC-A fault presented for GDA was completed using a
thermal power of 4900MW. This is conservative relative to the HPC thermal power of
4500MW.
16.2
The detail of this subject is presented in Consolidated GDA PCSR 2011 Sub-chapters
16.1-16.5 and Appendices 16A and 16B [Refs. 16.3-16.9]. These are applicable for
HPC, despite some caveats discussed in the Section 16.2.1 below. Figure 17 illustrates
the document structure for Chapter 16.
16.2.1.1 Sub-chapter 16.1 – Risk Reduction Categories (RRC-A)
For the purposes of HPC PCSR2, Sub-chapter 16.1 of Consolidated GDA PCSR 2011 is
applicable to HPC. This is on the basis that:
x
The range of faults is considered suitably representative of the range of multiple
failure event scenarios that will be considered in future HPC submissions, be they
analysed within or beyond the design basis.
x
The RRC-A fault scenarios in future HPC PCSR submissions will be judged against
the same deterministic criteria used for Consolidated GDA PCSR 2011. There is
some overlap between the RRC-A analysis and the diversity analysis in Sub-chapter
16.5 that may have a structural impact on future submissions of the HPC PCSR.
x
Chapter 14 indicates that the existence of two reactor units does not challenge any of
the DBA modelling assumptions or assessment methodologies within Consolidated
GDA PCSR 2011. No new DBA faults are identified, and the low number of new
initiating events reflects the independence of the two units. Also, the calculated
radiological consequences of PCC or RRC-A internally initiated faults are no higher
for two reactors than for one.
16.2.1.2 Sub-chapter 16.2 – Severe Accident Analysis (RRC-B)
Analysis undertaken in Consolidated GDA PCSR 2011 Sub-chapter 16.2 has assumed a
thermal power of 4500MW (consistent with HPC), and with input assumptions that are
bounding and therefore apply to HPC for the purpose of this submission. No site-specific
analyses have been undertaken for HPC PCSR2, and the main input data for the
Consolidated GDA PCSR 2011 studies are not modified in HPC PCSR2 (in particular
those related to the Reactor Building geometry and the EVU [CHRS] performance). The
rules for scenario selection and the set of severe accidents assessed are applicable to
the HPC site because the generic EPR design features and design criteria influencing
them are unchanged in HPC. At this stage the detailed design data are not fully defined
to update this analysis or to formally establish that all aspects of the design are
adequately represented in the Consolidated GDA PCSR 2011 analysis. In future safety
submissions analysis will use either HPC site-specific data or justify the use of UK EPR
Reference Design values. Since severe accidents are normally assessed at the best
Page 164 of 230
Head Document
estimate level, it may be necessary to be less bounding than the Consolidated GDA
PCSR 2011 to adequately inform the Operational Strategy for Severe Accidents (OSSA).
Nevertheless, the severe accidents analysis that demonstrates the robustness of the UK
EPR GDA design is confirmed to be applicable to HPC in support of the safety case for
construction of the plant.
16.2.1.3 Sub-chapter 16.3 – Practical Elimination
Situations Related to Severe Accidents
The analyses of severe accidents completed for Consolidated GDA PCSR 2011 (see
Sub-chapter 16.2) are adequately bounding and therefore are applicable to HPC. The
three particular scenarios demonstrated to be practically eliminated also are applicable.
Rapid Reactivity Insertion
Rapid Reactivity Insertion as a result of a heterogeneous boron dilution fault is the
subject of GDA Issue GI-UKEPR-FS-01.
Containment Bypass
Containment bypass event sequences will be considered within the site-specific PSA,
and though considered to be practically eliminated their contribution to overall risk will be
assessed.
Fuel Damage in the Spent Fuel Pool (SFP)
Because the SFP is not located in the containment building, it must be demonstrated
that spent fuel damage conditions in the pool as a result of failed cooling and/or pond
water loss are practically eliminated.
Faults occurring during fuel handling will be considered as part of the site-specific fault
analysis and the PSA as PCC-4 faults, and are not considered as practically eliminated.
16.2.1.4 Sub-chapter 16.4 – Specific Studies
Double Ended Break of the Main Coolant Line (2A-LOCA)
The potential consequences of this scenario depend on the chosen fuel type and core
design, and thus will require reassessment for HPC. It is expected that the outcome will
not significantly change; no fuel ruptures will be predicted and the maximum fuel
cladding temperature limit of 1200°C with margins will not be exceeded. Margin is
present in the Consolidated GDA PCSR 2011 assessment due to the bounding nature of
the core design options presented.
Double Ended Break of the Main Steam Line Outside the Containment
Main Steam Lines Inside the Reactor Building
Even though the 2A steam line break upstream of the VIV [MSIV] is not postulated with
respect to the assessment of core behaviour, due to the application of the break
preclusion concept, this fault is considered in the PCC-4 analysis as a bounding case
covering all PCC events.
Main Steam Lines Outside the Reactor Building
The Departure from Nucleate Boiling (Ratio) (DNB(R)) criterion is met, with the PCC-4
2A-SLB case being considerably more onerous than the two cases of VDA [MSRT]
branch connection break and main steam line guillotine break. Chapter 14 provides
further discussion of this criterion and will present the results of future site-specific
PCC-4 fault studies.
Page 165 of 230
Head Document
Steam Generator Tube Rupture Assessments
In the Consolidated GDA PCSR 2011 assessment of this fault the initial state is at 102%
nominal power. A conservative residual heat curve is used to represent the residual heat
history following the reactor trip. However, there is a potential impact from site-specific
fuel and core design and reactor trip settings that will be determined by site-specific fault
studies. It is anticipated that the GDA assessment will be confirmed as bounding.
16.2.1.5 Sub-chapter 16.5 – Functional Diversity
The applicability of the Consolidated GDA PCSR 2011 assessment of functional
diversity to HPC is confirmed based on the applicability of the GDA PCSR fault schedule
and the DBA. The justifications in Chapter 14 that support the applicability of GDA PCSR
Sub-chapter 16.5 for HPC PCSR2 include the following:
x
The DBFs identified in the GDA PCSR are applicable to HPC,
x
The DBF initiating event frequency designations for HPC are the same as the
Consolidated GDA PCSR 2011 designations,
x
The analysis in Sub-chapter 16.5 used the same initial and boundary conditions as
the DBA discussed Consolidated GDA PCSR 2011 Chapter 14. Section 14 confirms
that for the purposes of HPC PCSR2 these plant characteristics are suitably
representative of those that will be used in HPC-specific DBA analysis. The Single
Failure Criterion, preventative maintenance and LOOP are not considered in addition
to the loss of low level safety function.
The safety criteria applied for the analysis in Consolidated GDA PCSR 2011 Subchapter 16.5 are confirmed in Chapter 14 as applicable to HPC.
16.2.1.6 Sub-chapter Appendix 16A – Computer Codes Used for RRC-B Analyses
The codes presented in Consolidated GDA PCSR 2011 and their validation are
applicable to HPC.
16.2.1.7 Sub-chapter Appendix 16B – 4900 MW Safety Analyses used in Chapter 16
Small Break LOCA Without LHSI System (RRC-A)
The generic analysis of this RRC-A fault presented for GDA and HPC PCSR2 was
completed using a thermal power of 4900MW. This is conservative relative to the HPC
thermal power of 4500MW. Once analysis of this fault at 4500MW has been performed,
the information in HPC PCSR2 will be replaced in subsequent safety reports.
No site-specific severe accident analysis has been performed for submission in HPC
PCSR2. Applicability statements are made above to confirm, where possible, that the
safety assessments presented in Consolidated GDA PCSR 2011 are either directly
applicable to, or suitably representative of, HPC. Future analysis on a site-specific basis
will, if required, be based on the site-specific detailed design data when it is available.
No specific items have been identified in the GDA Out-of-scope letter of April 2011
[Ref. 16.2] in relation to severe accidents. However items originating in other topic areas
(e.g. PSA & Human Factors) may have a bearing on the contents of Sub-chapter 16.2,
and this will be considered during detailed design.
Those items with an impact on DBF studies and RRC-A faults have been identified in
Chapter 14.
Page 166 of 230
Head Document
16.3
Route Map
The scope of Consolidated GDA PCSR 2011 Chapter 16 applicable for HPC PCSR2 is:
x
Sub-chapter 16.1 Risk Reduction Analysis (RRC-A) [Ref. 16.3] is introduced to
complement the deterministic list of DBFs by considering a set of DECs due to
multiple failure events.
x
Sub-chapter 16.2 Severe Accident Analysis (RRC-B) [Ref. 16.4] reports the
deterministic assessment of severe accidents (RRC-B) for UK EPR.
x
Sub-chapter 16.3 Practically Eliminated Situations [Ref. 16.5] reports those accident
sequences assessed to be practically eliminated. To achieve practical elimination
each type of accident sequence that could lead to a large early release of
radioactivity is examined and addressed by design measures.
x
Sub-chapter 16.4 Specific Studies [Ref. 16.6] reports an assessment of six faults
previously considered for PWR designs. These are nominally outside the design
basis of the EPR design but have been included for the UK EPR.
x
Sub-chapter 16.5 Adequacy of the UK EPR Design Regarding Functional Diversity
[Ref. 16.7] reports the demonstration of the adequacy of functional diversity for the
GDA UK EPR design.
x
Sub-chapter Appendix 16A Computer Codes Used in Chapter 16 [Ref. 16.8]
describes the computer codes used to analyse severe accidents within Chapter 16
and in support of Level 2 PSA.
x
Sub-chapter Appendix 16B 4900 MW Safety Analysis used in Chapter 16 [Ref. 16.9]
reports on a specific RRC-A fault that has been assessed at an increased reactor
power beyond the proposed UK EPR power of 4500MW.
RRC-A analysis presented in Sub-chapter 16.1, specific studies in Sub-chapter 16.4 and
functional diversity presented in Sub-chapter 16.5 are linked to the fault analysis in
Chapter 14 Design Basis Analysis. These analyses will be developed further for HPC
under the programme for forward work described in Chapter 14.
The severe accident analysis (RRC-B) in Sub-chapter 16.2 is consistent with the
calculations in the Level 2 PSA described in Sub-chapter 15.4 and demonstrates that
the severe accident safety features are correctly designed. The Level 2 PSA is the
probabilistic assessment of the risk from severe accidents that are deterministically
addressed in Sub-chapter 16.2.
Scenarios considered practically eliminated in Sub-chapter 16.3 depend on severe
accident analysis (Sub-chapter 16.2), fault studies (Chapter 14) in the case of boron
dilution, and Chapter 14 for faults on the SFP.
16.4
Conclusions
The demonstration of risk reduction and severe accident analysis presented for HPC
PCSR2 is the same as that for Consolidated GDA PCSR 2011. The safety assessments
demonstrate that the risks associated with the UK EPR design are acceptably low. No
new HPC-specific DBA faults have so far been identified and the range of faults
identified in Consolidated GDA PCSR 2011 are directly applicable or suitably
representative of HPC.
It should be noted that implications of the ISFS on the severe accident analysis are yet
to be considered. This will occur when the design is at a suitable stage of development,
Page 167 of 230
Head Document
but the contribution to the severe accident analysis is anticipated to be negligible from
the ISFS.
Future HPC safety submissions will provide further analysis, where required, based on
site-specific parameters (e.g. heat sink) and detailed design data. These are expected to
confirm the robustness of the design and that estimates of risk are not significantly
different.
NNB GenCo expects that the results of the site-specific studies will confirm that the
Consolidated GDA PCSR 2011 risk reduction and severe accident analysis is bounding
for HPC and that risks will be acceptably low.
16.5
References
Ref
Title
Location
Document No.
16.1
UK EPR Hinkley Point Project: “Identification and
Review of the Safety Implications of a Twin
Reactor Design for HPC”, Issue 6 May 2012
EDRMS
16.2
EDRMS
ND(NII)
EPR00836N,
but
replaced
by
UKEPR-I-002, the GDA
reference design, which
includes the out of
scope items
16.3
GDA PCSR Sub-chapter 16.1 – Risk Reduction
Analysis (RRC-A) Issue 06, March 2011
EDRMS
UKEPR-0002-161-I06
16.4
GDA PCSR Sub-chapter 16.2 – Severe Accident
Analysis (RRC-B) Issue 04, March 2011
EDRMS
UKEPR-0002-162-I04
16.5
GDA PCSR Sub-chapter 16.3 – Practically
Eliminated Situations Issue 03, March 2011
EDRMS
UKEPR-0002-163-I03
16.6
GDA PCSR Sub-chapter 16.4 – Specific Studies
EDRMS
UKEPR-0002-166-I03
16.7
GDA PCSR Sub-chapter 16.5 – Design
Functional Diversity Issue 00, March 2011
EDRMS
UKEPR-0002-167-I00
16.8
GDA PCSR Appendix 16A – Computer Codes
used in Chapter 16 Issue 03, March 2011
EDRMS
UKEPR-0002-164-I03
16.9
GDA PCSR Appendix 16 B – 4900 MW safety
analyses used in Chapter 16 Issue 05, March
2011
EDRMS
UKEPR-0002-165-I05
Page 168 of 230
Head Document
17
ALARP ASSESSMENT
17.1
Summary
This section of the Head Document summarises the ALARP assessment for the
proposed twin-reactor site at HPC presented in HPC PCSR2 Chapter 17 sub-chapters,
and provides an overview of the HPC-specific ALARP supporting studies, several of
which are still in development.
Chapter 17 of Consolidated GDA PCSR 2011 provides the demonstration that the
design of a generic UK EPR complies with the overall requirements of the ALARP
principle. This demonstration is applicable to HPC as the basis of the safety case for the
HPC design.
The UK EPR design can be seen as having been developed in three main phases:
x
EPR Conceptual Design (as summarised in Sub-chapter 17.2 [Ref. 17.1]),
x
GDA (as reported by Chapter 17),
x
(HPC) Nuclear Site Licensing.
Appropriate optioneering of the UK EPR design has been provided in Consolidated GDA
PCSR 2011 Sub-chapters 17.3 [Ref. 17.2] and 17.5 [Ref. 17.3]. An approved ALARP
methodology [Ref. 17.4] was used in the production of Consolidated GDA PCSR 2011,
and this methodology is also applied to the development of modifications to the UK EPR
design for HPC by the Architect Engineer. Modifications to the UK EPR for HPC are
controlled by the Architect Engineer via a Project Instruction [Ref. 17.5] that ensures UK
context aspects including ALARP are appropriately addressed.
In order to substantiate the HPC site-specific aspects of the design, a number of HPCspecific ALARP studies have been initiated, several of which are ongoing. HPC –
Overview of the ALARP Assessment of Design Modification [Ref. 17.6] summarises
those HPC studies that are mature (with the exception of the heat sink reported in
[Ref. 17.7] and some supporting ALARP studies produced specifically for Chapter 11).
Section 17.3 below also identifies the ALARP assessments supporting Chapter 11.
Future HPC-specific ALARP studies will form part of subsequent safety reports and
other associated safety justifications (see the HPC PCSR2 Forward Work Activities
report [Ref. 17.8]).
Where appropriate an integrated approach to optioneering has been taken for ALARP
and Best Available Techniques (BAT) aspects of these HPC-specific design provisions.
The twin-reactor site report [Ref. 17.9] provides a review of GDA generic site aspects in
the specific context of HPC. This report concludes that, based on the level of design
detail currently available, it is expected that there will be no significant increase in the
level of risk per unit associated with the twin-unit site configuration of HPC compared
with the Consolidated GDA PCSR 2011 baseline. This, together with the ALARP
assessment of the plot plan (reported in Sub-chapter 2.3 [Ref. 17.10]), provides a basis
for concluding that the HPC site configuration will be ALARP, and that if any gaps are
identified these can resolved at the appropriate time. The twin-reactor site report was
specifically used during preparation of the ALARP assessment of the plot plan so that
specific hazards presented by a twin-reactor site were subject to ALARP consideration
at an early stage.
Page 169 of 230
Head Document
A general review of HPC PCSR2 has been carried out against the NNB GenCo NSDAPs
and this is reported in Chapter 3. Identified gaps from this review will be justified where
appropriate by specific ALARP assessments, and provision for this is included in the
Forward Work Activities for ALARP (see the HPC PCSR2 Forward Work Activities report
[Ref. 17.8]).
17.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 17.1,
17.2, 17.3, 17.5 and 17.6. Consolidated GDA PCSR 2011 Sub-chapter 17.4 has been
omitted from HPC PCSR2 to avoid duplication of information given in Chapter 15.
Figure 18 illustrates the document structure for Chapter 17.
Sub-chapter 17.1 of Consolidated GDA PCSR 2011 outlines the UK ALARP requirement
and guidance for its application.
Sub-chapter 17.2 captures the historical basis for the EPR design and provides a
qualitative description of the incorporation of relevant good practice into the design
evolution, together with identification of codes and standards.
Sub-chapter 17.3 documents a number of historical EPR design optioneering aspects
presented specifically for the GDA. It is therefore a ‘backward looking’ record, and as
such is not exhaustive with respect to the full extent of EPR design optioneering for the
HPC site. This methodology is being carried forward for the site-specific application.
Sub-chapter 17.4 has been deleted from HPC PCSR2 as this repeats Level 3 PSA
results from Chapter 15. A site-specific PSA model has been developed for HPC, and
the calculations have been updated and are presented in Sub-chapter 15.5.
Sub-chapter 17.5 describes the GDA ALARP methodology including qualitative and
quantitative assessment of design options. The results are based on the GDA PSA
model and they justify GDA design options that are not impacted by the site-specific
Reference Design. Therefore, although the detailed HPC PSA results are different from
GDA PSA, the ALARP conclusions in Consolidated GDA PCSR 2011 are applicable to
HPC. The ALARP conclusions are unlikely to change for the options considered in GDA
PSCR Sub-chapter 17.5. However, this needs to be confirmed in the future with a review
of the HPC-specific PSA model.
Sub-chapter 17.6 reports the ALARP conclusions and confirms that GDA PCSR Subchapters 17.1–17.5 provide adequate substantiation of the GDA design. For HPC, sitespecific ALARP studies have been completed or are planned in order to support the
same conclusion for the HPC site-specific design.
For the purposes of HPC PCSR2, Consolidated GDA PCSR 2011 Sub-chapters 17.1,
17.2, 17.3, 17.5 and 17.6 are applicable. Sub-chapter 17.4 is not applicable as it is
superseded by the HPC-specific results presented in Sub-chapter 15.5.
Consolidated GDA PCSR 2011 provides the current generic safety case for the UK EPR.
The HPC plant and site have some variations from the generic safety case, as a result of
factors such as the twin-reactor design and the local geography, geology and
environment. Hence, in addition to the GDA PCSR, HPC PCSR2 justifies the sitespecifically as required.
Page 170 of 230
Head Document
17.3
Route Map
x
Sub-chapter 17.1 Explanation of ALARP Requirement [Ref. 17.11].
This sub-chapter identifies the legal requirement/basis for demonstration of ALARP
in the UK. The primary internal HPC PCSR2 interfaces are:
o Sub-chapter 17.2 Demonstration of Relevant Good Practice in EPR Design,
o Chapter 15 Probabilistic Safety Assessment.
x
Sub-chapter 17.2 Demonstration of Relevant Good Practice in EPR Design
[Ref. 17.1];
This sub-chapter summarises the relevant good practices and standards applied in
the EPR design process. In particular, information is presented on the following:
o Review of the experience of EPR designers and a summary of the review and
assessment process applied to the design. Summary of R&D effort
underpinning the EPR design,
o Review of the design codes used in EPR design, taken from Consolidated
GDA PCSR Sub-chapter 3.8. Reference is made to international/national
codes,
o Use of operational feedback from French and German plants in optimising EPR
design,
o Discussion of a comparison of the EPR design against the ONR SAPs to
confirm that all key nuclear safety requirements embodied in the SAPs are met
by the EPR design.
This sub-chapter also addresses PSA methodology for risk-informed design as used
in Consolidated GDA PCSR 2011. The Head Document section for Chapter 15 of
HPC PCSR2 states how this is being updated for HPC.
x
Sub-chapter 17.3 EPR Design Optioneering [Ref. 17.2];
This sub-chapter describes the optioneering process carried out in France and Germany
between 1987 and 2006 to develop the EPR design, and the design review carried out
by independent safety experts on behalf of the French and German safety authorities. It
presents the outcome of the design optioneering processes in terms of the principal
design options that were selected and rejected to achieve a balanced design that
minimised risk to workers and the public, while achieving practical constructability and a
cost-effective design. The rationale for the evolution of the design, and the
improvements from predecessor designs, are explained along with the reasons why
certain features were selected and others rejected.
This sub-chapter also provides an analysis of the risk informing of the EPR design
during the design evolution phase.
x
For HPC, the results of the Level 3 PSA are reported in HPC PCSR2 Sub-chapter
15.5 [Ref. 17.12]. The PSA model and results that were presented in the GDA have
been updated to reflect HPC-specific features in Sub-chapter 15.5. Further
development is required to fully represent the HPC site, and this is managed in the
context of the overall PSA development and the PSA forward work plan [Ref. 17.13].
Specifically, the updated content of Sub-chapter 15.5 addresses the statements
made below in Sub-chapter 17.4 of Consolidated GDA PCSR 2011 [Ref. 17.14]:
Page 171 of 230
Head Document
o 2.2.1 Individual risk,
GDA PCSR Sub-chapter 17.4 contains a commitment that the first analysis of
worker risk will be updated as part of the detailed design and site licensing
phase.
HPC PCSR2 Sub-chapter 15.5 presents the first analysis of worker risk and the
public individual risk for the HPC site, and demonstrates that where the
analysis produces results above the BSO they are considered to be ALARP.
o 2.2.2 Societal risk,
GDA PCSR Sub-chapter 17.4 contains a commitment that a more detailed
analysis of accident consequences would be provided as part of site licensing
taking into account the site characteristics. The GDA conclusion also stated
that the BSO is “likely to be met”.
Taking into account the twin-reactor arrangement of the HPC site, the updated
analysis for HPC presented in HPC PCSR2 Sub-Chapter 15.5 exceeds the
BSO target. However, the assessment [Ref. 17.15] demonstrates that this is
mostly attributable to modelling conservatisms and at this stage of PSA
development can be considered ALARP.
o 2.2.3 Conclusions.
GDA PCSR Sub-chapter 17.4 contains a statement that the BSO risk targets
are “likely to be met”.
For HPC, comparison against the NNB GenCo NSDAPs SDOs numerical
targets, which are fully aligned with the BSOs, confirms this (with the exception
of societal risk discussed above).
x
Sub-chapter 17.5 Review of Possible Design Modifications to Confirm Design Meets
ALARP Principle [Ref. 17.3];
This sub-chapter considers both additional modification options that have been
requested by US and Finnish regulators in their assessment of the EPR design and
design variants implemented in the Sizewell B PWR, and assesses whether these
are warranted for the design of the UK EPR under the UK principles of ALARP. None
of the potential ALARP modifications addressed within this sub-chapter were
considered to be reasonably practicable when assessed within a quantitative ALARP
methodology.
There is an apparent omission here, in that specific consideration of steam turbine
driven options for the provision of diversity (as implemented at Sizewell B) has not
been demonstrated. This is of potential significance post-Fukushima. This has been
addressed in GDA under Technical Query 39018 (originally raised under the Fault
Studies topic area, but the issue is also cross-cutting) wherein the options for steam
drive feed were rejected. The Requesting Parties in GDA judged that this response
did not need to be explicitly incorporated in Consolidated GDA PCSR 2011, but
reconsideration of the various options is being undertaken within the HPC project.
In response to the lessons learned from Fukushima and GDA Issues, some areas of
design are being revisited within the HPC project. These new design optioneering
studies will include reconsideration of options and demonstration that the risk will be
ALARP. The specific areas of design that are to be revisited are:
18
The response to TQ390 has not been subjected to NNB DR&A and so is not formally incorporated into the HPC safety case.
Page 172 of 230
Head Document
o Diverse means for providing emergency feedwater to the steam generators,
o Installed diesel-driven fire pump capability,
o Investigation of options for further systems or equipment to control containment
overpressure,
o Cross connection between individual trains of safety systems (electrical and
fluid),
o Severe accident management guidelines (to incorporate Fukushima lessons
learned),
o Further studies on the management of hydrogen accumulation in the Fuel
Building.
x
Sub-chapter 17.6 Conclusions of EPR ALARP Assessment [Ref. 17.16];
This sub-chapter summarises the preceding sub-chapters and concludes that the
design of the UK EPR complies with the overall requirements of the ALARP principle.
There are also a number of supporting studies relevant to the ALARP topic area:
x
A compliance assessment of HPC PCSR2 has been carried out against the NNB
GenCo NSDAPs (see Section 3). Identified gaps will be subject to appropriate
ALARP assessment, and provision for this is included in the Forward Work Activities
[Ref. 17.8].
x
The twin-reactor site report provides a review of GDA generic site aspects in the
specific context of HPC. This report was not specifically focused to consider ALARP
aspects. However, together with the qualitative ALARP assessment of the plot plan
(in support of Sub-chapter 2.3), it provides a basis for concluding that the HPC site
configuration will be ALARP.
x
The following HPC ALARP studies are summarised in [Ref. 17.6]:
o Demonstration for ILW transfers from HQC Unit 2 to HQA-HQB Unit 1,
o Justification of the HPC stack height,
o Justification for the installation of a site-wide groundwater drainage gallery.
x
ALARP assessment of the HPC heat sink is reported in [Ref. 17.7].
x
The following HPC ALARP studies are referred to in Chapter 11:
o ALARP demonstration for resin transfers from HQC Building to HQA-HQB
Buildings,
o Demonstration for ILW transfers from HQC Unit 2 to HQA-HQB Unit 1,
o The choice of interim spent fuel management storage technology for the HPC
UK EPRs,
o Management of solid waste arising from the operation of the ISFS (HHK
building).
17.4
Conclusions
The demonstration of ALARP presented for HPC PCSR2 is the same as that for
Consolidated GDA PCSR 2011. The safety assessments demonstrate that, taking into
account the documented design development/optimisation of the plant and also the
Page 173 of 230
Head Document
formal assessment of the plant against potential modifications (identified through a
review of international assessment of the EPR design and a review of Sizewell B plant
features not present within the EPR design), the UK EPR design will be ALARP. These
ALARP reviews are directly applicable to the generic aspects of HPC.
The HPC site plot plan involves an assessment against the ALARP principle, and the
twin-reactor report presents a qualitative ALARP assessment (a quantitative ALARP
assessment will follow within HPC PCSR3). Where there are significant site-specific
deviations from Consolidated GDA PCSR 2011 (e.g. waste, heat sink, ISFS, etc.)
relevant individual ALARP studies have been carried out for HPC PCSR2.
There is a high level of compliance of the UK EPR with the NNB GenCo NSDAPs that
provides additional assurance that the design process will reduce the risk to ALARP.
Future HPC safety submissions will provide further ALARP demonstration where
required based on site-specific detailed design information as it becomes available.
The current demonstration of ALARP as presented and reviewed within this section
demonstrates that, with respect to the requirements laid out in the NSDAPs, an
adequate baseline safety justification has been made to support moving into the
construction phase.
17.5
Ref
References
Location
Document No.
17.1
GDA PCSR Sub-chapter 17.2 Demonstration
of Relevant Good Practice in EPR Design
Issue 3, March 2011
Title
EDRMS
UKEPR-0002-172-I03
17.2
GDA PCSR Sub-chapter 17.3 EPR Design
Optioneering Issue 3, March 2011
EDRMS
UKEPR-0002-173-I03
17.3
GDA PCSR Sub-chapter 17.5 Review of
Possible Design Modifications to Confirm
Design Meets ALARP Principle, Issue 3,
March 2011
EDRMS
UKEPR-0002-175
17.4
UK EPR ALARP Methodology to Support the
Design Modification Process, ENSNDR100088
Rev A, July 2010
EDRMS
UKX-EDFENE-XX-000REP-000001
17.5
UK EPR – Management of Design Changes
and Technical Consistency with Other EPR
Projects, Rev A
Serapis
INS-UKEPR-313
17.6
HPC – Overview of the ALARP Assessment of
Design Modification, Rev A, Nov 2011
EDRMS
17.7
Heat Sink Summary Document, Issue 2.0, Jan
2012
EDRMS
HPC-NNBOSL-U0000-RET-000011
17.8
HPC PCSR2 Forward Work Activities, Issue
1.0, Nov 2012
EDRMS
17.9
Identification and Review of the Safety
Implications of a Twin-reactor Design for HPC,
Issue 6, April 2012
EDRMS
HPC-NNBOSL-U0000-RET-000020
17.10
EDRMS
HPC-NNBOSL-U0ALL-RET-000001
17.11
GDA PCSR Sub-chapter 17.1 Explanation of
ALARP Requirement Issue 3, March 2011
EDRMS
UKEPR-0002-171
17.12
HPC PCSR2 Sub-chapter 15.5 Level 3 PSA,
Issue 1, July 2012
EDRMS
Page 174 of 230
Head Document
Ref
Location
Document No.
17.13
PCSR2 PSA Forward Work Plan, Issue 1, Aug
2012
Title
EDRMS
17.14
GDA PCSR Sub-chapter 17.4 Review of PSA
results – Comparison with Numerical Risk
Targets, Issue 3, March 2011
EDRMS
UKEPR-0002-174
17.15
ALARP argument for HPC Level 3 PSA
Societal Risk, Issue 1, June 2012
EDRMS
17.16
GDA PCSR Sub-chapter 17.6 Conclusions of
EPR ALARP Assessment, Issue 3, March
2011
EDRMS
UKEPR-0002-176
Page 175 of 230
Head Document
18
HUMAN FACTORS AND OPERATIONAL ASPECTS
18.1
Summary
18.1.1 Human Factors
The overall objectives of the UK EPR Human Factors Engineering (HFE) programme are
to minimise both the potential for human error and the impact of those errors on the
plant, personnel and the environment.
The following summarises the existing Human Factors safety assessment as presented
in Consolidated GDA PCSR 2011 Sub-chapter 18.1 [Ref. 18.1]:
x
The Consolidated GDA PCSR 2011 Human Factors safety assessment shows that
Human Factors benefit has been applied to the UK EPR design by using an
evolutionary and operational experience driven Human Factors approach,
x
Significant Human Factors engineering effort has been applied to the development of
key Human Factors programme elements such as the MCR design (Human Factors
engineering includes the use of error reduction techniques within the design of
control systems and plant),
x
The overall quantitative Human Factors risk assessment is conservative and is
sufficient for the generic stage of the design programme (refer to Chapter 15
Probabilistic Safety Assessment),
x
A comprehensive programme of Human Factors work has been agreed with ONR
and commissioned by EDF/AREVA to resolve the applicable GDA Issue; this work is
ongoing,
x
The HPC Human Factors programme will address the GDA Assessment Findings in
an appropriate and timely manner. The scope and content of this programme will be
subject to review by ONR in the course of their regulatory intervention with NNB
GenCo.
Further details of the expected scope of the developing Human Factors safety
assessment are presented as part of the Forward Work Activities (see the HPC PCSR2
Forward Work Activities report [Ref. 18.2]). PSA insights will be used to inform the work
programme for Human Factors (see Section 15 for more information on the PSA).
18.1.2 Normal Operation
Operating documents will be defined to ensure that the plant is operated within the
safety case assumptions and requirements. HPC PCSR2 Sub-chapter 18.2 Normal
Operations [Ref. 18.3] outlines the methods that will provide operating limits to ensure
that design limits19 are not exceeded for the UK EPR at HPC.
19
There are several sources of parameters and values that form the design limits and conditions:
x
Regarding systems design: claims typically are made on structural integrity in terms of loading conditions that systems will
have to face (thermal-hydraulic conditions in circuits and buildings, nature and number of transients to meet) and chemical
provisions in circuits,
x Regarding faults: claims are made for each plant state on thermal-hydraulic conditions in circuits, systems performance,
systems availability, neutronic parameters.
Page 176 of 230
Head Document
The objectives for normal operation are:
x
To manage normal scheduled operating transients and certain specific operations
involving unplanned events,
x
Compliance with the safety case, within the design limits established for the plant.
The first objective is achieved using the normal operating principles and procedures.
The second objective is achieved by establishing operating rules to control plant
unavailability so that the plant is maintained within the operating envelope justified by
the safety analyses. These operating rules will be presented in the OTS.
Detailed operating instructions are used to ensure that the plant is operated within the
limitations and boundaries imposed by the OTS. These cover routine plant manoeuvres,
and responses to incident or accident scenarios and to alarms.
Chemical and radiochemical parameters are controlled and monitored to ensure
compliance with the safety analysis. These parameters are principally related to control
of coolant activity, material structural integrity and fuel performance and integrity.
Periodic testing is performed to guarantee that the system performance identified in the
fault studies is maintained throughout the plant lifetime. The tests are carried out
according to preset frequencies, procedures and plant configurations.
Preventive maintenance is carried out on static components during planned outages to
ensure the integrity of safety systems. In the UK it is required that a PSI is conducted
before first fuel load followed by ISIs during operations.
The NSL requires the licensee to implement adequate arrangements for the regular and
systematic examination, inspection, maintenance and testing of all plant that may affect
safety. The results are retained as an operational record for demonstrating the safe
status of the plant
Mechanical equipment can be damaged by thermo-hydraulic transients. The integrity of
each safety-related nuclear component is demonstrated in a ‘stress report’, which takes
into account the anticipated number of transients (during normal, incident and accident
conditions) over the plant lifetime. Overall integrity is ensured by confirming that the
loading conditions taken into account in the initial design substantiation within the stress
report are bounding with respect to the actual loadings and transient situations
experienced by the components during their lifetime. The occurrence of each situation
on each plant is thus recorded, and if the number of permitted occurrences is exceeded
the continued integrity of the component(s) must be justified by calculation.
18.1.3 Abnormal Operation
During abnormal operation the plant must be maintained in a safe state. Two different
plant operating categories are defined to achieve this:
x
Emergency operation,
x
Severe accident management.
Emergency operations cover all transients, incidents and accidents addressed in the
safety case (PCC-2, PCC-3, PCC-4, RRC-A conditions) and define the operator actions
needed to restore the plant to a safe and stable state, including transfer to cold
shutdown using the RRA [RHRS] where necessary.
The State Oriented Approach (SOA) will be used for developing the Emergency
Operating Procedures (EOP). The SOA is appropriate because even for an unlimited
Page 177 of 230
Head Document
number of possible combinations of events or failures these combinations can only lead
to a limited number of plant physical states. The physical state can be characterised
from a list of six state functions, which can be maintained or recovered within defined
limits using parameters that can be monitored by design instrumentation. The SOA
results in a finite number of strategies irrespective of the sequence of events.
The SOA is a self-adjusting and continuous process of permanent diagnosis of the plant
state, and also caters for errors in diagnosis as the ‘looping’ strategy means that the
operator will have sight of an error made on the previous loop. The required strategy can
also change in the case of degradation of the plant state. In a similar way SOA is also a
potential recovery mechanism for errors.
Severe accident management corresponds to core melt scenarios (RRC-B) and defines
post-accident mitigation measures that will be employed following a severe accident to
prevent a significant release of radioactive material in the event of a low-pressure core
melt (note that a high-pressure core melt has been eliminated as a credible event
through the design of the UK EPR units).
LC 11 and the Radiation Emergency Preparedness and Public information Regulations
(REPPIR) require the production of emergency plans to restrict exposure to ionising
radiation and ensure the health and safety of all persons on site and in the surrounding
area. Consolidated GDA PCSR 2011 uses generic principles of a typical UK emergency
plan.
18.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapters 18.1
[Ref. 18.1] and 18.3 [Ref. 18.4], and in HPC PCSR2 Sub-chapter 18.2 [Ref. 18.3]. Figure
19 illustrates the document structure for Chapter 18.
18.2.1.1 Human Factors
Consolidated GDA PCSR 2011 Sub-chapter 18.1 [Ref. 18.1] was produced at the end of
GDA Step 4, and is undergoing significant revision as part of the GDA resolution
process. However for the purpose of HPC PCSR2 the entirety of this sub-chapter is
applicable.
18.2.1.2 Normal Operation
HPC PCSR2 Sub-chapter 18.2 [Ref. 18.3] has been produced using the contents of the
equivalent document in Consolidated GDA PCSR 2011, with no technical changes and
only a reorganisation of the information to draw chemistry aspects together.
18.2.1.3 Abnormal Operation
The detail of this topic is presented in Consolidated GDA PCSR 2011 Sub-chapter 18.3
[Ref. 18.4]. Consolidated GDA PCSR 2011 Sub-chapters 18.3.1 to 18.3.4 are applicable
to HPC PCSR2. Sub-chapter 18.3.4 Emergency Planning will be subject to further
revisions as a consequence of learning from the Fukushima event.
18.2.2.1 Human Factors
The Human Factors safety assessment for the UK EPR Reference Design presented
within Consolidated GDA PCSR 2011 Sub-chapter 18.1 [Ref. 18.1] has been assessed
Page 178 of 230
Head Document
by the ONR in the GDA Step 4 Human Factors assessment report [Ref. 18.5] to fall short
of providing an adequate Human factors safety assessment to allow pouring of nuclear
island safety-related concrete at HPC.
This assessment led the ONR to identify one GDA Issue and eight GDA Assessment
Findings relevant to the start of construction (refer to the HPC PCSR2 Forward Work
Activities report [Ref. 18.2]).
In response to the ONR assessment a significant amount of Human Factors work has
been commissioned both by the GDA Requesting Parties and by NNB GenCo to resolve
the shortfalls of the Human Factors assessment. This will result in a completely revised
GDA PCSR Human Factors safety assessment and the implementation of a
comprehensive Human Factors Integration Plan (HFIP) aligned to the HPC engineering
programme, to ensure that Human Factors is properly integrated into the detailed
design, construction, commissioning and operation of HPC in a timely and appropriate
manner.
The revised GDA Human Factors safety assessment, and the Human Factors analysis
that provides its supporting basis, have not yet been completed, although according to
the resolution programme agreed with the ONR they will be available in time to support
the start of construction.
Significant elements of the Human Factors contribution to the safety case have been
declared out-of-scope of the GDA [Ref. 18.6]. These activities will be addressed as part
of the Forward Work Activities [Ref. 18.2].
The Human Factors implications of the twin-reactor site are out-of-scope of the GDA and
will be addressed as part of the Forward Work Activities [Ref. 18.2].
18.2.2.2 Normal Operation
Consolidated GDA PCSR 2011 covers the generic principles for production of OTS.
Corrective measures and timescales for where plant availability falls outside the
operating envelope are outside the scope of GDA. NNB GenCo will apply PSA
techniques to the generic OTS to develop risk informed OTS for HPC, and will put in
place arrangements for the development, implementation, monitoring, updating and
modifying of OTS documentation.
Consolidated GDA PCSR 2011 identifies that certain operating requirements (fire, overpressurisation protection, RPV brittle fracture) may either feature in the OTS or in
separate operating documents. NNB GenCo will develop an appropriate documentation
structure to include these requirements.
Consolidated GDA PCSR 2011 identifies chemical and radiological parameters that are
to be managed, and sets the preliminary limiting values. NNB GenCo will put in place a
process that manages the control and monitoring of these parameters, and that also
manages the case where a control parameter is breached.
Consolidated GDA PCSR 2011 provides indicative values for occurrences of loading
conditions assumed for the mechanical design analysis. NNB GenCo will prepare a
schedule of thermo-hydraulic loading conditions so that compliance with the design
assumptions can be monitored.
NNB GenCo will develop processes to ensure that each fuel load is compliant with the
requirements of the bounding values of nuclear design.
The Consolidated GDA PCSR 2011 exhaustive analysis documents give the
recommended periodic testing programme. NNB GenCo will convert these into
Page 179 of 230
Head Document
operational documentation to include any additional requirements from the equipment
supplier or maintenance schedule. NNB GenCo will also validate the GDA intervals for
periodic testing and the operational parameters during commissioning.
Consolidated GDA PCSR 2011 is limited to demonstrating equipment accessibility and
feasibility, as well as to outline programmes for PSI, ISI and preventive maintenance,
equipment accessibility and redundancy for the maintenance programme. NNB GenCo
will develop detailed ISI/PSI and Examination, Maintenance, Inspection and Testing
(EMIT) programmes. The latter will include specification of maintenance intervals,
recommendations from the designer and Reliability Centred Maintenance (RCM)
principles.
As for Consolidated GDA PCSR 2011, a schedule of thermo-hydraulic transients,
containing the associated assumed number of transients is provided to a future licensee
as an interface document. NNB GenCo will develop a process to record transients as
they occur on the plant and to ensure that the number of occurrences is not exceeded.
A number of items in the GDA Out-of-scope letter of April 2011 [Ref. 18.7] are relevant
to this topic. These are listed below with the NNB GenCo positions:
x
Topic Area 4 PSA, Item 2 – The methods of risk informing UK EPR OTS are being
considered and developed by the Operational Documentation Working Group,
x
Topic Area 4 PSA, Item 5 – The development of periodic testing schedules is part of
the scope of the Operational Documentation Working Group,
x
Topic Area 5 Fault Studies, Item 2 – Derived safety circuit settings will be
incorporated into the OTS as appropriate,
x
Topic Area 5 Fault Studies, Item 3 – OTS will include site-specific radiological
consequences limits,
x
Topic Area 9 Reactor Chemistry, Item 1 – All chemistry limits will be defined as
part of an operational chemistry strategy,
x
Topic Area 13 Human Factors, Items 1-6 – Significant Human Factors support for
this topic area will be required. This will be captured as part of the overall Human
Factors Integration (HFI) programme (see Sub-chapter 18.1),
x
Topic Area 18 Cross-cutting, Item 3 – Mid-loop level and nozzle dams within the
safety case will be derived as required.
These commitments are listed within the Forward Work Activities [Ref.18.2] and as they
pertain to operations do not need completing prior to commencement of construction.
18.2.2.3 Abnormal Operation
Consolidated GDA PCSR 2011 Sub-chapter 18.3.2 gives the principal requirements of
EOP. Consolidated GDA PCSR 2011 Sub-chapter 18.3.3 gives the generic operating
principles used during severe accident conditions. NNB GenCo will produce the detailed
operating instructions from upstream documents defining and justifying the operating
strategy for emergency procedures. Consolidated GDA PCSR 2011 Sub-chapter 18.3.4
gives the generic principles of a typical UK emergency plan. NNB GenCo will develop a
specific emergency plan and an emergency handbook for the HPC site, and also work
with local authorities in developing an off-site emergency plan that caters for the needs
of the increased collective site needs.
Two items in the GDA Out-of-scope letter of April 2011 [Ref. 18.7] are relevant to this
topic. These are listed below with the NNB GenCo position:
Page 180 of 230
Head Document
x
Topic Area 13 Human Factors, Items 3 and 4 – Detailed implementation (highlevel concepts are in the GDA scope) of operating and maintenance procedures and
use of SOA – NNB GenCo is developing these procedures through the Operational
Documentation Working Group.
These commitments are listed within the Forward Work Activities [Ref. 18.2] and as they
pertain to operations do not need completing prior to commencement of construction.
18.3
Route Map
18.3.1 Human Factors
Consolidated GDA PCSR 2011 Sub-chapter 18.1 Human-Machine Interface [Ref. 18.1]
includes the following sections:
x
Section 18.1.0 presents the safety requirements,
x
Sections 18.1.1 and 18.1.2 introduce the HFE programme,
x
Sections 18.1.3 and 18.1.4 address the HMI systems and design principles,
x
Section 18.1.5 outlines the general principles for implementing an adequate training
programme,
x
Section 18.1.6 summarises the impact of Human Factors on the EPR safety analysis.
It interfaces with Chapter 14 Design Basis Analysis, Chapter 15 Probabilistic Safety
Assessment and Chapter 16 Risk Reduction and Severe Accident Analyses.
18.3.2 Normal Operation
HPC PCSR2 Sub-chapter 18.2 Normal Operation [Ref. 18.3] presents the arrangements
for normal plant operation in the following sections:
x
Section 18.2.1 sets out the principles of normal operation,
x
Section 18.2.2 covers normal operating procedures,
x
Section 18.2.3 presents the design and operating limits and conditions,
x
Section 18.2.4 describes the principles, requirements and process for periodic
testing,
x
Section 18.2.5 outlines ISI and the maintenance regime,
x
Section 18.2.6 addresses operational chemistry control.
18.3.3 Abnormal Operation
Consolidated GDA PCSR 2011 Sub-chapter 18.3 Abnormal Operation [Ref. 18.4]
describes the arrangements for abnormal plant operation in the following sections:
x
Section 18.3.1 provides a summary of approach to abnormal operation,
x
Section 18.3.2 addresses HPC EOP and their use,
x
Section 18.3.3 addresses HPC severe accident management procedures and their
use,
x
Section 18.3.4 addresses HPC site emergency planning arrangements.
Page 181 of 230
Head Document
18.4
Conclusions
The Human Factors safety assessment presented in HPC PCSR2 shows that Human
Factors engineering has been applied to the UK EPR design by using an evolutionary
and operational experience driven approach. The assessment has examined the normal
and abnormal (emergency response and severe accident management) operation of the
proposed UK EPR units at HPC. This work has included the development of key Human
Factors programme elements such as the MCR design (including the application of error
reduction techniques within the design process). This programme of work, as well as the
proposed Forward Work Activities, ensures that the risks from operator error during
normal operation will be reduced to ALARP within the detailed design of the UK EPR
units proposed for HPC.
The development of the SOA, which is being deployed within the EPR fleet, ensures that
the appropriate response to an emergency situation is selected by an operator, and that
a recovery mechanism for any errors made during the emergency response is available.
This ensures that the risks from operator error during an emergency situation are
reduced and that the risks from an operator making an irretrievable error are reduced so
far as is reasonably practicable.
Utilising the current human factor safety assessments, and following the completion of
the associated Forward Work Activities, NNB GenCo is confident that the risks from
human factors and operational aspects will have been appropriately assessed and will
be reduced to ALARP.
18.5
Ref
References
Title
Location
Document No.
18.1
Consolidated GDA PCSR sub-chapter 18.1
(March 2011) version, Issue 05
EDRMS
UKEPR-0002-181-I05
18.2
Nov 2012
EDRMS
18.3
HPC PCSR2 Sub-chapter 18.2 - Normal
Operation, Issue 1, Sept 2012
EDRMS
18.4
Consolidated GDA PCSR subchapter 18.3 (2011)
version Issue 02 (March 2011)
EDRMS
UKEPR-0002-183-I02
18.5
GDA Step 4 Generic Design Assessment – New
Civil Reactor Build, Step 4 Human Factors
Assessment of the EDF and AREVA UK EPR™
Reactor, ONR-GDA-AR-11-028, Revision 0,
November 2011, HSE.
http://www.hse.gov.uk/ne
wreactors/reports/stepfour/technicalassessment/ukepr-hf-onrgda-ar-11-028-r-rev-0.pdf
ONR-GDA-AR-11-028
18.6
EDRMS
18.7
EDRMS
ND(NII) EPR00836N
Page 182 of 230
Head Document
19
COMMISSIONING
19.1
Summary
The purpose of commissioning is to undertake a structured programme of inspection and
testing to verify the functionality of plant and equipment and validate that it meets the
design intent. It is intended that the primary means of verification and validation will be
by empirical testing. This process will support compliance with LC 21 (Commissioning).
In the context of the HPC safety case, the principal goal of the commissioning process is
to demonstrate that the safety requirements placed on SSCs, as defined in HPC PCSR2
Sub-chapter 3.2, have been met by the installed plant when tested against the design
basis. Additionally commissioning provides the opportunity to train operations staff and
to test the operating rules, procedures and instructions.
By engaging in systematic testing of SSCs from an early stage, a comprehensive
portfolio of test data will be collated to provide confidence in progressing to subsequent
stages of commissioning and ultimately into commercial operation.
Initial testing of plant and equipment will occur during Factory Acceptance Testing (FAT)
and the commissioning process will commence with non-active commissioning before
proceeding through radioactive commissioning to final takeover of the plant.
Information gathered during the commissioning process will be used in support of both
the PCmSR and POSR.
Compliance with the requirements of LC21 will be in accordance with the strategy
described in the LC21 compliance matrix [Ref. 19.1].
19.2
The detail of this topic is given in Consolidated GDA PCSR 2011 Sub-chapter 19.0
[Ref. 19.2] and HPC PCSR2 Sub-chapter 19.1 [Ref. 19.3]. Figure 20 illustrates the
document structure for HPC PCSR2 Chapter 19.
Consolidated GDA PCSR 2011 Sub-chapter 19.0 is applicable to HPC and is included in
HPC PCSR2. It is intended that this information will be later developed in support of
subsequent safety report documentation as discussed in the HPC PCSR2 Forward Work
Consolidated GDA PCSR 2011 Sub-chapter 19.1 has been replaced in the HPC PCSR
with an updated version to include aspects of the HPC-specific commissioning
programme in place of the generic information contained in the GDA PCSR.
There are no GDA Out-of-scope Items [Ref. 19.5] that require inclusion in the scope of
works for commissioning in support of HPC PCSR2.
A discussion of future development of commissioning processes to address GDA Out-ofscope Items beyond HPC PCSR2 is included in the HPC PCSR2 Forward Work
Page 183 of 230
Head Document
19.3
Route Map
x
Consolidated GDA PCSR 2011 Sub-chapter 19.0 Commissioning Safety
Requirements [Ref. 19.2] outlines the regulatory framework for nuclear and nonnuclear safety during the commissioning process by identifying key primary
legislation (Acts of Parliament) and secondary legislation (Regulations and other
Statutory Instruments). While the list provided by Consolidated GDA PCSR 2011 is
not exhaustive, it is sufficient to convey the intent to ensure that commissioning will
comply with all of the relevant safety principles mandated by the regulatory
stakeholders.
The sub-chapter identifies that the key aspects of the early stages of developing the
commissioning strategy are to define the commissioning programme and the
commissioning programme organisation.
x
HPC PCSR2 Sub-Chapter 19.1 Plant Commissioning Programme [Ref. 19.3]
introduces the outline of the commissioning programme incorporating the period from
turnover of equipment from the erection contractor to takeover of the tested plant.
In summary, it is intended that commissioning will comprise two principal phases:
o Pre-operational testing supporting the PCmSR and request for ONR consent to
receive fuel on site,
o Initial start-up and operational testing supporting the POSR and request for
ONR consent to commence commercial operation.
These phases will be further divided into systematic test regimes as discussed in
HPC PCSR2 Sub-chapter 19.1.
The following elements of HPC PCSR2 influence or inform the content of HPC PCSR2
Chapter 19 and the intent of the commissioning process:
x
Consolidated GDA PCSR 2011 Sub-chapter 1.4 Compliance with Regulations
identifies the obligation under LC17 to implement a management system for all
phases of design and construction, including commissioning.
x
Consolidated GDA PCSR 2011 Sub-chapter 1.5 Safety Assessment and
International Practice identifies the requirement for commissioning test results to
support the ONR consent points.
x
Consolidated GDA PCSR 2011 Sub-chapter 3.1 General Safety Principles and 3.8
Codes and Standards Used in the EPR Design state that the design, construction
and commissioning of the plant will be carried out according to international,
European and national standards and codes.
x
Consolidated GDA PCSR 2011 Sub-chapter 3.2 Classification of Structures,
Equipment and Systems provides the fundamental techniques for assessment of
SSCs and in turn informs the commissioning process.
x
HPC PCSR2 Chapter 21 HPC PCSR Management Framework, Design Development
and Use and QA Arrangements identifies the general NNB GenCo arrangements for
the management of safety design, construction, commissioning and operational
safety and change control.
Page 184 of 230
Head Document
19.4
Conclusions
HPC PCSR2 Chapter 19 outlines the NNB GenCo requirements and the regulatory
framework for nuclear and non-nuclear safety during commissioning and the
commissioning programme for demonstrating that the plant installed meets its design
intent.
The information provided in Chapter 19, including the development of strategy, systems
and programme, provides the confidence that NNB GenCo can commission the design
at HPC.
19.5
Ref
References
Title
Location
Document No.
19.1
Compliance Matrix, Licence Condition: 21 –
Commissioning, Issue 1, Feb 2011
EDRMS
NNB-OSL-MAT-000021
19.2
Consolidated GDA PCSR Sub-chapter 19.0
Commissioning Safety Requirements (March
2011) version, Issue 03
EDRMS
UKEPR-0002-190-I03
19.3
HPC PCSR2 Sub-chapter 19.1 Plant
Commissioning Programme, Issue 1, May 2012
EDRMS
19.4
Nov 2012
EDRMS
19.5
EDRMS
ND(NII) EPR00836N
Page 185 of 230
Head Document
20
DECOMMISSIONING
20.1
Summary
Decommissioning of the HPC site will be undertaken at the end of the operating life of
the power station. However, decommissioning activities have to be considered at all
stages of the life of the facility, from its design stage until the end of decommissioning
operations. The aim of the decommissioning chapter of HPC PCSR2 is to ensure
compliance with the safety objectives during all decommissioning activities. These safety
objectives are to bring the plant to a safe and stable state, and to dismantle and dispose
of the structures and equipment from the site at an appropriate time and in a manner
that is both safe and effective, thus permitting the site to be reused for future purposes.
Compliance with these objectives includes, in particular, the requirement to show that
the radiation dose received by the decommissioning workforce and the public will be
ALARP, and that the production of radioactive waste will be minimised.
In order to satisfy these objectives, this chapter aims to demonstrate that
decommissioning can be satisfactorily undertaken following normal operation and any
DBFs using currently available technology or reasonable extensions of it. Encompassed
by the objectives is the need to ensure the safety of the plant during any potential
passive phase between stages of decommissioning.
The level of detail on decommissioning provided in the safety case will be periodically
reviewed and updated throughout the lifetime of the facility. A full decommissioning
safety case will be produced in the last few years of station operation, before the start of
any decommissioning activities.
Generic information on decommissioning of the UK EPR was provided as part of the
GDA process [Refs. 20.1 & 20.2]. Greater detail is included in the HPC Detailed
Decommissioning and Waste Management Plan ((D)DWMP) [Ref. 20.3] and other
supporting documents produced in the context of the Funded Decommissioning
Programme (FDP). HPC PCSR2 Chapter 20 draws upon the information available in
these documents, but focuses on details relevant to safety such as NNB GenCo’s
approach to radiological and nuclear safety in decommissioning, in particular in terms of
adherence to the SAPs [Ref. 20.4], dose limits and exposure assessment. Potential
hazards and faults encountered during decommissioning have been identified as well as
their potential consequences where there could be significant exposure of the workforce
or releases of radioactivity. The precautions taken to avoid their occurrence and mitigate
their consequences are discussed.
Chapter 20 also identifies the faults within the design basis of the HPC site that can lead
to significant plant degradation and radiological consequences, and considers how the
subsequent decommissioning task would need to be modified from that currently
planned. This includes consideration of some of the design features that assist in the
decommissioning of the plant following a DBF.
An estimated inventory of radioactive materials that will be present following the final
shutdown of the HPC reactors is provided, including fuel, accumulated operational
wastes, fixed activated structures and contaminated structures, and materials requiring
ultimate disposal.
Page 186 of 230
Head Document
20.2
The detail of this topic is given in HPC Sub-chapters 20.1-20.7. Figure 21 illustrates the
The decommissioning safety assessment for the UK EPR design is presented in
Consolidated GDA PCSR 2011 Sub-chapters 20.1 and 20.2 [Ref. 20.1] and the
supporting document [Ref. 20.2]. The GDA documentation has formed the basis of the
HPC PCSR2 decommissioning chapter and has been made site-specific for HPC by
alignment with the HPC (D)DWMP. The GDA PCSR provides a starting point for HPC
PCSR2, but because of the need to develop the data to represent a twin-reactor site,
including an Interim ILW Store and an ISFS, a HPC-specific decommissioning chapter
has been prepared rather than referencing the GDA PCSR extensively.
The HPC (D)DWMP has been used extensively to describe the decommissioning of the
power station, and forms the basis of extending the GDA PCSR to HPC.
Consolidated GDA PCSR 2011 Sub-chapters 20.1 and 20.2 are applicable to HPC, with
the following caveats:
x
The content of the sub-chapters has been updated to incorporate the level of
information provided in the supporting document [Ref. 20.2], and has been
subdivided within HPC PCSR2 Sub-chapters 20.1 to 20.7.
x
Consolidated GDA PCSR 2011 Sub-Chapter 20.2 Section 4.4 provides
decommissioning waste estimates. However, these were based on preliminary
calculations and provided for a single-unit site (GDA scope). More complete
information is available in the HPC (D)DWMP [Ref. 20.3] and has been included in
HPC PCSR2 Sub-chapter 20.2.
The following items were not included in the scope of the decommissioning topic for the
GDA:
1)
Twin-reactor site:
a) Impact on decommissioning activities (two units sharing some facilities),
b) Impact on decommissioning schedule and sequence of activities,
c) Impact on waste volumes,
d) Impact on reuse of some buildings during decommissioning,
e) Post-fault decommissioning.
2)
Site-specific topics:
a) Internal and external hazards assessment and measures to prevent or mitigate
radiological and conventional risks,
b) Presence of the ISFS and Interim ILW Store, and requirement for a standalone phase for the ISFS (only briefly mentioned in Reference 2).
The structure of Consolidated GDA PCSR 2011 Chapter 20 has been modified
significantly for HPC PCSR2 Chapter 20 to incorporate the information available in the
supporting document [Ref. 20.2] and in the HPC (D)DWMP. NNB GenCo considers that
Page 187 of 230
Head Document
the information available on decommissioning is sufficient to support the safety
justification for moving into the construction phase.
HPC PCSR2 Chapter 20 has been divided into seven sub-chapters to address the
following points:
1)
The regulatory and licensing requirements relevant to the post-operation and
decommissioning phases,
2)
The principal sources of radioactivity after final shutdown and the anticipated
inventory of the major components likely to be active at the end of generation,
along with the inventory of the estimated waste produced during the
decommissioning phase,
3)
The general procedures that are expected to be adopted for station
decommissioning, the outline plan for station decommissioning following normal
operation, the features that will assist in plant dismantlement, the management of
decommissioning waste up to the point of safe transit across the site boundary
(before disposal at a GDF) and the regime of controls,
4)
The procedures implemented to ensure adequate storage and retrieval of
information so that records of plant construction and operation are available in
sufficient detail to allow the station to be safely decommissioned,
5)
The approach to radiological protection to be adopted during decommissioning,
6)
The approach to minimisation of the radiological consequences of faults during the
post-operation and decommissioning phases,
7)
The approach to
decommissioning.
establishing
the
procedures
for
potential
post-fault
A Decommissioning Safety Case (DSC) will be produced during the final operating years
of the station and before any decommissioning activities begin, and will continue to be
developed as decommissioning progresses. Further details of decommissioning
activities will be provided in subsequent safety reports (PCmSR, POSR and SSR) and
during the lifetime of the facility. Decommissioning activities start five years before the
shutdown of Unit 1, with the commencement of planning for decommissioning.
Out-of-scope items for HPC PCSR2 Chapter 20 include a dose assessment for the
workforce and for the public during decommissioning activities. At this pre-construction
stage there is insufficient material data available to undertake these site-specific
assessments. Qualitative considerations regarding the dose received by the workforce
and public during decommissioning are however included in HPC PCSR2, and a
quantitative dose assessment for decommissioning will be undertaken during the
production of future safety documents to support decommissioning activities, i.e. the
facility operational safety case and the DSC. Hazard analyses will be performed at the
detailed planning stage to ensure decommissioning operations can be conducted safely,
and individual decommissioning activities will be assessed to identify any safety
measures that may be employed to reduce radiation dose rates on and off site. Overall,
the fault analysis carried out to support the DSC will result in a fault schedule together
with identification of the protection measures and administrative controls provided to
ensure that public and workforce doses will be maintained ALARP.
Page 188 of 230
Head Document
20.3
Route Map
The decommissioning safety assessment for the UK EPR is presented in HPC PCSR2
Chapter 20, arranged as follows:
x
Sub-chapter 20.1 Decommissioning Regulatory and Licensing Requirements
[Ref. 20.5] summarises the current policy and regulatory framework applicable to the
post-operation decommissioning phase of HPC.
x
Sub-chapter 20.2 Sources of Radioactivity in Decommissioning [Ref. 20.6] describes
the sources of radioactivity generated during the decommissioning of the following
plant/areas:
o Nuclear island,
o Interim stores (Interim ILW Store and ISFS),
This sub-chapter also provides an estimate of secondary waste generated during
various decontamination and dismantling activities, and an inventory of radioactive
material at commencement of decommissioning, such as:
o Waste from the clean-up of the building surfaces,
o Filters and ion exchange resins arising from decommissioning activities,
o Secondary waste from the use of equipment and material in decommissioning,
o Plant and equipment used for decommissioning.
x
Sub-chapter 20.3 General Procedures for Decommissioning [Ref. 20.7] outlines the
significant aspects of the Early Site Clearance (ESC) decommissioning strategy for
the twin-reactor site at HPC. It describes the decommissioning plan developed for
the dismantling of the site in accordance with this strategy, with a focus on those
aspects that are newly introduced for decommissioning and that would not be
already covered by the operational safety case. While the management of spent fuel
and ILW after end of generation is discussed, the processes, operations and safety
aspects are covered in Sub-chapter 11.5 of HPC PCSR2 and ultimately the
operational safety case.
x
Sub-chapter 20.4 Records and Knowledge Management for Decommissioning
[Ref. 20.8] addresses the ongoing management of records generated during design,
construction and operation, and before end of generation. It also overviews the
knowledge management required for decommissioning, the management of
knowledge and records generated during decommissioning, and the records retained
subsequently. As such, this section describes the characteristics of the records, the
information and knowledge management systems required to ensure secure
retention of relevant records and knowledge and to facilitate its transfer between all
stages of the power station lifecycle.
x
Sub-chapter 20.5 Hazards during Decommissioning [Ref. 20.9] provides an outline
hazard assessment for the decommissioning of the HPC power station to
demonstrate that it can be decommissioned in a safe manner. A detailed assessment
of the hazards and risks associated with HPC decommissioning has not been
undertaken at this stage, nor have workforce and public dose assessments, although
qualitative considerations are included. The measures taken to eliminate the hazards
as far as reasonably practicable in the design, to limit the severity of hazards and to
mitigate the consequences should any hazard occur are discussed. This section also
provides an outline of the assumed status of the plant and safety case at the
Page 189 of 230
Head Document
commencement of decommissioning activities. This sub-chapter interfaces with HPC
PCSR2 Chapter 13 Hazards Protection.
20.4
x
Sub-chapter 20.6 Faults during Decommissioning [Ref. 20.10] identifies and outlines
the potential faults during decommissioning and their consequences, where there
could be a significant risk of exposure to the workforce or releases of radioactivity
and the precautions taken to avoid their occurrence and mitigate their consequences.
This sub-chapter provides a qualitative fault analysis that demonstrates that all
phases of HPC decommissioning can be undertaken safely.
x
Sub-chapter 20.7 Post-Accident Decommissioning [Ref. 20.11] discusses fault
conditions identified by the design basis for HPC that can lead to plant degradation
and radiological consequences, and considers how the subsequent
decommissioning task would need to be modified from that currently planned. It also
refers to some of the plant design features that assist in the decommissioning of the
plant following a fault occurrence. Overall it is expected that none of the faults
identified would prevent the plant from being decommissioned safely. However it is
expected that recovery and additional pre-decommissioning work will be required,
along with the development of alternative decommissioning procedures for degraded
plant items.
Conclusions
HPC PCSR2 Chapter 20 outlines the decommissioning activities and their compliance
with the safety objectives. These are to bring the plant to a safe and stable state, and to
dismantle and dispose of the structures and equipment from the site at an appropriate
time and in a manner that is both safe and effective, thus permitting the site to be reused
for future purposes. Compliance with these objectives includes, in particular, the
requirement to show that the radiation dose received by the decommissioning workforce
and the public will be ALARP, and that the production of radioactive waste will be
minimised.
A considerable amount of work has been undertaken to develop and describe the
decommissioning plan for HPC and to prepare the information in HPC PCSR2
Chapter 20. A brief description of the decommissioning plan for the dismantling of the
site in accordance with the preferred strategy of ESC is provided. Particular attention
has been given to aspects that are newly introduced for decommissioning that would not
already be covered by the operational safety case, as well as aspects related to the
ongoing management of the records and knowledge required for decommissioning.
HPC PCSR2 Chapter 20 provides additional information to develop the HPC site-specific
PCSR based on that included in Consolidated GDA PCSR 2011. The chapter
demonstrates that it would be safe and feasible to decommission HPC (including the
interim storage facilities for spent fuel and ILW) using current technology, and that
consideration of decommissioning issues has been made in the design. NNB GenCo
considers that the information available on decommissioning at this stage is sufficient to
support the safety justification for moving into the construction phase.
Page 190 of 230
Head Document
20.5
Ref
20.1
References
Title
Consolidated GDA PCSR, Issue 01,
March 2011, EDF/AREVA
Sub-chapter 20.1
Sub-chapter 20.2
Location
Document No.
EDRMS
UKEPR-0002-201-I01
UKEPR-0002-202-I01
20.2
GDA EPR – Decommissioning. Issue 1,
March 2011.
EDRMS
UKEPR-0016-001- I01
20.3
Hinkley Point C Power Station Detailed
Decommissioning and Waste
Management Plan, March 2012.
EDRMS
NNB-PEA-REP-000002
20.4
Safety Assessment Principles for
Nuclear Facilities, Revision 1, 2006.
http://www.hse.gov.uk/nucl
ear/saps/saps2006.pdf
2006 Edition
HPC PCSR2 Sub-chapters all Issue 1,
July 2012 :
20.520.11
Sub-chapter 20.1 Decommissioning
Regulatory and Licensing Requirements
Sub-chapter20.2 Sources of
Radioactivity in Decommissioning
Sub-chapter 20.3 General Procedures
for Decommissioning
Sub-chapter 20.4 Records and
Knowledge Management for
Decommissioning
Sub-chapter 20.5 Hazards During
Decommissioning
Sub-chapter 20.6 Faults During
Decommissioning
Sub-chapter 20.7 Post-Accident
Decommissioning
EDRMS
Page 191 of 230
Head Document
21
HPC PCSR MANAGEMENT FRAMEWORK, DESIGN,
DEVELOPMENT AND USE AND QA ARRANGEMENTS
21.1
Summary
The objectives of HPC PCSR2 Chapter 21 are as follows:
x
To articulate the production of HPC PCSR2 under the NNB GenCo management
system.
x
To facilitate understanding of where HPC PCSR2 sits in the context of the wider HPC
project and how it has been developed.
x
To give confidence in the adequacy of the arrangements for controlling:
o The production of HPC PCSR2 to enable a ‘fit for purpose’ product, and
suitable and sufficient safety assessment of the plant, to support the HPC
design process and the start of construction,
o The appropriate use of HPC PCSR2 to facilitate confirmation that the design
and operational arrangements are compliant with the safety case.
x
To support/contribute to the purposes of HPC PCSR2, in the following way:
o To outline the steps that need to be followed within the company process for
enabling each SSC or group of SSCs to proceed to construction,
o To outline the standards used and assessment principles applied,
o To facilitate NNB GenCo's management of the design, procurement and
construction work,
o To demonstrate that suitable safety case management arrangements exist to
enable safety justifications to be developed at the appropriate stages to enable
construction, commissioning, operation and decommissioning of the site.
x
To support/contribute to achieving the more detailed objectives of HPC PCSR2, in
the following way:
o To refer to the safety management arrangements that are suitable to progress
into the construction phase,
o To refer to the methods for how the plant is to be constructed, so it will be safe
and ‘fit for purpose’ at the end of the construction phase, by a combination of
the design and safety analysis presented in the PCSR (GDA & HPC), and
outline the process of completing remaining design and safety justification work
in a timely manner, and the hold point process for allowing plant to proceed to
construction once appropriate justifications have been made and accepted.
NNB GenCo’s core activities in support of the HPC project are the design, procurement,
manufacturing, construction, commissioning, operation and eventual decommissioning
of two EPR reactors at HPC. NNB GenCo will be the nuclear site licensee and
environmental permit holder for the HPC site supported by EDF SA, who serves as the
Architect Engineer and prime contractor for HPC. The principal engineering role is being
performed by DIN of EDF SA, under the overall management of NNB GenCo. The
Responsible Designer (when appointed) is anticipated to be within DIN. This principal
engineering role includes the production of documentation required to design, procure,
Page 192 of 230
Head Document
construct, commission and operate the plant. Chapter 21 describes NNB GenCo’s
arrangements to adequately manage the safety case in the context of a developing HPC
Reference Design.
21.2
The detail of this topic is given in HPC-specific Sub-chapters 21.1-21.3. Figure 22
illustrates the document structure for Chapter 21.
21.2.1 Status of Sub-Chapters
The detail of this subject is presented in HPC PCSR2 Sub-chapters 21.1, 21.2 and 21.3.
A small amount of information from Consolidated GDA PCSR 2011 was used for HPC
PCSR2 in Sub-chapter 21.3. This included the GDA PCSR organisation and quality
arrangements, which supported the development and approval of Consolidated GDA
PCSR 2011. The remainder of Chapter 21 is all new information for HPC PCSR2.
No out-of-scope items are relevant to Chapter 21. Since the sub-chapters for this area
have been produced specifically for HPC, the scope of the GDA in this area is not
relevant for HPC PCSR2.
21.3
Route Map
HPC PCSR2 Chapter 21 comprises the following three sub-chapters:
x
Sub-chapter 21.1 Management Framework Relating to the Development and Use of
the HPC PCSR [Ref. 21.1],
x
Sub-chapter 21.2 Design Development and Use of the HPC PCSR [Ref. 21.2],
x
Sub-chapter 21.3 HPC PCSR Quality Assurance Arrangements [Ref. 21.3].
Chapter 21 provides an overview of the NNB GenCo management framework, the
design development for HPC and the QA arrangements applied to HPC PCSR2
including the adopted parts of the GDA PCSR. The figure below provides a simplified
illustration of the interactions between the Chapter 21 sub-chapters.
Page 193 of 230
Head Document
NNB GenCo
Management
Framework
Sub-Ch 21.1
Management
Framework
Relating to the
Development and
use of HPC PCSR
Sub-Ch 21.2 Design
Development and
Use of HPC
PCSR
Sub-Ch 21.3 – HPC
PCSR Quality
Assurance
Arrangements
HPC PCSR2
Arrangements
Sub-chapter 21.1 provides an overview of the NNB GenCo organisation for delivering
the HPC project, focusing on aspects that are relevant to nuclear safety. Reference is
made to the NNB GenCo Integrated Management System (IMS) within the sub-chapter
that provides the route map for navigating the NNB GenCo company processes and
procedures.
Sub-chapter 21.1 focuses on the key roles and responsibilities and the main
arrangements regarding control of HPC PCSR2. The interface arrangements between
NNB GenCo, as the Intelligent Customer, and the Architect Engineer are referred to.
Interim arrangements based on the Technical Review process, augmented by features
taken from the arrangements made under LC 20 Control of Modifications during
Construction and Commissioning, are to be used in the period prior to the full
implementation of the LC 20 arrangements. These interim arrangements will be used to
process the modifications not considered as part of the GDA and the modifications
identified for inclusion in the DDR. The LC 20 procedure contains entry conditions for the
use of LC 20 arrangements.
Sub-chapter 21.2 sets out the strategy and generic future plans for the HPC safety case
in the context of a developing HPC Reference Design. The HPC design process is
described, including a high-level description of how requirements will be captured, how
Page 194 of 230
Head Document
the design will be accepted and how design change will be managed. The inputs to the
design process are also set out in addition to how the HPC Reference Design will be
controlled. The engineering project management steps that control the development of
the HPC Reference Design, (as illustrated in Figure 23) are:
x Preliminary Design Reference Phase (PDR milestone) – the purpose of this phase
is to list the forecast design developments to be implemented on FA3 to set up the
HPC Design,
x Decided Design Reference Phase (DDR milestone) – the purpose of this phase is
to provide details of the forecast design development to be implemented on FA3 to
set up the HPC Design, thus creating the HPC Reference Design,
x Implemented Design Reference Phase (IDR milestone) - the purpose of this phase
is to implement the modifications identified at the DDR milestone to form the
technical content of the HPC Reference Design,
x Ready for execution Design Reference Phase (RDR milestone) – the purpose of
this phase is to prepare the HPC Reference Design for feeding of execution design
activities.
Sub-chapter 21.2 also summarises the HPC safety case development. This includes a
description of the development beyond submission of HPC PCSR2, covering the role of
CSJs (previously referred to as Addenda to HPC PCSR2) in the construction process
and the development of HPC PCSR3. LC19 requires construction or installation to be
divided into stages. A CSJ is the justification of the nuclear safety of the proposed
construction or installation activities during a construction stage [Ref. 21.4]. Due to the
continued evolution of the HPC Reference Design, updates will be required to HPC
safety case documentation to provide control of safety-related activities. There is a need
for a summary and collation of all the relevant engineering design and substantiation
prior to the commencement of any nuclear safety-related construction activity. This will
be achieved through the use of CSJs.
The CSJ will adequately justify all nuclear safety-related aspects of the stage to be
entered. It will present the design intended for construction and demonstrate that the
design presented will meet the safety requirements. The CSJ will also justify the
suitability of the arrangements for ensuring that design intent of what is presented will be
met in the more detailed design undertaken throughout the construction and installation
stages. The CSJ will also justify that what is actually constructed and installed can be
shown to meet the design intent, and can be fully substantiated through the
commissioning stages.
Sub-chapter 21.3 provides an overview of the QA arrangements used by NNB GenCo to
deliver HPC PCSR2. The sub-chapter refers to the specification developed by NNB
GenCo for HPC PCSR2 [Ref. 21.5]. It describes how information from Consolidated
GDA PCSR 2011 has been used within HPC PCSR2. As Consolidated GDA PCSR 2011
forms a key component of HPC PCSR2 this sub-chapter summarises both the GDA
PCSR organisation management arrangements and the GDA QA arrangements that
were used to develop, review and approve Consolidated GDA PCSR 2011. Sub-chapter
21.3 also summarises the process by which NNB GenCo reviewed, accepted and
approved HPC PCSR2 as described in the HPC PCSR2 Safety Case Production and
Management Work Instruction [Ref. 21.6]. While NNB GenCo’s internal challenge
function continues to develop, appropriate and proportionate independent assessment
has been applied to HPC PCSR2. Several important sub-chapters and supporting
documents of HPC PCSR2, as well as the whole Head Document, have been subject to
IPR. Sub-chapter 21.3 provides further detail regarding this.
Page 195 of 230
Head Document
21.4
Conclusions
The NNB GenCo governance processes that have been applied to the production and
development of HPC PCSR2, as described in Sub-chapter 21.1, are appropriate and
proportionate.
Post HPC PCSR2 further safety submissions will be produced (as described in Subchapter 21.2). CSJs will provide adequate and suitable design substantiation and
information, giving linkage to the justification for any nuclear safety-related construction
activity.
HPC PCSR2 aims to make the most effective use of the GDA information and the
assessment process that this has been through, as described in Sub-chapter 21.3. This
is achieved by clearly presenting the differences and additional analysis for HPC and by
superseding certain non-applicable GDA PCSR documents with HPC site-specific
documents. The QA process applied for incorporation of GDA information and for the
production of new site-specific documentation is appropriate and proportionate.
Processes and arrangements are in place to facilitate effective knowledge transfer from
the GDA process to the ongoing site specific activities.
NNB GenCo considers that through the DR&A process and the CSJ production process,
the safety management arrangements, as described in Sub-chapters 21.1 and 21.2, are
adequate to ensure the future development in these arrangements will support future
safety submissions moving into the construction phase. HPC PCSR2 provides an
adequate baseline safety justification to support this.
21.5
Ref
References
Title
Location
Document No.
21.1
HPC PCSR2 Sub-chapter 21.1 - Management
Framework Relating to the Development and
Use of the HPC PCSR, Issue 1, July 2012
EDRMS
21.2
HPC PCSR2 Sub-chapter 21.2 - Development
and Use of the HPC PCSR, Issue 1, July 2012
EDRMS
21.3
HPC PCSR2 Sub-chapter 21.3 - HPC PCSR
Quality Assurance Arrangements, Issue 1, July
2012
EDRMS
21.4
Strategy for Demonstrating Sufficient Safety
Justification to Support Construction at HPC,
Issue 1, Aug 2012
EDRMS
NNB-OSL-STR-000047
21.5
HPC PCSR2 Specification, Issue 2, Feb 2012
EDRMS
HPC-NNBOSL-U0000-SPE-000002
21.6
HPC PCSR2 Safety Case Production and
Management Work Instruction, Issue 2, Jan
2012
EDRMS
HPC-NNBOSL-XX000-WIN-000001
Page 196 of 230
Head Document
22
FIGURES, GLOSSARY AND ABBREVIATIONS
FIGURES
Figure 1: Diagram of the Safety Case Structure
Page 197 of 230
Head Document
Figure 2: Document Structure for HPC PCSR2 Chapter 1
Page 198 of 230
Head Document
Figure 3a: Document Structure for HPC PCSR2 Chapter 2
Page 199 of 230
Head Document
Figure 3b: Document Structure for HPC PCSR2 Chapter 2
Page 200 of 230
Head Document
Page 201 of 230
Head Document
Page 202 of 230
Head Document
Page 203 of 230
Head Document
Page 204 of 230
Head Document
Page 205 of 230
Head Document
Page 206 of 230
Head Document
Page 207 of 230
Head Document
Page 208 of 230
Head Document
Page 209 of 230
Head Document
Page 210 of 230
Head Document
Page 211 of 230
Head Document
Page 212 of 230
Head Document
Page 213 of 230
Head Document
Page 214 of 230
Head Document
Page 215 of 230
Head Document
Page 216 of 230
Head Document
Page 217 of 230
Head Document
Page 218 of 230
Head Document
Page 219 of 230
Head Document
Page 220 of 230
Head Document
Page 221 of 230
Head Document
Page 222 of 230
Head Document
Figure 23: HPC Design Process
Page 223 of 230
Head Document
GLOSSARY AND ABBREVIATIONS
A complete glossary of terms (including EDF trigrams) can be found in the Introduction
to the Safety, Security and Environmental Report (SSER) [Ref. 22.1].
AAD [SSS]
ABP
ADG
ADMS
AGR
AHP
ALARP
AOD
APA [MFWPS]
APG [SGBS]
ARE [MFWS]
ASG [EFWS]
BAT
BDR
BOP
BSL
BSO
CCF
CDF
CFI [CWFS]
CHF
CRF
CSJ
DACC
DBA
DBF
DCH
DCL [CRACS]
DDM
DDR
(D)DWMP
DEA [SSSS]
DEC
DEL [SCWS]
DFL
DIN
DMK
DNB
DNB(R)
DR&A
DVD [DBVS]
DVL [SBVSE]
DVP [CWPSVS]
DWB [OBCRVS]
Start-up and Shutdown Feedwater System
Low Pressure Feedwater and Heater System
Feedwater Tank and Gas Stripper System
Atmospheric Dispersion Modelling System
Advanced Gas-cooled Reactor
High and Medium Pressure Feedwater Plant and Heater System
As Low As Reasonably Practicable
Above Ordnance Datum
Motor Driven Feedwater Pump System
Steam Generator Blow Down System
Main Feedwater System
Emergency Feedwater System
Best Available Techniques
Basic Design Report
Balance of Plant
Basic Safety Level
Basic Safety Objective
Common Cause Failure
Core Damage Frequency
Circulation Water Filtration System
Critical Heat Flux
Circulating Water System (or main cooling system)
Construction Safety Justification
Design Assurance Coordination Committee
Design Basis Analysis
Design Basis Fault
Direct Containment Heating
Control Room Air Conditioning System
Décision sur Demande de Modification (Modification Request
Decision)
Decided Design Reference
(Detailed) Decommissioning and Waste Management Plan
Standstill Seal System
Design Extension Condition
Safety Chilled Water System
Smoke Confinement System
Division Ingénierie Nucléaire
Handling Equipment and Plant for the Fuel Building
Departure from Nucleate Boiling
Departure from Nucleate Boiling (Ratio)
Design Review and Acceptance
Diesel Building Ventilation System (Main diesel and SBO diesel)
Safeguard Building Ventilation System Electrical (Division)
Circulating Water Pumping Station Ventilation System
Operational Building Contaminable Room Ventilation System
Page 224 of 230
Head Document
DWK [FBVS]
DWL [CSBVS]
DWN [NABVS]
DWQ [ETBVS]
DWW [ABVS]
EA
EBA [CSVS]
EDE [AVS]
EDF SA
EDG
EDRMS
EFPD
EMI
EMIT
EOP
EPR
ESC
ETB
ETC-C
ETC-F
ETY [CGCS]
EUR
EVF
EVR [CCVS]
EVU [CHRS]
FA3
FAT
FDM
FMEA
FSCD
GCT [MSB]
Gd
GDA
GDF
GSE
GQAS
HFE
HFIP
HFI
HHI
HHK
HIC
HMI
HPA
HPB
HPC
HPCM
HQA/B
HQC
HRA
Fuel Building Ventilation System
Controlled Safeguard Building Ventilation System
Nuclear Auxiliary Building Ventilation System
Effluent Treatment Building Ventilation System
Access Building (Controlled Area) Ventilation System
Environment Agency
Containment Sweep Ventilation System
Annulus Ventilation System
Electricité de France Société Anonyme
Emergency Diesel Generator
Electronic Document and Records Management System
Effective Full Power Day
Electromagnetic Interference
Examination, Maintenance, Inspection and Testing
Emergency Operating Procedures
The Pressured Water Reactor developed by AREVA
Early Site Clearance
Effluent Treatment Building
EPR Technical Code for Civil Works
EPR Technical Code for Fire Protection
Combustible Gas Control System
European Utility Requirements
Reactor Building Internal Filtration System
Containment Cooling Ventilation System
Containment Heat Removal System
Flamanville 3
Factory Acceptance Testing
Fiche de Demande de Modification (Modification Request Form)
Failure Modes and Effects Analysis
Fast Secondary Cooldown
Main Steam Bypass
Gadolinium
Generic Design Assessment
Geological Disposal Facility
Turbine Protection System
Human Factors Engineering
Human Factors Integration Plan
Human Factors Integration
Building code for HPC Interim ILW Store
Building code for HPC Interim Spent Fuel Store
High Integrity Component
Human Machine Interface
Hinkley Point A
Hinkley Point B
Hinkley Point C
High Pressure Core Melt
Building code for Effluent Treatment Building (Unit 1)
Building code for waste treatment facility (Unit 2)
Human Reliability Assessment
Page 225 of 230
Head Document
HSE
HSSD
HVAC
HVD
HVL
HXA
I&C
IAEA
iDAC
IDR
IEC
ILW
IMS
IoF
IRWST
ISFS
ISI
iSoDA
IWS
JAC [FFWSS]
JDT [FDS]
JPD [FFS-NC]
JPH [FFS-THOT]
JPI [NIFPS]
JPS [FFEWD]
JPT [TFPS]
JPV [DBFPS]
KER [LRMDS]
KRT [PRMS]
LC
LERF
LHSI
LLI
LLSF
LLW
LLWR
LOCA
LOCC
LOOP
LRF
LUHS
MCCI
MCP [PICS]
MCR
MCS [SICS]
MHSI
MODEM
MOX
MSF
MSLB
Health and Safety Executive
Heat Sink Summary Document
Heating, Ventilation and Air Conditioning
Building code for the decontamination workshop
Building code for the hot laundry
Building code for the effluent tanks building
Instrumentation & Control
International Atomic Energy Agency
interim Design Acceptance Confirmation
Implemented Design Reference
International Electrotechnical Commission
Intermediate Level Waste
Integrated Management System
Incredibility of Failure
In-Reactor Water Storage Tanks
Interim Spent Fuel Store
In-Service Inspection
interim Statement of Design Acceptability
Integrated Waste Strategy
Fire Fighting Water Supply System
Fire Detection System
Fire Fighting System for Non-Classified Buildings
Fire Fighting System for Turbine Hall Oil Tanks
Protection and Distribution of Nuclear Island Fire Fighting System
Site Fire Fighting Water Distribution System
Transformer Fire Protection System
Diesel Building Fire Protection System
Liquid Radwaste Monitoring and Discharge System
Plant Radiation Monitoring System
Licence Condition
Large Early Release Frequency
Low Head Safety Injection
Long Lead Item
Lower Level Safety Function
Low Level Waste
Low Level Waste Repository
Loss of Coolant Accident
Loss of Cooling Chain
Loss of Off-Site Power
Large Release Frequency
Loss of Ultimate Heat Sink
Molten Core-Concrete Interaction
Process Information and Control System
Main Control Room
Safety Information and Control System
Medium Head Safety Injection
Monitoring and Decision Making panel
Mixed Oxide
Main Safety Function
Main Steam Line Break
Page 226 of 230
Head Document
MW
NAB
NC
NCSS
NDA
NDT
NNB GenCo
NPP
NSC
NSDAPs
NSL
NSSS
ONR
OSC
OSSA
OTS
PACS
PAR
PAS
PCC
PCER
PCI
PCmSR
PCSR
PDR
PIE
PIPO
PIPS
PLSF
PMC [FHS]
POP
POSR
PSA
PSI
PSIS
PSOT
PTR [FPPS/FPCS]
PWR
QA
RBS [EBS]
RCCA
RCC-E
RCC-M
RCM
RCP [RCS]
RCPB
RCSL
RCV [CVCS]
RDR
REA [RBWMS]
Megawatt
Nuclear Auxiliary Building
Non-Classified
Non-Computerised Safety System
Nuclear Decommissioning Authority
Non-Destructive Testing
Nuclear New Build Generation Company
Nuclear Power Plant
Nuclear Safety Committee
Nuclear Safety Design Assessment Principles
Nuclear Site Licence
Nuclear Steam Supply System
Office for Nuclear Regulation
Operational Service Centre
Operational Strategy for Severe Accidents
Operating Technical Specifications
Priority and Actuation Control System
Passive Autocatalytic Recombiner
Process Automation System
Plant Condition Category
Pre-Construction Environmental Report
Pellet Clad Interaction
Pre-Commissioning Safety Report
Pre-Construction Safety Report
Preliminary Design Reference
Postulated Initiating Event
Inter Workstation Console
Process Instrumentation Pre-processing System
Plant Level Safety Function
Fuel Handling System
Plant Overview Panel
Pre-Operational Safety Report
Probabilistic Safety Assessment
Pre-Service Inspection
Inter-panel Signalisation Panel
Protection System Operator Terminal
Fuel Pool Purification (and Cooling) System
Pressurised Water Reactor
Quality Assurance
Extra Boration System
Rod Cluster Control Assemblies
Technical Code for Electrical Equipment
Technical Code for Mechanical Equipment
Reliability Centred Maintenance
Reactor Coolant System
Reactor Coolant Pressure Boundary
Reactor Control, Surveillance and Limitation
Chemical and Volume Control System
Ready for execution Design Reference
Reactor Boron and Water Make-up System
Page 227 of 230
Head Document
REN [NSS]
RES [SGSSS]
RFI
RFS
RGL [CRDM]
RIS [SIS]
RIS/RRA
[SIS/RHRS]
RPE [NVDS]
RPR [PS]
RPV
RRA [RHRS]
RRC
RRI [CCWS]
RSE-M
RSR
RSS
RWMD
/r.y
SA I&C
SAP [CAPS]
SAPs
SAR [CAS]
SAS
SAT [SCADS]
SB(LOCA)
SBO
SDA [DPS]
SDO
SEC [ESWS]
SED [NIDWDS]
SEK [CILWDS]
0SEK [SiteLWDS]
SEP [PWS]
SER [CIDWDS]
SFCTF
SFP
SGH [HDS]
SGN [NDS]
SGO [ODS]
SGTR
SIR
SIT
SMA
SOA
SRU [UCWS]
SSC
SSR
SZB
TAGSI
Nuclear Sampling System
Steam Generator Secondary Sampling System
Radio Frequency Interference
French Basic Safety Rules
Control Rod Drive Mechanisms
Safety Injection System
Safety Injection System operating in Residual Heat Removal Mode
Nuclear Vent and Drain System
Protection System
Reactor Pressure Vessel
Residual Heat Removal System
Risk Reduction Category
Component Cooling Water System
Technical Code for Mechanical Equipment
Radioactive Substances Regulations
Remote Shutdown Station
Radioactive Waste Management Directorate
per reactor year
Severe Accident Instrumentation and Control
Compressed Air Production System
Safety Assessment Principles
Compressed Air System
Safety Automation System
Service Compressed Air Distribution System
Small Break (Loss of Coolant Accident)
Station Blackout
Demineralised Production System
Safety Design Objective
Essential Service Water System
Nuclear Island Demineralised Water Distribution System
Conventional Island Liquid Waste Discharge System
Site Liquid Waste Discharge System
Potable Water System
Conventional Island Demineralised Water Distribution System
Spent Fuel Cask Transfer Facility
Spent Fuel Pool
Hydrogen Distribution System
Nitrogen Distribution System
Oxygen Distribution System
Steam Generator Tube Rupture
Chemical Conditioning (Injection with Reagent)
Chemical Sampling and Monitoring System
Seismic Margin Assessment
State Oriented Approach
Ultimate Cooling Water System
Structure, System or Component
Station Safety Report
Sizewell B
(UK) Technical Advisory Group on Structural Integrity
Page 228 of 230
Head Document
TEG [GWPS]
TEN [ETBSS]
TEP [CSTS]
TEP4 [CDS]
TER [ExLWDS]
TES [SWTS]
TEU [LWPS]
UDG
UHS
UPS
VDA [MSRT]
VIV [MSIV]
VLLW
VVP [MSSS]
WDA
WENRA
/y
Gaseous Waste Processing System
Effluent Treatment Building Sampling System
Coolant Storage and Treatment System
Coolant Degasification System
Additional Liquid Waste Discharge System
Solid Waste Treatment System
Liquid Waste Processing System
Ultimate Diesel Generator
Ultimate Heat Sink
Uninterruptible Power Supply
Main Steam Relief Train
Main Steam Isolation Valve
Very Low Level Waste
Main Steam Supply System
Water Discharge Activity
Western European Nuclear Regulators’ Association
per year
Page 229 of 230
Head Document
Ref
22.1
Title
Introduction to the Safety, Security and
Environmental Report (SSER) Issue 05, March
2011
Location
EDRMS
Document No.
UKEPR-0001-001
Page 230 of 230

Pre Construction Safety Report

Transcription

Similar documents

These are Security risks! Security is about key control

And From the Student`s Perspective

HPC for Interactive Training Simulation

1 2 0 0 CMB - Lockmasters, Inc.

Intro to LargeData On the HPC cluster

On to HPC - Parent Directory

Inżynier Utrzymania Ruchu – Elektryk

GWADAR DEVELOPMENT AUTHORITY OFFICE THE PROJECT

Switch Blitz - Lockmasters, Inc.

presentation title