Preliminary Assessment of Engineered Safety Features Against Station Blackout in Selected PWR Models

Received: 19 January 2021. Received in revised form: 18 February 2021. Accepted: 19 February 2021.

The 2011 Fukushima accident did not prevent countries from constructing new nuclear power plants (NPPs) as part of their electricity generation systems. Based on the IAEA database, a total of 44 units of PWR-type NPPs have started construction since 2011. To assess the technology of the engineered safety features (ESFs) of these newly constructed PWRs, the study described in this paper was conducted, with emphasis on the station blackout (SBO) event. It is expected from this study that a number of PWR models can be considered for construction in Indonesia from the year 2020. The scope of the study is PWRs with a capacity of 900 to 1100 MWe constructed and operated after 2011, and small modular reactors (SMRs) whose status is at least under licensing. Based on the ESF design assessment, passive core decay heat removal has been applied in most PWR models, typically by condensing steam inside a heat exchanger within a water tank or by air cooling. Of the selected PWR models, the CPR-1000, HPR-1000, AP-1000, and the VVER-1000, 1200 and 1300 series have the capability to remove the core decay heat passively. The most innovative passive RHR, that of the AP1000, and the longest passive RHR time period, obtained by air cooling in several VVER models, are preferred. Of the selected SMR designs, the NuScale design and the RITM-200 possess more advantages than the ACP-100, CAREM-25, and SMART. NuScale represents the model with full-power natural circulation and RITM-200 the model with forced circulation. NuScale has the longest time period for passive RHR as claimed by the vendor; however, the design is still under the licensing process. The RITM-200 reactor has a combination of passive air and water cooling of the heat exchanger and is already under construction.


INTRODUCTION
The effort of the Indonesian government to introduce nuclear power plants (NPPs) as an electricity generation system has been under way since the 1970s. The most significant NPP program was conducted in early 1991, when the Indonesian nuclear energy agency (BATAN) and the NewJEC consultant of Japan carried out a feasibility study, covering various aspects, to select the most suitable site on Java island, which resulted in the selection of the Muria site [1]. Since then, various studies have been intensified further, not limited to site selection but also covering NPP technology. The most recent study considered the use of the high temperature gas cooled reactor (HTGR) as part of a strategic milestone toward introducing large-scale NPPs in Indonesia [2].
All of those efforts were affected by the most recent nuclear accident, at the Fukushima Daiichi NPP in 2011, which changed the mindset of the NPP technology industry worldwide regarding nuclear safety. One of the safety aspects to be reinforced is the ability of the NPP design to safely withstand the full range of external and internal events. From the Fukushima Daiichi accident it can be learned that even the direct effects of the external event were successfully responded to by shutting down the reactor and establishing core cooling. However, the subsequent tsunami caused the loss of all offsite and onsite power lines, which provided the AC power supply required to operate the core cooling system in the long term [3]. The 2011 Fukushima accident did not prevent countries from constructing new NPPs as part of their electricity generation systems. Instead, the newly constructed NPPs have been modified in light of the lessons of the Fukushima accident to enhance safety, as implemented in the design of the engineered safety features. Based on the IAEA Power Reactor Information System (PRIS), there are in total 48 NPP units whose construction started after the Fukushima accident in 2011 [4]. Of those units, 44 are pressurized water reactor (PWR) type NPPs of all capacities. In addition, there are in total 60 new NPP units that have been connected to the grid since 2011, which means that their construction was not delayed by the Fukushima accident [5].
Based on the above data on NPPs under construction and in operation, a study has been conducted, as described in this paper, to assess the safety aspects of NPP technology, especially in facing an initiating event similar to the one that led to the accident at Fukushima Daiichi. The study started by evaluating the PWR models of NPPs that have been under construction or in operation since 2011 at the latest. The selection of 2011 is based on the average construction time of a single NPP unit of 7 years. To limit the number of evaluated NPPs, the electrical capacity of each unit is limited to 900 to 1100 MWe, which is the most suitable capacity range for an NPP to be constructed in Indonesia [6]. Another alternative is also considered by evaluating small modular reactors (SMRs), which have prospects in the future as part of the strategic plan to introduce large-capacity NPP units. The selection of SMR technology is also limited to those models that are at least under the licensing process in the designer's country. The study is focused on the initiating event that occurred in the Fukushima accident, which started with the loss of offsite power followed by the loss of the emergency power supply, i.e. station blackout (SBO). For that case, the structure of the engineered safety features of each selected NPP model is evaluated in order to identify the most reliable safety design for mitigating the SBO event. It is expected that there are a number of PWR models that can be considered for construction in Indonesia from the year 2020.

DESCRIPTION OF STATION BLACKOUT EVENT
A plant may experience SBO conditions when the loss of offsite power (LOOP) initiating event is not properly mitigated by the standby or emergency AC power supply systems that generate the power required for safety system operation. An SBO event was considered a beyond design basis accident (BDBA) for many plant designs. After the Fukushima Daiichi accident, the SBO event is now considered part of the plant Design Extension Conditions (DEC), which are defined as postulated accident conditions not considered in the design basis accidents (DBA) but still considered in the design process for the facility in accordance with best-estimate methodology [7]. Consequently, the SBO requires additional safety features to support the safety systems required in the DBA category. As the initiating event of an SBO, a LOOP event results in the loss of the capability to remove decay heat by the normal cooling systems even if the reactor core is successfully shut down. Decay heat removal then has to be accomplished by the related safety system as part of the engineered safety features, which still depends on the AC power supply. Therefore, an alternate electrical power supply is required, normally from emergency diesel generators operating as standby or alternate power systems. The operation of the decay heat removal is the key factor in keeping the core cooled even when the emergency power supply is lost due to other external events or common-cause failures. The core should be maintained in a safe condition after the subsequent loss of the emergency AC power system for a duration referred to as the coping time. A typical SBO event tree including the mitigation measures is shown in Figure 1 [8]. From that figure, core decay heat removal has to be maintained first by operating the steam generator secondary side using the DC power supply available from the battery sets.
If the DC power is exhausted, the increasing core heat is released through the pressurizer valves to maintain the integrity of the reactor cooling system (RCS). The loss of DC power will also affect the plant monitoring and instrumentation system, which is important for operators during the progress of decay heat removal. This safety mode has limited capability and requires restoration of AC power, from the emergency AC power system or from the offsite AC grid, to operate the normal core heat removal systems. In the event tree of Figure 1, there are two cases of AC power recovery, based on the assumption that the AC power recovery time is less than or more than 2 hours, the period for which the core cooling function can be maintained on the DC power supply. In either case, AC power recovery brings the reactor to a safe condition in which the core is sufficiently cooled. The sequences are a classic example of SBO mitigation using active decay heat removal systems. In addition, there are potential failures during emergency heat removal, such as a small-break loss of coolant from the heated reactor coolant pump (RCP) seals, failure of the pressurizer relief valves to close, and others [9]. To reduce the SBO event time, the AC power supply must be restored from normal offsite AC power sources, standby sources, or alternate AC power sources as soon as possible to prevent fuel damage [10]. The offsite AC power sources have higher capacity and the capability to power all station loads, including circulating pumps on non-safety buses that support heat removal using the normal cooling configuration. The onsite source has limited capacity and can only power loads of the auxiliary cooling and makeup systems.
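The event-tree logic described above (emergency AC, secondary-side cooling on DC power, AC recovery before or after the 2-hour DC window, pressurizer relief once DC is exhausted) can be made concrete with a small sequence enumerator. The following is an added example written for this page, not code from the paper or from reference [8]; the branch names mirror the text's description of Figure 1, and every probability is a constructed placeholder rather than plant data.

```python
"""Minimal SBO event-tree evaluator (added example, not from the paper).

The branch structure follows the qualitative sequence the text gives for
the Figure 1 event tree: after a LOOP, onsite emergency AC either starts
or the plant enters SBO; secondary-side cooling is kept up on DC power;
AC is recovered either within about 2 h or later; and if DC is exhausted
the pressurizer relief valves have to hold RCS integrity. Every
probability below is a CONSTRUCTED placeholder for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    question: str     # mitigation function asked at this branch point
    p_fail: float     # constructed P(function fails | branch reached)
    on_success: str   # next node name, or an end state ("OK: ..." / "CD: ...")
    on_failure: str


# Constructed tree; end states start with "OK" (core cooled) or "CD" (core damage).
SBO_TREE = {
    "EDG": Node("Onsite emergency AC power (diesel generators) starts", 0.02,
                "OK: decay heat removed on emergency AC", "AFW"),
    "AFW": Node("SG secondary-side cooling by turbine-driven AFW on DC power", 0.05,
                "AC2H", "PZR"),
    "AC2H": Node("Offsite or alternate AC recovered within 2 h", 0.50,
                 "OK: AC recovered, normal cooling restored", "DC"),
    "DC": Node("DC batteries, RCP seals and relief valves hold until AC recovery", 0.30,
               "OK: late AC recovery before DC exhaustion",
               "CD: cooling lost after DC depletion"),
    "PZR": Node("Pressurizer relief keeps RCS integrity until AC recovery", 0.40,
                "OK: AC recovered during pressurizer relief",
                "CD: no secondary cooling and relief path lost"),
}


def enumerate_sequences(tree, root="EDG"):
    """Depth-first walk of the tree; returns a list of (path, end_state, probability)."""
    out = []

    def walk(name, path, prob):
        if name not in tree:              # reached an end state
            out.append((tuple(path), name, prob))
            return
        node = tree[name]
        walk(node.on_success, path + [name + ":ok"], prob * (1.0 - node.p_fail))
        walk(node.on_failure, path + [name + ":fail"], prob * node.p_fail)

    walk(root, [], 1.0)
    return out


def sbo_probability(tree):
    """P(SBO | LOOP): the failure branch of the emergency AC node."""
    return tree["EDG"].p_fail


def core_damage_probability(tree, root="EDG"):
    """P(core damage | LOOP): sum over all sequences ending in a CD state."""
    return sum(p for _, end, p in enumerate_sequences(tree, root) if end.startswith("CD"))


def core_damage_frequency(tree, loop_frequency_per_year):
    """LOOP/SBO contribution to CDF = f(LOOP) * P(CD | LOOP)."""
    return loop_frequency_per_year * core_damage_probability(tree)


if __name__ == "__main__":
    for path, end, p in enumerate_sequences(SBO_TREE):
        print(f"{p:.5f}  {' -> '.join(path)}  => {end}")
    print("P(SBO | LOOP) =", sbo_probability(SBO_TREE))
    print("P(CD | LOOP)  =", core_damage_probability(SBO_TREE))
    # constructed LOOP frequency of 0.05 per reactor-year, for illustration only
    print("CDF contribution at 0.05 LOOP/yr =", core_damage_frequency(SBO_TREE, 0.05))
```

Changing `p_fail` on the `AC2H` and `DC` nodes is the direct way to see how the coping time assumption (here the 2-hour DC window) drives the core damage branches, which is the point the text makes about restoring AC power as early as possible.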

METHODOLOGY OF SELECTING THE PWRS
From the large number of PWR units recorded in the IAEA PRIS, a number of PWR units were selected that started operation (first grid connection) or construction after 2011. Another criterion is a generated electrical power of 900 to 1000 MWe, which belongs to the large power reactor type. Based on this data selection, there are 52 PWR units in operation and 25 For all selected PWR models, an analysis of the operating procedures for responding to the LOOP event is performed by studying each safety system. After that, an evaluation of the engineered safety features is carried out to obtain a whole picture of the plant's capability to mitigate an SBO event caused by failure of the onsite backup power systems. In this analysis, other events such as loss of coolant are not considered to occur simultaneously with the LOOP.
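The selection rules of this section (reactor type, date of construction start or first grid connection, capacity window, and for SMRs a status of at least under licensing) are easy to apply inconsistently by hand. The following is an added example, not code from the paper or from the IAEA PRIS; the records are constructed sample data with placeholder names, and the cut-off year is treated as inclusive, which is an assumption.

```python
"""PRIS-style unit selection (added example, not from the paper).

Implements the selection rules described in the text: PWR type; first grid
connection or construction start from the cut-off year onward; electrical
capacity inside a window (the study's overall scope is 900 to 1100 MWe);
plus, for SMRs, a status of at least "under licensing". The records are
CONSTRUCTED sample data with placeholder names, not PRIS entries.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal ranking of design status, used for the "at least under licensing" rule.
STATUS_RANK = {"conceptual design": 0, "under licensing": 1,
               "under construction": 2, "operating": 3}


@dataclass(frozen=True)
class Unit:
    name: str
    reactor_type: str                 # e.g. "PWR", "BWR"
    capacity_mwe: float
    construction_start: Optional[int]  # year, None if construction has not started
    grid_connection: Optional[int]     # year of first grid connection, None if none yet
    status: str                        # key of STATUS_RANK
    smr: bool = False


def in_window(unit, lo_mwe, hi_mwe):
    return lo_mwe <= unit.capacity_mwe <= hi_mwe


def recent(unit, cutoff_year):
    """True if construction started or first grid connection happened in or after cutoff_year
    (the text says 'after 2011' and 'since 2011'; inclusive is assumed here)."""
    return any(y is not None and y >= cutoff_year
               for y in (unit.construction_start, unit.grid_connection))


def select_large_pwrs(units, cutoff_year=2011, lo_mwe=900, hi_mwe=1100):
    """Large PWRs meeting the date and capacity criteria, split into
    (operating names, under-construction names) by whether a grid connection exists."""
    chosen = [u for u in units
              if u.reactor_type == "PWR" and not u.smr
              and in_window(u, lo_mwe, hi_mwe) and recent(u, cutoff_year)]
    operating = [u.name for u in chosen if u.grid_connection is not None]
    under_construction = [u.name for u in chosen if u.grid_connection is None]
    return operating, under_construction


def select_smrs(units, min_status="under licensing"):
    """Water-cooled (PWR-type) SMRs whose status is at least min_status."""
    return [u.name for u in units
            if u.smr and u.reactor_type == "PWR"
            and STATUS_RANK[u.status] >= STATUS_RANK[min_status]]


# Constructed sample records (placeholder names, illustrative values only).
SAMPLE_UNITS = [
    Unit("Unit-A", "PWR", 1000, 2013, 2019, "operating"),
    Unit("Unit-B", "PWR", 1100, 2015, None, "under construction"),
    Unit("Unit-C", "PWR", 1000, 2005, 2009, "operating"),            # too old
    Unit("Unit-D", "PWR", 1400, 2014, None, "under construction"),   # outside window
    Unit("Unit-E", "BWR", 1000, 2014, None, "under construction"),   # wrong type
    Unit("Unit-F", "PWR", 980, 1973, 2016, "operating"),   # old start, late grid connection
    Unit("SMR-X", "PWR", 45, None, None, "under licensing", smr=True),
    Unit("SMR-Y", "PWR", 50, 2016, None, "under construction", smr=True),
    Unit("SMR-Z", "PWR", 100, None, None, "conceptual design", smr=True),
]

if __name__ == "__main__":
    operating, under_construction = select_large_pwrs(SAMPLE_UNITS)
    print("large PWRs operating:", operating)
    print("large PWRs under construction:", under_construction)
    print("SMRs at least under licensing:", select_smrs(SAMPLE_UNITS))
```

The `Unit-F` record illustrates the case the text raises for the WH-4LP: a unit whose construction began decades earlier still qualifies because its first grid connection falls in the study period.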

Measures to mitigate the loss of offsite power (LOOP)
In general, the established procedures after a LOOP in all PWRs include trips of the reactor, reactor coolant pumps, main turbine, main feedwater pumps, and circulating water pumps. The decay heat generated in the core is removed from the primary system by the steam generators, whose secondary-side coolant is supplied by the emergency feedwater systems. The steam generated in the steam generators is dumped to the condenser or released through the steam generator relief valves to control the secondary pressure [11]. The emergency feedwater system (or auxiliary feedwater system) normally operates using turbine-driven and diesel- or motor-driven feedwater trains consisting of pumps and feedwater storage tanks. The diesel-driven feedwater pumps have dedicated diesel engines, which also supply the emergency diesel generator of the plant. The motor-driven feedwater pumps are powered by AC power from the emergency or standby AC power supply systems. The turbine-driven feedwater pumps are independent of AC power as long as the generated steam is able to drive them; however, their (valve) control systems rely on AC and DC power. Therefore, the configuration of the emergency AC power system supplying AC power to the emergency feedwater systems is significant for maintaining core cooling after the reactor trip for as long as possible before the offsite AC power system can be restored. Figure 2 shows a typical configuration of the auxiliary feedwater system in a two-loop PWR with three different types of feedwater pump and two different sources of feedwater [12].

Fig. 2. Typical emergency or auxiliary feedwater system of a PWR for core cooling after a LOOP event [12]

The operation of the diesel-driven and AC-power-dependent feedwater pumps is tied to the reliability of the diesel engine and of the onsite standby AC power source in delivering the necessary AC power to the plant safety buses of the safety-related systems. Typical standby AC power sources are high-capacity diesel generators, supported by gas turbines or nearby dedicated hydropower plants if available. Those sources are expected to deliver AC power for an extended LOOP duration of about 7 days [9]. The operation of the AFW systems also requires DC power from the batteries for the I&C systems, valve control power, and process monitoring, which typically lasts several hours.
For the selected PWRs of Chinese vendors, all PWR models, namely CPR-1000, HPR-1000, CNP-1000, ACP-1000, and ACPR-1000, remove the core decay heat after a LOOP using the typical auxiliary feedwater systems described above, mostly with turbine- and motor-driven feedwater pumps. The reliability of the feedwater is increased by ensuring a continuous external feedwater supply. The similarity of the LOOP mitigation design stems from the reference plant used by the Chinese companies to develop those PWR models, which is basically the French 900 MWe 3-loop PWR design [13]. The other PWR model, the two-loop AP1000, is developed by Westinghouse of the USA, which classifies the auxiliary feedwater system as a non-safety-related system because of the passive design of the engineered safety features. Feedwater is supplied from the start-up feedwater system using only a motor-driven feedwater pump powered by the emergency AC diesel generator, with a feedwater tank sized for 14 hours of core cooling [14]. The OPR-1000 of Korea is a two-loop PWR that also uses the typical turbine- and motor-driven auxiliary feedwater pumps, taking feedwater from the storage tank with the condensate storage tank as backup supply. The reliability of the motor-driven pumps is maintained by installing a set of emergency AC diesel generators and an alternative backup generator. Another PWR model is the WH-4LP, the only Generation II PWR developed by Westinghouse with a 4-loop design, which achieved first grid connection in 2016 after many years of construction delay since 1973. Therefore, its safety design for mitigating the LOOP event is a typical active auxiliary feedwater system, which depends on the emergency AC diesel generator.
The Russian PWR models are developed in different series of VVER (or WWER, water-water energetic reactor). All VVER series are 4-loop PWRs with one horizontal steam generator in each loop. The VVER-1000/V320 removes the core decay heat after a LOOP event using the steam generators, with feedwater supplied by the auxiliary and emergency feedwater systems [15]. The feedwater is pumped by motor-driven pumps from the deaerator tank and a storage tank with a capacity of several days. To ensure operation of the motor-driven pumps, the emergency AC diesel generator is backed up by a mobile AC power system and an additional generator. The VVER-1000/V412, V428M, V528, and V491 are Generation III VVERs based on the V392 model with additional safety design features such as double containment, a core catcher, and site-specific reinforcement. Their LOOP mitigation design is basically similar to that of the V320, with increased redundancy (4 × 100%) of the auxiliary and emergency feedwater system, including the installation of emergency and backup AC diesel generators on each line. Other VVER series belong to the VVER-1200, consisting of the V392M, V509, V523, and V491, which differ from each other in site specification and passive safety system configuration, such as the VVER in Turkey [16]. In a LOOP event, the core decay heat is removed by the emergency steam generator cooldown and blowdown system on the secondary side of the steam generator. Each system consists of emergency cooling pumps drawing feedwater from the emergency storage tanks with 2 × 100% capacity. Additionally, each system is supported by 4 × 100% emergency AC diesel generator systems with a backup AC diesel generator on each line. The VVER-1300/V510K has a mitigation system similar to that of the VVER-1200 described above.

Engineered safety features in case of SBO
As described above, the SBO event occurs when the onsite emergency AC generators can no longer supply the necessary AC power to the safety-related systems for core cooling while the offsite AC power has not yet been recovered. Unavailability of AC power will affect the function of the auxiliary feedwater systems, which depend on AC power. Some functions may be maintained using DC power from batteries for a limited time only. Therefore, core cooling will depend on the function of the passive systems, which are normally designed as part of the engineered safety features. Of the selected PWRs, only the CPR-1000, HPR-1000, AP-1000, and the VVER series are equipped with a passive core decay heat removal system for the SBO case. In the CPR-1000, the passive emergency feedwater system (PEFS) takes over the core heat removal function with 3 × 100% redundancy, as shown in Figure 2. The heated water on the secondary side flows naturally inside a heat exchanger submerged in a cooling water tank (CWT). The cooled water flows back into the steam generator. The water inside all three CWTs has a cooling capacity of 6 hours and can be replenished passively from an external water tank for an additional 72 hours. A similar design is also adopted in the HPR-1000, using the passive residual heat removal system of the secondary side (PRS) with a 72-hour capacity before tank refilling [13]. The other selected PWR models, CNP-1000, ACP-1000, and ACPR-1000, do not have passive engineered features for core cooling after shutdown. The AP-1000, in contrast, is claimed by the US vendor to be an advanced PWR design with passive safety, in which the passive residual heat removal system (PRHR) is installed as part of the passive core cooling system (PXS) [14].
The PRHRS is equipped with the PRHRS heat exchanger (PRHRS-HX), which is submerged in the in-containment refueling water storage tank (IRWST) and directly connected to the reactor vessel through an inlet line from one of the primary system hot legs and an outlet line to the steam generator cold leg plenum, as shown in Figure 4. The PRHR-HX is designed to remove decay heat passively for an indefinite time in a closed-loop mode of operation. Together with the operation of the passive containment cooling water storage tank installed above the containment, the IRWST water capacity is sufficient for 72 hours of PRHR operation without operator action and without active AC power [17]. In the VVER series, the VVER-1000/V412, V428M, and V528 are equipped with a passive residual heat removal system (PRHRS) consisting of 4 trains of 33% capacity each, with each train connected to one horizontal steam generator. The steam line of the steam generator has a bypass line to finned-tube air heat exchangers, which reject the core heat to the outside atmosphere [18,19,20]. There are 4 HXs for each train inside a chimney-like structure along the outer surface of the containment up to its top, which enables natural circulation of air, as shown in Figure 5. A similar PRHRS configuration is also used in the VVER-1200/V392M and V523, such as the VVER in Roppur, Bangladesh [21]. The VVER-1200/V509 and VVER-1300/V510K use a configuration of 2 air-cooled heat exchangers for each PRHRS train with an overall capacity of 4 × 33% [16]. The VVER-1200/V491 is equipped with a steam generator passive heat removal system (SG PRHRS), basically similar to Figure 3, to establish long-term core cooling by removing heat from the secondary side of the steam generator in a heat exchanger inside an emergency heat removal tank (EHRT), with air as the ultimate heat sink [22].
The SG PRHRS is a passive four-train system with a train redundancy of 4 × 33%, in which each train consists of 4 heat exchangers. Overall, the system has 4 × 33% capacity for 72 hours of passive operation or 3 × 33% capacity for 24 hours before tank refilling, as shown in Figure 6. The selected SMRs have different, plant-specific engineered safety features. The ACP-100 is an integral pressurized water-cooled SMR with 125 MWe output, developed by the China National Nuclear Corporation (CNNC). Its passive residual heat removal feature relies on the integral once-through steam generators (OTSGs), which transfer the core heat to heat exchangers submerged in cooling pools with 2 × 50% capacity during reactor shutdown [23,24]. The schematic diagram of the ACP-100 passive system is shown in Figure 7. Passive core heat removal continues for 3 days without operator intervention, or 14 days using the additional water supply from the separate in-containment residual water storage tank (IRWST). Core cooling is also supported by conduction through the vessel to the cooling water in a pool surrounding the vessel. The primary coolant flow is achieved by natural circulation, induced by placing the steam generators above the core. The CAREM safety systems rely on passive features, including for depressurization and residual heat removal in case of SBO, as shown in Figure 8 [23,25]. The system consists of a closed pipeline loop that condenses steam from the primary system in emergency condensers, which are heat exchangers with parallel horizontal U-tubes submerged in a cold-water pool inside the containment. The condensers are connected by two headers, one in the reactor vessel steam dome for the steam inlet and the other in the reactor vessel below the water level for the condensate outlet.
The water inside the cooling pool evaporates and is then condensed in a suppression pool inside the containment, the ultimate heat sink, for 36 hours before refilling. NuScale is an SMR design developed by NuScale Power, USA, which consists of at most 12 power modules. Each power module is a small water-cooled integral reactor with 160 MWt or 45 MWe output, enclosed in a high-pressure containment vessel submerged in a water pool. The reactor pool provides passive containment cooling and core decay heat removal. In the event of SBO, the core decay heat is removed passively by the decay heat removal system (DHRS), using two helical steam generators of 2 × 100% capacity and isolation condensers immersed in the reactor pool [23,26]. The DHRS, shown in Figure 9, is capable of a minimum of 3 days of operation using heat exchanger cooling in the water pool without pumps or power, or 30 days with air cooling. Figure 10 [23]. The passive RHRSs operate using a combination of air- and water-cooled heat removal, which is able to cover a post-accident grace period of 72 hours without operator action or power in case of a combined LOCA and SBO event. The last SMR design under consideration is the System-integrated Modular Advanced Reactor (SMART), developed by KAERI, Republic of Korea. It is an integral PWR capable of producing an electrical output of 107 MWe. The reactor core, 8 modular once-through helical-coil steam generators, 4 canned reactor coolant pumps, control rods, in-vessel pressurizer, and other reactor internals are contained inside the reactor pressure vessel. The core decay heat removal is handled first by the active heat removal mechanism using feedwater pumps through the steam generators.
In the case of SBO, the passive residual heat removal system (PRHRS), consisting of 4 trains with 4 × 50% capacity, removes the core decay heat; each train consists of a heat exchanger submerged in an emergency cooling tank (ECT), a makeup tank, and isolation valves, as shown in Figure 11 [23,27]. The system is designed to cool the RCS below the safe shutdown temperature within 36 h and to keep the core undamaged for 72 hours without operator action during the SBO event, and longer when the ECT is replenished periodically by a refilling system. Based on the study of the engineered safety features of the selected PWRs for the SBO event, the CPR-1000, HPR-1000, AP-1000, and all series of VVER-1000, 1200 and 1300 have the capability to remove the core decay heat passively, in which all models use heat exchangers with several redundant trains connected to the secondary side of the steam generators to transfer heat into a cooling water tank. Only the PRHRS of the AP-1000 is connected to the primary system, but without redundancy. The claimed operating period of all PRHR systems is 72 hours before water tank refilling. Only the VVER series using air-cooled heat exchangers are claimed by the vendor to be capable of core cooling for an unlimited period. Among the selected SMR designs, an innovative passive core decay heat removal is shown by the NuScale design, which additionally cools the reactor and containment vessel inside a large water pool, providing extra safety for reactor cooling. Its period of passive core cooling is also the longest compared with the other SMR designs. Like NuScale, the CAREM-25 design also uses natural circulation for full-power operation, yet its passive RHRS is less advanced, with only 36 hours of capability plus an extended period. The other SMR designs use forced circulation with pump operation, but the RITM-200 design has a more advanced passive RHRS, with a combination of air and water cooling of the heat exchanger for a 72-hour grace period.

CONCLUSION
A preliminary assessment of the engineered safety features (ESFs) of selected PWR models with 1000 MWe output and of water-cooled SMRs has been conducted for the SBO event. The focus of the study is the passive mechanism of core decay heat removal in the ESFs, which is typically by condensing steam inside a heat exchanger submerged in a cooling water tank or by air cooling. Of the selected PWR models operated after the Fukushima Daiichi accident in 2011, the CPR-1000, HPR-1000, AP-1000, and all series of VVER-1000, 1200 and 1300 have the capability to remove the core decay heat passively. The most innovative passive RHR, that of the AP-1000, and the longest passive RHR time period, obtained by air cooling in some VVER models, are preferred. Of the selected SMR designs, which are at least under the licensing process, the NuScale design and the RITM-200 have more advantages than the ACP-100, CAREM-25, and SMART. NuScale represents the model with natural circulation during full-power operation and RITM-200 the model with forced circulation. NuScale has the longest time period for passive RHR as claimed by the vendor; however, the design is still under the licensing process. The RITM-200 reactor has a combination of passive air and water cooling of the heat exchanger and is already under construction.