[N+1 Safety Criterion and N+2 Safety Criterion]
The most general safety criterion applied to the design of an emergency core cooling system (ECCS) of a conventional boiling water reactor is the single failure criterion. In a safety assessment for a loss of coolant accident (LOCA), which is one of the design basis accidents (DBA), the single failure criterion assumes the occurrence of a single failure in the emergency core cooling system and requires that the required cooling of the core be sufficiently performed even in a state where at least one emergency core cooling system is unable to function. Hereinafter, this criterion is referred to as the N+1 criterion.
The emergency core cooling system of the conventional boiling water reactor is generally divided into two to four safety divisions. A plurality of systems are provided in one safety division, and electric power is supplied to the plurality of systems provided in one safety division from an emergency power source provided for each safety division.
In general, only one emergency power source is provided in one safety division, so that when a failure of the emergency power source is assumed to be the single failure, it is determined in the safety assessment that all motor-driven systems in the one safety division become unable to function. Actually, electric power is supplied from an offsite power system, so that the motor-driven systems in the one safety division do not become unable to function due to only the single failure of the emergency power source. However, the safety assessment is conservatively required to simultaneously assume a loss of the offsite power system. Thus, it is required to assume in the safety assessment that only the single failure of the emergency power source causes all the motor-driven systems in the one safety division to become unable to function.
The term “division” refers not only to a division corresponding to the emergency power source, but also to a special area defined by physical separation walls (fire walls or water-leak-tight walls) built against anticipated fire, flooding, and so on in a plant so as to isolate the division from the influence of anticipated events occurring in another division. That is, even if an event in which the emergency core cooling system corresponding to one division is disabled completely due to fire or flooding is assumed as the single failure, the plant is designed such that the single failure exerts no influence on another division. A division including a safety system is referred to as a “safety division”. A division not including a safety system but including a non-safety system is referred to as a “non-safety division”.
In the single failure of the safety system, a loss of function of one entire safety division results in the most severe decrease in safety function, so the safety system single failure is assumed by selecting a component (e.g., the emergency power source) or a cause (e.g., fire or flooding) that may bring about the loss of function of one entire safety division.
When a failure in the emergency core cooling system is found in a periodic inspection made during operation of the plant, operation is allowed to continue for about 7 to 10 days, on the ground that the single failure has already occurred, and the operation of the plant is stopped if the failure cannot be resolved during those 7 to 10 days. This regulation is carried out by restricting the AOT (Allowed Outage Time) according to the technical specifications. Hereinafter, this requirement is referred to as the AOT regulation.
The above safety design of the emergency core cooling system based on the N+1 criterion and the restriction of plant operation based on the AOT regulation are both applied in the US and Japan. In these countries, the reliability of the emergency core cooling system is very high and failures rarely occur, so this safety design and restriction of plant operation are applied as a rational and efficient method. On the other hand, the safety criterion of some European countries includes not only the single failure criterion, but also a criterion that requires assuming the loss of function of another safety division through on-line maintenance. This criterion is hereinafter referred to as the N+2 criterion.
That is, the N+2 criterion requires the plant to be designed on the assumption that a failure exists in one component of the emergency core cooling system on a steady basis and that maintenance (on-line maintenance) is always being performed during operation of the plant. It also requires the safety design and safety assessment to be carried out on the assumption that another failure occurs when a remaining system of the emergency core cooling system in a standby state is automatically started up upon occurrence of a design basis accident. The N+2 criterion is a very safety-conscious safety criterion. Under the N+2 criterion, on-line maintenance of only one emergency core cooling system can be performed for an indefinite time period. It follows that applying the N+2 criterion allows maintenance of the emergency core cooling system to be performed entirely during operation of the plant, which may significantly contribute to a reduction in the plant outage time period and to enhancement of safety during the plant outage time period.
Assume that a loss of coolant accident, which is one of the design basis accidents, has occurred under the N+2 criterion. More specifically, it is assumed that the piping of one system of the emergency core cooling system is broken, causing the loss of coolant accident, and that two emergency core cooling systems become unable to function due to the single failure and on-line maintenance. Thus, at least four systems of the emergency core cooling system are required. Further, the N+2 criterion assumes that two divisions become unable to function due to a single failure and on-line maintenance, so that at least three divisions are required. When three active safety divisions are provided, two systems are required in one of the divisions and, further, symmetry needs to be considered, with the result that two emergency core cooling systems need to be provided for each safety division.
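The counting argument above can be checked by brute force. The following Python sketch is an added example, not part of the original document; it assumes that a single failure or on-line maintenance disables one whole division, that the pipe break disables one system, and that one surviving system is sufficient to cool the core. The function names are hypothetical.

```python
from itertools import combinations, product

def survives(layout, lost_divisions):
    """layout[i] = number of core cooling systems in active division i.

    Model (assumed for this example): `lost_divisions` whole divisions are
    disabled (single failure and/or on-line maintenance), the LOCA breaks the
    piping of any one system, and one surviving system is enough to cool.
    Returns True only if every such combination leaves a working system.
    """
    if len(layout) <= lost_divisions:
        return False  # nothing can remain once that many divisions are lost
    systems = [(d, s) for d, n in enumerate(layout) for s in range(n)]
    for lost in combinations(range(len(layout)), lost_divisions):
        for broken in systems:
            if not any(x[0] not in lost and x != broken for x in systems):
                return False
    return True

def meets_n_plus_1(layout):
    return survives(layout, 1)

def meets_n_plus_2(layout):
    return survives(layout, 2)

def smallest_n_plus_2_layouts(max_divisions=4, max_per_division=2):
    """Brute-force the layouts with the fewest systems that meet N+2."""
    ok = [l for d in range(1, max_divisions + 1)
          for l in product(range(1, max_per_division + 1), repeat=d)
          if meets_n_plus_2(l)]
    fewest = min(sum(l) for l in ok)
    return fewest, sorted(l for l in ok if sum(l) == fewest)

if __name__ == "__main__":
    print(smallest_n_plus_2_layouts())
    for layout in [(1, 1, 1), (2, 1, 1), (2, 2, 2), (1, 1, 1, 1)]:
        print(layout, "N+1:", meets_n_plus_1(layout),
              "N+2:", meets_n_plus_2(layout))
```

Under this model the fewest systems that meet N+2 is four, spread over four divisions, and with exactly three divisions only the symmetric two-per-division layout passes, which matches the text.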
[Emergency Core Cooling System of “BWR72”]
An emergency core cooling system of “BWR72” in Germany is a representative example that meets the N+2 criterion by providing three active divisions. Hereinafter, with reference to FIG. 7, a configuration of the emergency core cooling system of the German “BWR72” will be described.
Referring to FIG. 7, the emergency core cooling system, having three active divisions, includes a motor-driven high pressure core injection system (HPCI) 25, a motor-driven low pressure core injection system (LPCI) 26, and an emergency diesel generator (EDG) 4 for each division. Two motor-driven systems are provided for each division and, correspondingly, a capacity of each emergency diesel generator 4 is large. Further, the emergency core cooling system is designed such that when a reactor component cooling water system (not illustrated) provided for each active safety division has become unable to function, the high pressure core injection system 25 and the low pressure core injection system 26 provided in a corresponding division become unable to function simultaneously. Thus, although a total number of the emergency core cooling systems is six, non-reliabilities of the reactor component cooling water systems provided in respective three divisions determine the entire reliability. Similarly, when the emergency diesel generator 4 for supplying electric power to each active safety division has failed, the high pressure core injection system 25 and the low pressure core injection system 26 provided in a corresponding division become unable to function simultaneously.
[Emergency Core Cooling System of “BWR75”]
As another representative example of the BWR designed under the N+2 criterion, there is known a “BWR75” in Sweden. Hereinafter, with reference to FIG. 8, an outline of the emergency core cooling system of the Swedish “BWR75” will be described.
Referring to FIG. 8, the emergency core cooling system, having four safety divisions, includes an auxiliary feed water system (AFS) 31, a low pressure core injection system 26 or a low pressure core spray system (LPCS) 32, a residual heat removal system (RHR), and an emergency diesel generator 4 for each safety division. The low pressure core injection system 26 or the low pressure core spray system 32 and the residual heat removal system are independently provided without sharing a pump. Since the residual heat removal system of the “BWR75” is dedicatedly used as a containment cooling system for cooling a wet well and a dry well of a containment vessel at a design basis accident, it is indicated as a wet well/dry well cooling system (WDCS) 24.
All the systems use motor-driven pumps, the total number of systems is as large as 12 and, correspondingly, the capacity of each emergency diesel generator 4 is large. Nevertheless, the plurality of motor-driven emergency core cooling systems provided for each active division all become unable to function due to a failure of the corresponding emergency diesel generator 4. Similarly, when a reactor component cooling water system (not illustrated) provided for each active safety division has failed, all the emergency core cooling systems provided in the corresponding division become unable to function.
[Example in which Passive Safety Division is Provided in Addition to Active Safety Divisions Meeting N+2 Criterion]
As described above, the emergency core cooling system having the active divisions meeting the N+2 criterion has sufficient redundancy and is thus high in safety. On the other hand, there is known a technique of Patent Document 1 as an example in which a passive safety division is provided in addition to the active divisions meeting the N+2 criterion. A system in which the passive safety division is provided independently of the active safety divisions as described above so as to enhance safety further is referred to as an in-depth hybrid safety system.
This background art will be described based on FIG. 9. Referring to FIG. 9, there are first, second, and third safety divisions as the active safety divisions. A fourth division is a passive safety division. Each of the three active safety divisions includes a high pressure core cooling system (HPCF) 1, a low pressure core cooling system (LPFL) 2 which is also used as a residual heat removal system 3, and an emergency diesel generator 4 that supplies electric power to both the high pressure core cooling system 1 and the low pressure core cooling system 2. The passive safety division includes an isolation condenser (IC) 5, a passive containment cooling system (PCCS) 8, and a gravity-driven cooling system (GDCS) 9.
As a result, even if the emergency core cooling system having three active safety divisions becomes entirely unable to function due to natural disaster such as a giant earthquake or a giant tsunami, the safety of the reactor can be ensured by the emergency core cooling system of the passive safety division. However, two emergency core cooling systems are provided for each active safety division, resulting in six systems in total, which exceeds the minimum number (four, as described above) of systems required for the N+2 criterion.
Each emergency diesel generator 4 requires a large capacity of, e.g., about 5,000 kW due to need of supplying electric power to two emergency core cooling systems. As a result, a physical quantity of components and cost for the emergency core cooling system having the active safety divisions meeting the N+2 criterion are increased. The increase in the physical quantity of components correspondingly increases a volume of a reactor building housing the components. Further, addition of the fourth passive safety division also increases the physical quantity and cost of the entire emergency core cooling system. Furthermore, when a reactor component cooling water system (not illustrated) provided for each active safety division has become unable to function, both the high pressure core cooling system 1 and the low pressure core cooling system 2 are disabled, so that the non-reliability of all the active safety divisions is determined by the non-reliabilities of the reactor component cooling water systems provided in respective three divisions.