Development of Computerized Severe Accident Management
Guidelines of AP1000 Nuclear Power Plant
Gang Chen [1,2], Shuang Xiao [1], Haidan Wang [1], Yiqiang Xiong [1] and Yixue Chen [1]
[1] State Nuclear Power Software Development Centre, South Side of Future Science & Technology Park,
Changping District, Beijing, China
[2] National Energy Key Laboratory of Nuclear Power Software, Beijing, China
Keywords: Nuclear Power Plant, Computerized Severe Accident Management Guidelines, AP1000.
Abstract: Nuclear power is considered one of the solutions to China's increasing need for clean energy.
Using this clean energy can help reduce the consumption of fossil energy, which benefits the
surrounding areas by protecting the environment from harmful air pollution. However, the consequences of
a severe nuclear accident, such as the Chernobyl and Fukushima accidents, are unbearable. To
improve the safety of nuclear power, severe accidents must be managed so as to reduce their negative
impact on the environment and on people's health. This paper introduces the Severe Accident Management and
Emergency Response System (SAMERS), which aims to help operators and technicians deal with
severe accidents. In particular, it describes in detail the development of the Computerized Severe Accident
Management Guidelines (CSAMG), a module of SAMERS. CSAMG is based on the AP1000 severe
accident management guidelines and could enhance operator performance during a severe accident.
1 INTRODUCTION
Due to the rapid development of the Chinese economy
and the demand for more environmentally friendly
energy, China has issued an ambitious program of
nuclear power development. By 2020, the installed
nuclear capacity will reach 40 GW (CNDRC, 2007), which
means many nuclear power plants will be built in the
next few years. A large share of the newly built nuclear
power plants (NPPs) will be of the AP1000 type,
including the Sanmen and Haiyang NPPs. The Fukushima
accident has drawn people's attention to the
consequences of severe accidents. After the Fukushima
accident, all NPPs in China planned to enhance their
capability for severe accident management and emergency
response, as required by the regulatory organization.
One way to improve the severe accident management
capability is to investigate the scenarios and
phenomena of accidents in order to improve the
calculation of severe accidents. The other efficient way
is to employ a computer-based procedure system rather
than paper-based procedures in the implementation of
severe accident management guidelines (Robert et al., 2009).
To enhance the safety of nuclear power plants,
especially AP1000-type NPPs, during severe
accidents, the Severe Accident Management and
Emergency Response System (SAMERS) is designed
to support the operators and technicians during
severe accident and emergency conditions. It is
intended to monitor the plant status and to
simulate the accident process in advance. It can then
show the plant response to a mitigation
intervention and evaluate the accident consequences.
Computerized Severe Accident Management
Guidelines (CSAMG) is a relatively independent
module of SAMERS. The main function of CSAMG
is to monitor the plant status and to provide proper
advice for mitigating the accident effectively. The
ultimate objective of SAMERS and CSAMG is to be
applied at NPPs for accident mitigation and emergency
response. In the near term, however, SAMERS and
CSAMG would be used to train new operators and
technicians and to enhance their understanding of
severe accident progression.
2 SAMERS
SAMERS consists of 3 subsystems:
(1) Accident Analysis and Prediction Subsystem (AAPS)
(2) Plant Status Evaluation Subsystem (PSES)
(3) Plant Information and Interface Display Subsystem (PIDS)
Chen G., Xiao S., Wang H., Xiong Y. and Chen Y.
Development of Computerized Severe Accident Management Guidelines of AP1000 Nuclear Power Plant.
DOI: 10.5220/0005560901990204
In Proceedings of the 5th International Conference on Simulation and Modeling Methodologies, Technologies and Applications (SIMULTECH-2015),
pages 199-204
ISBN: 978-989-758-120-5
Copyright © 2015 SCITEPRESS (Science and Technology Publications, Lda.)
The Client/Server architecture is employed for its
features of high stability, intensive interaction, mass
data processing and communication. The 4-tier
architecture of SAMERS is shown in Figure 1.
[Figure 1 labels. Layers: Presentation Layer, Business Layer, Data Access Layer, Database Layer.
Components: Plant Data Display, Severe Accident Phenomenon Display, Human Machine Interface,
Software Interface, SA Simulator Operation Platform, Safety Status Evaluation, CSAMG,
Data Access Interface, Plant Data Database, Meteorological Data, Material Data Base.
Subsystems: PIDS, AAPS, PSES.]
Figure 1: The 4-tier architecture of SAMERS.
2.1 AAPS
The main function of AAPS is to simulate the severe
accident scenario using the severe accident
simulator. The simulator adopts the
Severe Accident Source Term (SAST) code as its
calculation engine. It can simulate a scenario in real
time or faster than real time. When
SAMERS is connected to the NPP network, which is
called on-line mode, the plant data transferred
from the detectors on site provide the initial
and boundary conditions for the simulation.
AAPS can then predict the scenario in advance, so that
the operators and technicians can work out
mitigation actions; they can also apply these actions
to the simulator to make sure their impact is positive.
Besides the on-line mode, there is an off-line mode in
which SAMERS is used only as a training system,
meaning that AAPS provides a virtual reactor for the
trainees to operate.
2.2 PSES
PSES consists of 2 major modules: the safety status
evaluation module and CSAMG. The
safety status evaluation module is capable of
evaluating several critical safety statuses, such as
reactor core damage, containment hydrogen
flammability and spent fuel pool status. These safety
statuses are the foremost issues in plant
operation. The module presents clear results of
these safety evaluations, which helps the operators
decide on mitigation actions.
Figure 2: Flowchart of reactor core damage evaluation.
CSAMG is a support tool for the operators and
technicians under severe accident conditions.
When linked to the plant database, it can monitor
the parameters and automatically alert the
operators to dangerous situations that need
attention. It also provides many pieces of mitigation advice.
The function of CSAMG is described in detail
in the next section.
2.3 PIDS
PIDS is the user interface of SAMERS. It not only
displays the real-time plant data, but also shows a
simulation of severe accident phenomena, which helps
users understand the processes taking place in a
severe accident. A visual image of the accident
phenomena is important for trainees learning the
accident scenario. Furthermore, PIDS provides the human
machine interface used to manipulate the
severe accident simulator, and all the software
interfaces, including CSAMG.
3 COMPUTERIZED SEVERE ACCIDENT MANAGEMENT GUIDELINES
The severe accident management guideline is a paper-based
handbook for NPP operators and
technicians to consult when an accident happens. It
requires the operators and technicians to be very
familiar with its content so that they can quickly
locate the information they need. Learning the
guidelines during training courses costs a lot of
time and energy. Under severe accident conditions,
moreover, operators under tension and pressure
may be inefficient at looking things up in the
handbook. Compared to paper-based procedures, a
Computerized Procedure System could improve the
performance of operators in applying procedures
(Lee et al., 2010). It could also reduce workload and
save time during accidents (Yuji et al., 1996).
The development of CSAMG proceeds as follows. First,
the AP1000 SAMG is investigated to learn the work mode of
operators and technicians during an accident. Then
the requirements are analysed to provide the design
basis of CSAMG. Next comes the function design of
CSAMG, with the CSAMG prototype developed at the
same time. The last stage is test and validation. We are
currently in the stage of function design and prototype
development.
3.1 AP1000 SAMG
AP1000 SAMG consists of three major parts (Zheng, 2012):
(1) Control Room Severe Accident Management
Guidelines (CR SAMG);
(2) Technical Support Centre Severe Accident
Management Guidelines (TSC SAMG);
(3) TSC Severe Challenge Response Guidelines
(TSC SCRG).
The CR SAMG is guided by the control room, while
the TSC SAMG and TSC SCRG are both guided by
the TSC. The CR SAMG consists of two separate
guidelines, SACRG-1 and SACRG-2, which are
defined by the status of the Technical Support Centre
(TSC). SACRG-1 is the entry guideline from the
AP1000 EOP to the SAMG, and it includes
many steps that are the same as in the EOP. SACRG-2 is
intended to enhance the cooperation between the control
room and the TSC. The primary responsibility of the TSC is
evaluating the plant status and recommending
possible actions to mitigate the core damage. But if
core damage occurs before the TSC is functional, the
control room operators must respond to the situation;
SACRG-1 is the guideline for this condition. When
the TSC becomes functional, the responsibility for
severe accident management passes to the TSC, and
the operators move on to execute SACRG-2. The
control room operators remain in SACRG-2 until
the TSC decides to exit the SAMG to other procedures.
The TSC SAMG and SCRG can each be divided
into two sections: diagnostics and related
management strategies. These guidelines are used by
the TSC to evaluate the plant status and to
recommend the management strategies. The
diagnostics consist of two parts: a Diagnostic Flow
Chart (DFC) and a Severe Challenge Status Tree
(SCST).
The DFC specifies several key parameters to
monitor for diagnosis of the plant status. The key
parameters are monitored continually and periodically
until all of them are in the safe region, at which
point the plant can be declared safe. If one of the
parameters is outside its range, the TSC should
evaluate the need to implement strategies to bring the
parameter back into the safe range. The strategies are
specified in a set of seven corresponding procedures
called Severe Accident Guidelines (SAGs). It is
worth noting that the mitigation strategies can
have negative impacts, so it is reasonable for the TSC to
decide not to implement any action.
The SCST is the other diagnostic tool; it covers
ongoing fission product releases and challenges to
fission product boundaries. The SCST also identifies
key parameters to be monitored. The
main difference between the DFC and the SCST is the
urgency of implementing the mitigation strategy. In
the DFC, the TSC should evaluate the impacts of a
strategy to determine whether or not to
implement it. In the SCST, because conditions are
serious, the strategy should be
implemented immediately without evaluating
its impact, because without the mitigation strategy
fission products are about to be released.
The seven SAGs corresponding to the DFC
specify a systematic, logical evaluation of the possible
mitigation strategies for a given parameter. The SAGs
help the TSC staff identify the feasibility of
implementation, the balance of positive and negative
impacts, the signs of a successful strategy, and the
long-term concerns of the strategy.
The four SCGs corresponding to the SCST are
similar to the SAGs, but they do not need the
evaluation of positive and negative
impacts. With the SCGs, the TSC staff only need
to determine the most appropriate strategy and to
identify the signs of success and the long-term
concerns of the strategy.
3.2 Requirement Analysis
A computerized procedure system, based on computer
information processing, aims to assist operators and
TSC members in monitoring and controlling the
implementation of procedures. The ultimate goal of
CSAMG is to assist the TSC members and operators in
executing the SAMG.
The basic functional requirements of CSAMG are
similar to those of the CPS used for the AOPs and EOPs
(Gang, 2013). But because the AP1000 SAMG differs
from other procedures, some requirements are
specific to the CPS of the AP1000 SAMG. Analysing
them helps make the design more appropriate.
(1) CSAMG shall be capable of identifying data
availability and judging data quality. The key
parameters specified in the DFC and SCST are very
important for the TSC staff in evaluating the status
of the plant. If the data is not available, the CPS
should warn the user, and the user should
make the judgement for the procedure.
(2) CSAMG shall be capable of parallel monitoring of the
plant status, especially the availability of systems
and equipment (Park and Ahn, 2010). Any
change in availability shall be
displayed as a warning to the operators and TSC
technicians. The situation in a severe accident is
very complex, and the status of plant systems and
equipment may change at any time. Since the
availability of systems and equipment directly affects
the mitigation strategies, TSC technicians
shall be made aware of it in a timely manner. They need
to re-evaluate the strategies already in use.
(3) CSAMG shall provide a convenient operation
mode so that the control room operators and TSC
technicians can cooperate better. The information
transfer and interaction in severe
accident operation require a convenient tool in
CSAMG to make communication and
cooperation more effective. The communication
function shall be combined with parameter
monitoring and strategy evaluation.
(4) CSAMG shall support networked operation by
multiple users cooperating from different locations.
As mentioned above, the AP1000
SAMG is implemented by the main control room
and the TSC technicians. The TSC staff could be a
group of experts in different places who
work on-line together with the control room to
produce the execution orders. Furthermore, the CPS
should guide the users in working together. Different
users may have different tasks: some of them
may only evaluate the plant, while others
take actions. Alternatively, the status of the plant is
evaluated by different users, and the final decision on
implementing the procedures is made through joint
discussion among these users.
(5) After a strategy is implemented, its long-term
impact should be monitored. As the
availability of systems and equipment changes,
the old strategy may no longer be the most
appropriate way to mitigate the accident. But
monitoring every strategy that has been executed is
difficult for operators or TSC technicians.
CSAMG shall be capable of automatically
monitoring the necessary information on
implemented strategies. This function shall
work together with the parallel
monitoring function.
(6) CSAMG shall provide easy access to the
execution of mitigation strategies, for example by
providing a link to the operation interface of the related
systems and equipment. This function could
accelerate the process of accident mitigation,
which especially benefits the management of fast-acting
core damage sequences.
(7) CSAMG shall be capable of connecting to the
severe accident simulator. The severe accident
simulator can simulate different scenarios to help
trainees manage severe accidents and to help
validate the CSAMG. In practical application,
as opposed to training, the severe accident
simulator could also help the TSC technicians
evaluate potential strategies by simulating
them in advance and showing their impact on the
plant.
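The DFC/SCST distinction from Section 3.1 and the data availability check of requirement (1) can be sketched as one monitoring cycle. This is an added example, not code from CSAMG: the parameter names, limits, staleness limit and guideline ids (SAG-A, SAG-B, SCG-A) are constructed placeholders, and declaring the plant safe only when no advisory is open is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Parameter names, limits and guideline ids are constructed placeholders,
# not AP1000 setpoints or identifiers from the real SAMG.

@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # None: the detector delivers nothing
    age_s: float            # seconds since the sample was taken

@dataclass(frozen=True)
class Check:
    parameter: str
    low: float
    high: float
    guideline: str          # a SAG for a DFC entry, an SCG for an SCST entry

MAX_AGE_S = 30.0            # assumed staleness limit used as the quality test

DFC = [Check("core_exit_temp_c", 0.0, 650.0, "SAG-A"),
       Check("containment_h2_pct", 0.0, 4.0, "SAG-B")]
SCST = [Check("containment_pressure_kpa", 0.0, 500.0, "SCG-A")]

def usable(reading):
    """Data availability and quality gate (requirement 1)."""
    return (reading is not None and reading.value is not None
            and reading.age_s <= MAX_AGE_S)

def evaluate(readings):
    """One monitoring cycle: returns (plant_safe, advisories).

    SCST entries are checked first and yield IMPLEMENT_NOW; DFC entries
    yield TSC_EVALUATE, leaving the decision to the TSC. A parameter that
    cannot be trusted never counts as safe: it yields DATA_UNAVAILABLE.
    """
    advisories = []
    for tree, action in ((SCST, "IMPLEMENT_NOW"), (DFC, "TSC_EVALUATE")):
        for check in tree:
            reading = readings.get(check.parameter)
            if not usable(reading):
                advisories.append(
                    ("DATA_UNAVAILABLE", check.parameter, check.guideline))
            elif not check.low <= reading.value <= check.high:
                advisories.append((action, check.parameter, check.guideline))
    # Assumption: the plant is declared safe only with no open advisory.
    return not advisories, advisories

# Constructed three-cycle timeline standing in for the plant database.
TIMELINE = [
    {"core_exit_temp_c": Reading(400.0, 2.0),
     "containment_h2_pct": Reading(5.2, 2.0),          # outside DFC range
     "containment_pressure_kpa": Reading(180.0, 2.0)},
    {"core_exit_temp_c": Reading(400.0, 2.0),
     "containment_h2_pct": Reading(3.1, 2.0),
     "containment_pressure_kpa": Reading(None, 2.0)},  # detector lost
    {"core_exit_temp_c": Reading(700.0, 2.0),
     "containment_h2_pct": Reading(3.1, 95.0),         # stale sample
     "containment_pressure_kpa": Reading(620.0, 2.0)}, # severe challenge
]

def run_timeline(timeline=TIMELINE):
    return [evaluate(cycle) for cycle in timeline]

if __name__ == "__main__":
    for n, (safe, advisories) in enumerate(run_timeline(), 1):
        print(f"cycle {n}: safe={safe}")
        for advisory in advisories:
            print("   ", *advisory)
```

A lost or stale detector is reported as its own advisory rather than silently treated as in range, which is the failure mode the conclusions raise about detector survival.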
3.3 Design Proposal
According to the requirement analysis,
CSAMG is designed to have two modes. One is the
on-line mode, in which it connects to the plant database
or the severe accident simulator for use in accident
mitigation and training. The other is the off-line
mode, in which it is independent of any data
source and can be used by students to learn
the content of the SAMG.
3.3.1 Architecture
The architecture of CSAMG is shown in Figure 3. It
is similar to the architecture of SAMERS; both
are client/server.
Figure 3: The architecture of CSAMG.
3.3.2 Module Function
CSAMG can be divided into 7 modules, each with a
relatively independent function.
(1) Account Management. This module is used for
assigning user roles and user authorities. There
are 5 basic user roles: administrator, operators,
TSC technicians, trainer and trainee. Different
roles are assigned different user authorities.
Proper role assignment benefits user
cooperation during an accident. Furthermore, a user
authority can be assigned separately to qualified
users, because important operations may
have great influence on reactor safety. Only
qualified users have the right to execute
functions of this kind.
(2) User Collaboration. User collaboration is a special
feature of the AP1000 CSAMG. The cooperation of
the 2 major users of the AP1000 SAMG, operators
and TSC technicians, is the foundation of SAMG
implementation, so the communication between them
is very important. With the
paper-based SAMG, communication through talking
and writing is inefficient. In
CSAMG, users can send messages to
each other in the chat window and can also send a
link to the guideline they are currently reading.
This efficient way of sharing information and
opinions saves time and helps the users
focus on the issues of the accident.
(3) Guidelines Management. CSAMG can automatically
evaluate the plant status. If the parameters
fulfil the conditions of a guideline, CSAMG
reminds the user to initiate the guideline and
follow the instructions. The ultimate
power of decision remains with the users, who
can decide whether or not to follow the guidelines.
The content of the SAMG needs to be built into
CSAMG before use. The Guidelines
Management module implements the functions
add guideline, edit guideline, delete guideline and
logic builder. The logic builder is used to build the
logic that CSAMG needs to calculate when it
evaluates whether the conditions of a guideline are
fulfilled.
(4) Guidelines Operation. Guidelines Operation is the
core function of CSAMG. CSAMG displays the
content of the SAMG as a flowchart, so the users can
clearly see the previous and next steps. The
detailed content of the present step is displayed
too. Users can mark the present step as the
implementing step and go on to read information
on any step in any guideline. When the users
want to go back to the implementing step,
CSAMG provides a return function that brings up
the display interface of the implementing step at
the click of one button. This is very helpful when
users need to read a lot of content in many
different guidelines. CSAMG also provides a
link to the related operator HMI, where
operators need to complete the actions that the
guidelines instruct.
(5) Parallel Monitoring. CSAMG is connected to the
database of plant parameters or to the severe accident
simulator. All the parameters related to the
guidelines are monitored in CSAMG. Any of
them that reaches its set point or leaves the safe
region raises an alarm to the users. Users can read
the real-time values of these parameters and
go directly into the related display interface of
the guidelines. Users can choose parameters of
particular concern to be displayed in a
specific window.
(6) Search. The search function lets the user
find specific text or parameter
information, such as which guidelines need to
monitor core damage, or the specific parameters they
want to monitor. It includes a fuzzy search
function to help users retrieve the information they
need. It is useful not only for accident mitigation
but also for training.
(7) Quick Deployment. Quick deployment means that
CSAMG can export the settings of the SAMG, so that
another client can import them to complete deployment.
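The two-level scheme of the Account Management module, a role plus separately assigned authorities for important operations, can be enforced with a default-deny check like the one below. This is an added example, not CSAMG code: the permission names, the role-to-permission mapping and the choice of critical operations are assumptions.

```python
from dataclasses import dataclass, field

# Role names follow the paper. Permission names, the role mapping and the
# CRITICAL set are assumptions made for this example.
ROLE_PERMISSIONS = {
    "administrator":  {"manage_accounts"},
    "operator":       {"view_guideline", "mark_step", "open_hmi_link"},
    "tsc_technician": {"view_guideline", "mark_step", "edit_guideline"},
    "trainer":        {"view_guideline", "mark_step"},
    "trainee":        {"view_guideline"},
}
# Important operations: the role alone is not enough, the user must also
# hold the matching individually assigned authority.
CRITICAL = {"open_hmi_link", "edit_guideline"}

@dataclass
class User:
    name: str
    role: str
    authorities: set = field(default_factory=set)

class AccountManager:
    def __init__(self):
        self.users = {}
        self.audit = []          # (actor, operation, target, allowed)

    def add_user(self, name, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[name] = User(name, role)

    def _permits(self, name, operation):
        user = self.users.get(name)
        if user is None or operation not in ROLE_PERMISSIONS[user.role]:
            return False         # default deny
        return operation not in CRITICAL or operation in user.authorities

    def check(self, name, operation):
        allowed = self._permits(name, operation)
        self.audit.append((name, operation, None, allowed))
        return allowed

    def grant(self, admin, target, operation):
        """Assign a critical authority to a qualified user.

        Refused unless the actor is an administrator, the operation is a
        critical one inside the target's role, and actor and target differ.
        """
        user = self.users.get(target)
        allowed = (self._permits(admin, "manage_accounts")
                   and user is not None and admin != target
                   and operation in CRITICAL
                   and operation in ROLE_PERMISSIONS[user.role])
        if allowed:
            user.authorities.add(operation)
        self.audit.append((admin, "grant:" + operation, target, allowed))
        return allowed

def demo():
    am = AccountManager()
    for name, role in [("root", "administrator"), ("op1", "operator"),
                       ("op2", "operator"), ("stu", "trainee")]:
        am.add_user(name, role)
    return {
        "op1_before": am.check("op1", "open_hmi_link"),         # no authority yet
        "self_grant": am.grant("op1", "op1", "open_hmi_link"),  # not an admin
        "grant_op1": am.grant("root", "op1", "open_hmi_link"),
        "op1_after": am.check("op1", "open_hmi_link"),
        "op2_same_role": am.check("op2", "open_hmi_link"),      # still unqualified
        "grant_outside_role": am.grant("root", "stu", "edit_guideline"),
        "trainee_view": am.check("stu", "view_guideline"),
        "audit_entries": len(am.audit),
    }

if __name__ == "__main__":
    print(demo())
```

Every decision, including refused grants, lands in the audit list, so a later review can see who was qualified for which important operation and when.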
DevelopmentofComputerizedSevereAccidentManagementGuidelinesofAP1000NuclearPowerPlant
203
3.4 Verification and Validation Plan
Since the CSAMG is designed to assist the users to
deal with the severe accidents of NPPs, it needs a lot
of verification and validation (V&V). The V&V
process could be divided into several parts:
(1) V&V of SA simulator;
(2) Verification of CSAMG contents;
(3) Verification of CSAMG logic;
(4) Validation of CSAMG by operating it with the SA
simulator.
Firstly, the V&V of the SA simulator is very important to
the whole V&V process of CSAMG. Because of
the uncertainty of severe accidents, V&V of the SA
simulator is itself a challenge (Jeong et al., 2002).
Our SA simulator will run all the accident scenarios
that are analysed in the PSA report of the AP1000 NPP.
The results will be analysed to make sure they are
reasonable.
Secondly, the contents of CSAMG must be the
same as the handbook of the AP1000 SAMG.
CSAMG can export all its contents into a pdf file
in the format of the AP1000 SAMG. Comparing these
two files will verify the contents of CSAMG.
Thirdly, the logic of CSAMG needs to be tested
carefully to make sure that all monitored parameters
and their evaluation mechanisms are set correctly.
Last but not least, CSAMG will be operated while
connected to the SA simulator to mitigate the
simulated accidents. Through this practice, it can
be validated whether CSAMG helps the users in
accident mitigation.
4 CONCLUSIONS
In this paper SAMERS is described in brief as an
emergency support system for dealing with severe
accidents. CSAMG, as one of its modules, is an
assistant tool for severe accident mitigation.
CSAMG could help the SAMG users achieve better
performance.
CSAMG could improve the cooperation between
the operators and TSC technicians. It could monitor
the plant status automatically and recommend the
mitigation strategies. It is efficient to provide useful
information of SAMG related to the current accident
status. It will save time, reduce human errors, and
improve plant safety.
There are some problems in the development of
CSAMG. One is the survival of detectors and
equipment during a severe accident. The lack of a
data source could paralyse the monitoring
function of CSAMG, and without the monitored
parameters CSAMG cannot evaluate the status or
provide advice. Another problem is that the evaluation of
mitigation strategies is based on the current conditions
and depends on the experience of the operators. There are
no rules that cover the evaluation of all strategies, so
CSAMG may provide some improper strategies that
confuse the operators. The validation of CSAMG is also a
question that needs further discussion.
ACKNOWLEDGEMENTS
The research is funded by the Chinese National
Science and Technology Major Project under contract
No. 2013ZX06004-008.
REFERENCES
CNDRC, 2007. Nuclear Power Medium and Long Term
Development Plan (2005~2020), Beijing: Chinese
National Development and Reform Commission.
Gang, C., 2013. Functional Requirements of Computerized
Severe Accident Management Guidelines, Beijing:
SNPSDC.
Jeong, K.-S., Kim, K.-R., Jung, W.-D. & Ha, J.-J., 2002.
Development of Severe Accident Management
Advisory and Training Simulator (SAMAT). Annals of
Nuclear Energy, pp. 2055-2069.
Lee, J.-W., Kim, J.-T. & Park, J.-C., 2010. Computer-based
Alarm Processing and Presentation Methods in
Nuclear Power Plants. World Academy of Science,
Engineering and Technology, pp. 594-598.
Park, S.-Y. & Ahn, K.-I., 2010. SAMEX: a Severe Accident
Management Support Expert. Annals of Nuclear
Energy, pp. 1067-1075.
Robert, F. T., Charles, K. D., Lewis, H. F. & Joseph, N. A.,
2009. Guidelines for Design and Implementation of
Computerized Procedures. Nuclear News, pp. 85-90.
Yuji, N., Hollnagel, E. & Green, M., 1996. Guidelines for
Computerized Presentation of Emergency Operating
Procedures. Nuclear Engineering and Design, 7, pp.
113-127.
Zheng, Y., 2012. The Foundation of Severe Accident
Management Guidelines of AP1000 Nuclear Power
Plant. Technology Innovation and Application, pp. 6-7.
SIMULTECH2015-5thInternationalConferenceonSimulationandModelingMethodologies,Technologiesand
Applications
204