Development of Fuel Product Barrier Monitoring System Based on State Functions in State-Oriented Emergency Operating Procedure

For pressurized water reactor nuclear power plants, in order to prevent the release of radioactive substances into the environment, fission product barriers (FPBs) are constructed based on the concept of defense-in-depth, including fuel clad, reactor coolant system (RCS), and containment; the status of these FPBs then serves as an important dimension in decision-making on emergency action levels (EALs). For CPR1000 nuclear power plants, state functions defined in the state-oriented emergency operating procedure (SOP) are used to characterize postaccident physical conditions; their degradation substantially represents the challenges to fundamental safety functions and, in like manner, to the integrity of FPBs, so degradation of these state functions is used to determine the initial conditions of each FPB, by which the link between SOP and EALs is established. Then, an intelligent FPB monitoring system (FPBMS) aiming to automatically monitor states of FPBs is developed, verified, and validated. The pioneering work, by building bridges between state functions and initial conditions of FPBs and then computerizing them innovatively, proves that dynamic monitoring of states of FPBs during accident evolution and real-time indication of loss or potential loss of FPBs can be achieved, which is most helpful in decision-making on EALs.


Introduction
Nuclear accidents are different from other accidents in that they may lead to unacceptable release of radioactive substances into the environment. In order to quickly and effectively control and mitigate the consequences of nuclear accidents, a nuclear power plant should establish a thorough emergency plan for nuclear accidents and maintain adequate emergency preparedness (IAEA [1,2]), within which determination of emergency classification levels (ECLs) and emergency action levels (EALs) is a very important issue. As for nuclear power plants in China, EALs are progressively divided into four action levels: emergency standby, facility emergency, on-site emergency, and off-site emergency (NNSA [3,4]).
In order to prevent the release of radioactive substances into the environment, nuclear power plants have set up multiple fission product barriers (FPBs); these FPBs are fundamentally constructed based on the concept of defense-in-depth; as long as any of the physical barriers remains intact, it can effectively prevent the large-scale release of radioactive fission products into the environment. For pressurized water reactors, three primary FPBs are generally constructed, including fuel clad, reactor coolant system (RCS), and containment. The status of these FPBs has also been acting as an important dimension while developing site-specific EALs, in which it is usually classified as recognition category F, that is, evaluating threats to each FPB after accidents and identifying typical symptoms indicating that its integrity is potentially or substantially challenged, and then initial conditions relative to the FPB are determined based on these symptoms (NEIs [5,6]).
How to evaluate threats to each FPB and screen out the representative symptoms indicating its state has become the key problem. As for the methodologies for development of EALs, Shi [7] suggested a general methodology to determine EALs based on postaccident plant conditions, Liu et al. [8] investigated the popular technical systems for development of EALs, and recognition category "A" was specially studied (Liu [9]), He et al. [10] advanced a system of generic intervention levels and generic action levels for HPR1000, and Zang et al. [11] suggested a risk-informed optimization method of EALs for advanced passive light reactors. Meanwhile, emergency operating procedures (EOPs), aiming to monitor and control the reactor after accidents, have been suggested to be coupled with EALs. Faletti et al. [12] attempted to integrate EALs with Combustion Engineering EOPs, Yang [13] joined the critical safety functions status tree (CSFST) in EOP with EALs for Qinshan nuclear power plant, Yu [14] tried to connect the event-oriented EOPs with EALs for Fuqing nuclear power plant, and Zhang and Xu [15] discussed the initial conditions of EALs relative to anticipated transients without scram (ATWS). NEI [5,6] suggested that some red paths of CSFST, indicating severe degradation of critical safety functions, can be directly taken as the symptoms of loss or potential loss of an FPB, and thereupon can be referred to as the initial conditions of recognition category F. As for computerization of EALs, Chen et al. [16] realized a primary EALs semiautomatic judgment and warning system which still mostly depended on personal judgments. It should also be noted that CSFST is characteristic of symptom-oriented EOPs developed by Westinghouse; when these initial conditions are applied to CPR1000 nuclear power plants, which adopt the state-oriented EOP (SOP), a series of problems emerge, such as inappropriate parameters and thresholds, difficulty of execution, and so on.
This study aims to establish the link between SOP and EALs. After capturing the functional requirements, for each FPB, we determine initial conditions representing its loss or potential loss based on the degradation states of state functions as well as several other important parameters; then an intelligent FPB monitoring system, aiming to dynamically monitor and indicate states of FPBs during accident evolution, is developed, verified, and validated.

Functional Requirement
Appropriate parameters and reasonable thresholds are the basis of judging the integrity of FPBs after accidents. These parameters and thresholds should represent the typical symptoms of credible threats which may lead to loss of integrity of an FPB, excluding all other conditions where the integrity of the FPB is not challenged. SOP in CPR1000 nuclear power plants is developed based on six state functions of the nuclear steam supply system (NSSS); these six state functions can characterize postaccident states of the reactor representatively, as shown in Table 1. Rather than finding out the reason for the accident, SOP aims to control the six state functions, to prevent them from degradation, or to restore them after their degradation. As long as these state functions are well managed, the safety of the reactor will be ensured; once degradation of state functions is detected, operators will be oriented to corresponding accident strategies and operating sequences to restore them in an orderly way (J. Mišák [17]). SOP has a loop structure to keep periodic surveillance on these state functions, so as to detect possible concurrent accidents and change accident strategy in time. Although the initial conditions of FPBs focus on the threats to the integrity of FPBs, they are consistent with the physical conditions characterized by degradation of state functions in SOP from the point of view of the impact on fundamental safety functions (reactivity, core cooling, and containment); for example, degradation of secondary water inventory in SOP indicates that the residual heat cannot be effectively removed by steam generators (SG) and core cooling cannot be ensured anymore, which also certainly presents a potential challenge to the integrity of RCS.
Therefore, the parameters and thresholds relative to state functions that have been well defined in SOP can be taken as the typical symptoms of loss or potential loss of FPBs as long as they essentially represent the same physical significance; for this reason, the degradation of state functions can be relied on to determine the initial conditions of FPBs, which will build a bridge between SOP and EALs and is conducive to timely and reasonable decision-making on EALs after accidents.
Additionally, the state functions are periodically monitored only at the end of each operating sequence, with a period of about 20 min, during which time SOP will complete a loop; this interval may delay the annunciation of EALs for some time, so we consider building an intelligent FPB monitoring system (FPBMS). Taking advantage of the digital control system (DCS), the system should be able to automatically perform surveillance on the integrity of FPBs and indicate the status of FPBs under accident conditions in a timely manner.

FPB Initial Conditions
For each FPB, as suggested in NEI 99-01 [6], two states are defined: loss and potential loss. Then, for each state of each FPB, the initial conditions are determined based on degradation of state functions as well as several other important parameters; these initial conditions are constructed into judgment logics which will be configured in FPBMS.

Fuel Clad Barrier.
The fuel clad barrier consists of all the clad of fuels in the reactor core. For CPR1000 nuclear power plants, the logical criteria related to the state of the fuel clad barrier based on state functions are shown in Figure 1.
We regard the beginning of uncovering of fuel assemblies in the core as a criterion for potential loss of the fuel clad barrier. CPR1000 nuclear power plants have installed a core cooling and monitoring system (CCMS) which supplies both ΔTsat and RPVL measurements to monitor state functions WR (P, T) and IE P, respectively (He et al. [18]); these two state functions are dedicated to identifying the core cooling state in postaccident conditions and thus can be used to detect whether fuel assemblies are beginning to uncover or not:
(1) Degradation of IE P: in SOP, it is characterized by RPVL lower than the top of the core. The scenario could only appear following continual draining of primary coolant; degradation of IE P means that the water level in the reactor pressure vessel has begun to be lower than the physical level of the core, and fuel assemblies are beginning to uncover.
(2) Degradation of WR (P, T) due to overheating: in SOP, it is characterized by ΔTsat < -ε, where "ε" is the uncertainty surrounding the measurement of ΔTsat (Wang et al. [19]). Negative ΔTsat means that the subcooling margin of coolant at the core outlet has actually been lost and superheated steam is beginning to appear at the core outlet; the phenomenon can only occur when the fuel assemblies are beginning to uncover.
(3) In terms of the secondary side, degradation of IE S, which is characterized by L SG WR < −3 m in SOP, means that SGs have lost their capacity for heat removal due to the near dry-out of the secondary side water inventory. As the residual heat cannot be effectively removed, overheating in the core and failure of fuel assemblies is anticipated, and this also indicates a potential loss of the fuel clad barrier.
We regard the beginning of the failure of fuel clad as a criterion for loss of the fuel clad barrier. T RIC > 650°C, as the temperature criterion for entering the severe accident management guideline (SAMG), indicates that the upper half of the core has already uncovered and failure of fuel clad is anticipated in several minutes; it is therefore taken as an initial condition for loss of the fuel clad barrier. As for state function INT E, if its severe degradation is caused by high dose rate in containment as shown in Figure 2, it means that a certain proportion (about 2%∼5%) of the fuel clad has failed and radioactive substances (such as noble gases) filling the pellet-clad gap have been released into the primary coolant and then into the containment; this condition also indicates loss of the fuel clad barrier.

RCS Barrier.
The RCS barrier consists of the RCS primary side, pressurizer safety valves, and all connecting pipelines and valves up to the isolation valves to RCS. For CPR1000 nuclear power plants, the logical criteria related to the state of the RCS barrier based on state functions are shown in Figure 3.
For potential loss of RCS barrier, the following initial conditions are identified:
(1) Degradation of WR (P, T) due to overcooling: It is characterized by ΔTsat > 140°C and represents a severe overcooling condition which may occur after a steam line break with safety injection in service. In this condition, high risk of pressurized thermal shock on the reactor pressure vessel may lead to its brittle fracture and threaten the integrity of the RCS barrier.
can only cover the operation modes that residual heat removal system (RHRS) is not connected; for the lower operation modes with RHRS connected, the setpoint pressure of safety valves on RHRS
(4) Leakage on RCS: It can be detected by a leak balance test performed by operators. If the leakage is high enough to actuate automatic reactor trip, it means that the leakage is so severe that actuation of the reactor protection system is required; this scale of leakage on RCS is then considered as an initial condition of potential loss of RCS barrier. Similarly, if an SG is radioactive due to leakage on the U-tube, resulting in degradation of INT S, and consequently automatic reactor trip is actuated, the condition is also regarded as potential loss of RCS barrier.
For loss of RCS barrier, the following initial conditions are identified:
(1) Slight degradation of INT E due to high dose rate in containment: If slight degradation of containment is caused by slightly high dose rate in containment, it means that a certain scale of mass and energy release into containment is ongoing, which indicates the integrity of RCS has been lost. 0.02 Gy/h is chosen as the threshold of the slightly high dose rate, which corresponds to an instantaneous release of all reactor coolant mass into the containment assuming that reactor coolant activity equals 37 GBq/t dose equivalent I-131.
(2) Break on RCS: Thanks to all the available parameters such as RPVL, ΔTsat, and pressurizer water level, a break on RCS can be detected by operators; if the break is large enough to actuate engineered safety features such as safety injection, then this scale of break on RCS is considered as an initial condition of loss of RCS barrier. Similarly, if an SG is radioactive due to rupture of the U-tube, resulting in degradation of INT S, and consequently safety injection is actuated, the condition is also regarded as loss of RCS barrier.

Containment Barrier.
The containment barrier consists of the containment structure, containment isolation valves, and their upstream components, as well as the isolation valves on main steam lines and feedwater lines and their upstream components. For CPR1000 nuclear plants, the logical criteria related to the state of the containment barrier based on state functions are shown in Figure 4.
For potential loss of containment barrier, the following initial conditions are identified:
(1) Degradation of INT E due to high Pcont concurrent with failure of the containment spray system: If degradation of containment is caused by high containment pressure, it means that there is a large-scale mass and energy release in containment and containment spray is requested. 0.24 MPa, which corresponds to the setpoint pressure of containment spray automatic action, is chosen as the threshold of high Pcont. Due to the failure of containment spray, the heat continually accumulated in containment cannot be effectively removed and it may threaten the integrity of the containment.
(2) Pcont > limit pressure: If containment pressure is higher than 0.52 MPa, which is the designed limit pressure of containment, the integrity of containment will be aggressively challenged.
(3) SAMG criteria: This is synthesized information, which includes (A) the temperature criterion T RIC > 650°C, which means that the upper half of the fuel assemblies has been uncovered and nearly all the primary coolant has been released into containment; (B) hydrogen concentration exceeding 4%, which means that hydrogen accumulated in containment has exceeded the minimum explosion concentration and there is a risk of hydrogen deflagration threatening the integrity of containment; (C) DRcont higher than the SA dose rate curve as shown in Figure 5, which means that a considerable proportion of fuel clad has failed (about 10%∼20%). In this condition, the fuel clad barrier and the RCS barrier must have been lost, and a major release of radioactive substances requiring off-site protective actions is anticipated (IAEA [20]); it is therefore prudent to take this condition as potential loss of containment barrier.
For loss of containment barrier, the following initial conditions are identified:
(1) Degradation of INT S due to SG radioactive and failure of the radioactive SG isolation: A leak or rupture of a U-tube in an SG will make the SG radioactive; after identifying the radioactive SG, the operator will try to totally isolate it on both the water side and the steam side following the guidance of SOP. Failure of the radioactive SG isolation means that there is a path for radioactive substances from RCS to discharge into the environment, and this condition is regarded as a typical example of loss of containment barrier.
(2) Failure of containment isolation: Actuation of containment isolation means that a considerable mass and energy release into the containment is expected following a break on the primary side or secondary side, and isolation of containment is requested as soon as possible. In this condition, however, if the operator estimates that containment isolation has failed, then the containment is really bypassed and the integrity of containment is actually lost.

Construction of FPBMS
FPBMS, as an independent support system, communicates directly with level 3 of DCS, which is isolated from the terminal bus by a firewall, as shown in Figure 6. The communication is one-way: data are only transmitted to FPBMS from level 3 of DCS, and FPBMS never sends any data to DCS, so as to avoid any unpredictable and adverse impact on the operation of DCS.

Signal Acquisition and Processing.
The input data obtained from DCS include the status of state functions themselves, parameters relative to state functions, and important signals (such as reactor trip signal and safety injection signal) as well as several critical instrument parameters; all these data are necessary for FPBMS to diagnose the status of FPBs.
As for instrument parameters, redundant signals are obtained from DCS and are processed in FPBMS to improve the robustness of the system. Taking P RCS as an example, four P RCS signals, individually assigned in four independent protection groups of the reactor protection system, along with their availability status are acquired by FPBMS, and then the maximum value of these signals is chosen as the representative P RCS value after eliminating invalid signals.
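The redundant-signal selection described above, combined with the fuel clad criteria from the Fuel Clad Barrier section, as an added Python example (not the FPBMS implementation or code from the paper). The function and field names, the value of ε, the handling of an unavailable reading, and the use of the maximum-of-valid-signals rule for T RIC are assumptions; the paper describes that rule only for P RCS.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class BarrierState(Enum):
    INTACT = 0
    POTENTIAL_LOSS = 1
    LOSS = 2


def representative(channels: Sequence[Tuple[float, bool]]) -> Optional[float]:
    """Maximum of the valid redundant channels, each given as (value, available).

    Returns None when every channel is invalid, so missing data is never
    mistaken for a healthy reading (assumed behaviour, not from the paper).
    """
    valid = [value for value, available in channels if available]
    return max(valid) if valid else None


@dataclass
class FuelCladInputs:
    ie_p_degraded: bool           # IE P: RPVL below the top of the core
    ie_s_degraded: bool           # IE S: L SG WR < -3 m
    delta_tsat: Optional[float]   # degC, subcooling margin at core outlet
    t_ric: Optional[float]        # degC
    int_e_severe_high_dose: bool  # INT E severely degraded by containment dose rate


def fuel_clad_state(x: FuelCladInputs, epsilon: float) -> Tuple[BarrierState, List[str]]:
    """Return the barrier state and the conditions that produced it."""
    loss, potential, notes = [], [], []
    if x.t_ric is None:
        notes.append("T RIC unavailable: criterion not evaluated")
    elif x.t_ric > 650.0:
        loss.append("T RIC > 650 degC")
    if x.int_e_severe_high_dose:
        loss.append("INT E severe degradation (high dose rate in containment)")
    if x.ie_p_degraded:
        potential.append("IE P degraded")
    if x.delta_tsat is None:
        notes.append("dTsat unavailable: criterion not evaluated")
    elif x.delta_tsat < -epsilon:
        potential.append("WR (P, T) degraded by overheating (dTsat < -epsilon)")
    if x.ie_s_degraded:
        potential.append("IE S degraded")
    if loss:
        return BarrierState.LOSS, loss + potential + notes
    if potential:
        return BarrierState.POTENTIAL_LOSS, potential + notes
    return BarrierState.INTACT, notes


# Constructed sample: four redundant T RIC channels, one flagged unavailable.
SAMPLE_T_RIC = [(612.0, True), (655.5, True), (1200.0, False), (640.2, True)]
EPSILON = 5.0  # placeholder; the paper gives no numeric value for epsilon


def demo() -> Tuple[BarrierState, List[str]]:
    x = FuelCladInputs(ie_p_degraded=False, ie_s_degraded=True, delta_tsat=12.0,
                       t_ric=representative(SAMPLE_T_RIC),
                       int_e_severe_high_dose=False)
    return fuel_clad_state(x, EPSILON)


if __name__ == "__main__":
    state, reasons = demo()
    print(state.name, reasons)
```

Returning the triggering conditions alongside the state keeps each indication traceable to its source, and the invalid channel reading 1200.0 is discarded before the maximum is taken.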

Human-Machine Interface.
In FPBMS, three kinds of displays are provided for human-machine interface (HMI).
(1) Monitoring display: it integrates states of state functions, parameters relative to state functions, and FPBs status on one monitoring display, as shown in Figure 7.
(2) Breakdown displays: these displays are dedicated to visualizing the logics shown in Figures 1, 3, and 4, so that emergency personnel can track the source and find out the original initial conditions.
(3) Control displays: considering that, under some complicated conditions, it is the duty of plant emergency director (PED) to judge the status of FPBs using all other available pieces of information, control displays provide an interface for PED to intervene in the logic process.
It should be noted that the judgments made by operators (such as leakage or break on RCS), which have been confirmed on SOP control displays while implementing SOP to control the reactor state, are also acquired from DCS by FPBMS.

Verification and Validation
The verification and validation (V&V) of FPBMS is carried out using the full scope simulator (FSS) of CPR1000 nuclear power plants.
The operators, human factor engineers, technical engineers, and emergency response experts are all included in the V&V team. The technical engineers are dedicated to integrating FPBMS into FSS; the operators control the reactor state following the guidance of SOP under accident scenarios simulated on FSS, with the accident scenarios chosen specifically because they may threaten the integrity of one or more FPBs; the emergency response experts focus on FPBMS and identify the technical issues during that time; and the human factor engineers concentrate on the HMI issues.
Expected results are obtained via the V&V programs on FSS. Table 2 shows the sequence and results of a Fukushima-like accident (station blackout concurrent with turbine auxiliary feedwater pump failure). FPBMS indicates potential loss of the first and second barriers at the time of exhaustion of the water inventory in SGs, which leads to degradation of IE S. Potential loss of the third barrier is indicated when Pcont is over 0.24 MPa, as containment spray fails to actuate due to power loss. FPBMS indicates RCS barrier loss when T RIC is over 650°C because pressurizer relief valves are forced open by the operator just before transferring to SAMG.
We conclude that FPBMS, though several deficiencies remain, can be regarded as a real-time system that can reliably monitor the status of FPBs during accident evolution. Loss or potential loss of the three FPBs can be dynamically indicated to help emergency response experts quickly and correctly determine the EALs. Since FSS differs somewhat from the actual reactor characteristics, further V&V is expected to be carried out on the multiplant integrated real-time monitoring platform where the real-time operating data of all CPR1000 nuclear power plants are monitored.

Conclusions and Prospects
As degradation of state functions defined in SOP substantially represents the challenges to fundamental safety functions and, in like manner, to the integrity of FPBs, for each FPB, we determine the initial conditions representing its loss or potential loss based on degradation of state functions as well as several other important parameters, by which the link between SOP and EALs is established; then, an intelligent FPBMS, aiming to dynamically monitor and indicate the status of FPBs during accident evolution, is developed, verified, and validated. The pioneering work, by building bridges between state functions and initial conditions of FPBs and then computerizing them innovatively, proves that dynamic monitoring of the status of FPBs during accident evolution and real-time indication of loss or potential loss of FPBs can be achieved, which may effectively alleviate the pressure on persons under accident conditions and effectively support decision-making on EALs after accidents.
As far as the FPBs themselves are concerned, EALs can be easily determined according to their status. In general, loss or potential loss of the fuel clad barrier or the RCS barrier will trigger "facility emergency," loss or potential loss of both will trigger "on-site emergency," and confirmed loss of two barriers together with potential loss of the third barrier will trigger "off-site emergency." However, it should be noted that recognition categories of EALs, besides FPBs, also include abnormal radiation levels (recognition category A), system malfunction (recognition category S), and hazards (recognition category H). FPBMS, as a pilot system, has proved that it is feasible to automate the decision-making process of EALs; we are looking forward to extending the function of FPBMS in further work, aiming to build an integrated intelligent EALs expert system by entirely integrating the initial conditions of all recognition categories of EALs into it.

Data Availability
The data used in this paper are part of the plant design data, which are proprietary and cannot be disclosed.

Conflicts of Interest
The authors declare that they have no conflicts of interest.