CANDU Safety Basis: Limiting & Compensating for Positive Reactivity Insertion

CANDU Safety Basis: Limiting & Compensating for Positive Reactivity Insertion Albert Lee PhD IX International School on Nuclear Power, November 14-17, 2017 - Copyright -

A world leader Founded in 1911, SNC-Lavalin is one of the leading engineering and construction groups in the world and a major player in the ownership of infrastructure. From offices in over 50 countries, SNC-Lavalin s employees provide EPC and EPCM services to clients in a variety of industry sectors, including mining and metallurgy, oil and gas, environment and water, infrastructure and clean power. SNC-Lavalin can also combine these services with its financing and operations and maintenance capabilities to provide complete end-to-end project solutions. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 2

Safety First Remember that all SNC-Lavalin meetings begin with a Health & Safety moment. Safety doesn t happen by accident. SAFETY FIRST [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 3

Outline Definition of nuclear safety CANDU overview Means of Shutdown Reactor inherent protection: Canadian and international regulatory requirements for reactor protection CANDU Safety Basis: Limiting & Compensating for Positive Reactivity Insertion Inherent and Passive Safety Features Relevance of PCR and CVR to Licensing CNSC Position Compliance of CANDU to IAEA SSR 2/1 Summary [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 4

Supplementary Information Canadian vs Poland Terminology Enhanced CANDU 6 Health and Safety Objectives Fundamental Safety Functions CANDU overview Hierarchy of Plant States Defence-in-Depth Two-Group Separation Philosophy Power Coefficient of Reactivity Coolant Density (or Void) Coefficient Void Formation Neutron Kinetics CANDU and CNSC Guidance on Nuclear Design for New Designs (US NRC GDC-11) [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 5

Definition of Nuclear Safety

Definition of Nuclear Safety IAEA definition of nuclear safety: Safety is the achievement of proper operating conditions, prevention of accidents and mitigation of accident consequences, resulting in protection of workers, the public and the environment from undue radiation hazards. For positive reactivity insertion events, safety is achieved when: There is no resultant failure of the pressure boundary Ability to cool the fuel is maintained, and Significant core damage is prevented Pressure increase due to power increase is limited to less than the failure limit of the pressure boundary Energy deposited in the fuel due to power increase does not cause fuel to lose coolable geometry Meeting above two criteria prevents significant core damage [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 7

CANDU Reactor Overview

CANDU First Design Principles Use heavy water as moderator and coolant: Benefit: Maximizes neutron economy Benefit: Allows the use of natural uranium Safety Benefit: Long prompt neutron lifetime (10-3 seconds) Circulate coolant in pressure tubes: Benefit: Allows low-pressure calandria, no need for a large pressure vessel [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 9

CANDU Reactor Assembly Fuel channels: Arranged in a lattice geometry horizontally through the heavy water moderator High pressure and temperature primary coolant in pressure tubes Separate low pressure moderator Calandria Vessel is immersed within a large volume of water in a Calandria vault Provides radiation shielding Provides a heat sink [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 10

CANDU First Design Principles Make use of on-power refuelling: Benefit: Enables use of natural uranium Benefit: Maximizes capacity factor Safety Benefit: Minimizes available core excess reactivity Use a simple, economical fuel bundle design: Benefit: Minimizes costs and makes it easy to localize fuel fabrication Benefit: Supports ease of fuel handling and flexibility of core management [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 11

CANDU Core Physics Optimized spacing of fuel channels increases the probability of fission neutrons being slowed down in the moderator volume between the fuel channels increases the probability of neutrons interacting with the fuel. This is a basic parameter of CANDU design, with the lattice size being very near the value which maximizes reactivity The value is slightly larger than the value for maximum reactivity, due to concerns in the early design days regarding the feasibility of construction with channels more closely spaced [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 13

Candu 6 Positive Reactivity CANDU 6 design basis is for near-zero Power Coefficient of Reactivity (PCR) The sign is not significant to operation or safety: only the near-zero nature CANDU 6 reactors have a positive Coolant Void Reactivity (CVR) The most significant reactivity insertion event at <1 $ is Large Loss of Coolant Accident Inherent nuclear & reactor characteristics limit, or compensate for, the range of possible reactivity insertions The long reactor period is a prompt inherent nuclear feedback characteristic that tends to compensate for a rapid increase in reactivity (and power) [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 14

Means of Shutdown Shutdown systems SDS1 and SDS2 are fully independent Execute their function in the low-pressure moderator, not in the high-pressure Heat Transport System Rod ejection not possible SDS1 and SDS2 each are fully capable to render the reactor sub-critical for normal operation, all AOOs and all DBAs (Also capable for DECs) Either SDS1 or SDS2 remains poised during Guaranteed Shutdown State SDS1 uses mechanical shutoff rods Dedicated instrumentation detect events A trip de-energizes the clutches that hold the shutoff rods The rods drop into the core by gravity, assisted by springs (passive safety feature) SDS2 injects a neutron-absorbing poison into the moderator. Dedicated instrumentation detect events A trip de-energizes solenoids that hold fast-acting valves closed Liquid poison injected into the moderator by high-pressure helium (passive safety feature) Reactor controls are separate from shutdown systems [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 15

Barriers for Prevention of Radioactive Releases EC6 design incorporates major physical barriers to the release of radioactive materials from the reactor core to the environment: Normal Operation Anticipated Operational Occurrences Design Basis Accidents Fuel matrix Fuel sheath Heat Transport System Beyond Design Basis Accidents LCDA Design Extension Conditions SCDA Conditions Practically Eliminated Calandria tubes Calandria Vessel Calandria vault Containment Legend LCDA: Limited Core Damage Accident SCDA: Severe Core Damage Accident [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 16

CANDU Safety Basis CANDU 6, like all thermal water reactors, ensures sufficient defense-in-depth for the safety case by using a combination of: Engineered safety systems and Inherent reactor characteristics to address accidents (including reactivity insertion events) This safety case, particularly the values of CVR and PCR, complies with all relevant regulatory requirements, including requirements set by IAEA SSR 2/1 & Canadian Nuclear Safety Commission [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 17

- Copyright - Reactor Inherent Protection Regulatory expectations

Inherent Nuclear Feedback Characteristics Inherent nuclear feedback characteristics are (see IAEA NS-G-1.12): Reactivity coefficients (fuel T, coolant T, moderator T, coolant density) Delayed neutron fraction (β) Prompt neutron lifetime (Λ) Reactivity effects of power redistribution (e.g. Xe efficiency, moderator density) The nature of the inherent reactor characteristics, in particular nuclear feedback characteristics, are unique for each reactor design Each reactor technology has different engineered safety features to compensate for specific characteristics These characteristics must be considered in the context of the overall safety characteristics of the plant [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 19

Reactor Neutronic Feedback These reactivity responses are involved in most of the reactor neutronic feedback: Fuel temperature coefficient Coolant temperature coefficient Moderator temperature coefficient Coolant density coefficient Moderator/Coolant isotopic purity coefficient Moderator poison coefficient Power Coefficient of Reactivity (PCR) Power Coefficient of Reactivity (PCR) Recall that inherent nuclear feedback characteristics also include the prompt neutron lifetime (Λ) and the delayed neutron fraction (β), so consideration must be given to more than just the coefficients Note: reactivity (ρ) is generally expressed in mk, but occasionally in $. The reactivity of a system is $1 if ρ = β. In a PWR, this is between ~7.3 mk (BOC) & ~4.4 mk (EOC). In a CANDU 6 during normal operation, β is ~5.4 mk. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 20

Inherent Reactor Characteristics: Limits to the net effect of Reactivity Feedback CANDU s prompt neutron lifetime, Λ p, is 30-45 times longer than that for a PWR This inherent CANDU safety benefit means that the net effect (i.e., the power transient ) for accidents with significant reactivity insertion tends to be compensated, although differently than it is in a PWR When a PWR exceeds the prompt critical threshold in certain accidents, the period decreases sharply and so the resulting power transient is very fast in CANDU the decrease in period would be much less However, CANDU 6 does not exceed prompt critical in its limiting accident Therefore, the prompt inherent nuclear feedback characteristic of a long neutron lifetime keeps the reactor period for CANDU in the order of seconds, slowing down the power transient such that shutdown system action can be effective in providing the control safety function. Note that all CANDU safety analysis results credit shutdown by the least effective of the two independent fast acting shutdown systems, and on the 2 nd back-up trip (i.e., the fourth trip overall is credited). [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 21

- Copyright - CANDU Safety Basis Limiting & Compensating for Positive Reactivity Insertion

Limiting & Compensating for Positive Reactivity Insertion Underlying safety concern: CANDU reactors inject positive reactivity during loss of coolant accidents (i.e., positive CVR) Reactivity excursions should not cause failure of the reactor pressure boundary, should maintain cooling capability, and avoid significant damage to the reactor core Safety criterion: Maintain fuel enthalpy and coolable geometry during reactivity insertion accidents to less than value needed for fuel melting Avoid failure of the reactor pressure boundary [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 24

CANDU Safety Design Basis Inherent safety: Long prompt neutron lifetime Inherent safety: Minimal excess reactivity Engineered safety: Rodejection events not possible Engineered Safety: Two independent passive shutdown systems Use of D 2 O for neutron moderation results in neutron lifetimes (~900 µs) more than an order of magnitude longer than that of LWRs reactor control and shutdown are inherently easier to perform Inverse reactor period representative of speed of power increase versus speed of insertion of shutdown rods (or other poison injection): (ρ β)/λ On-line refuelling reduces the excess reactivity level needed for reactor operation Reactor characteristics are constant Additional reactivity control measures not typically needed for refueling Peak reactivity in any design basis accident is less than β Reactivity control devices cannot be ejected by high pressure because they are in the low-pressure moderator and do not penetrate the reactor coolant pressure boundary (Hence, practically eliminated ) SDS1 inserts mechanical absorber rods via gravity with spring assisted acceleration SDS2 injects liquid poison into the moderator via pressurized accumulator tanks Failure to shut down is practically eliminated [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 25

Limiting & Compensating for Positive Reactivity Insertion Engineered Shutdown -ve PCR Λ Event -ve Reactivity τ +ve Reactivity -ve Reactivity Event: +8$ S/D: -6$ PCR: -2$ Λ: 18.4 μs β: 0.0044 τ Event Λ +ve Engineered Shutdown -ve Reactivity Event: +<1$ S/D 1: -8$ S/D 2: ->30$ Λ: 900 μs β: 0.0054 PWR Limiting Reactivity Insertion CANDU Limiting Reactivity Insertion [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 26

1.2 Fuel Melting Region 1.0 AP-1000 Rod Ejection EPR Main Steam Line Break 0.8 CANDU 6 LOCA 0.6 EC6 (NU) LOCA 0.4 TMI MSLB ESBWR Turbine Trip AP-1000 Low Power Rod Ejection 0.2 Prompt Criticality Region 0.0 0.0 0.5 1.0 1.5 2.0 [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 27

Considerations of PCR and CVR for Licensing

CNSC Position on CVR and PCR Canadian Nuclear Safety Commission (CNSC) Technical Note on Positive coolant void reactivity feedback phenomenon in currently operating CANDU reactors issued in July 14, 2009: Notes design provisions of inherent safety features (long neutron lifetime) and engineered safety features such as shutdown systems, multiple barriers to release and the Emergency Core Cooling system. CNSC Mythbusters statement on PCR: The power coefficient of reactivity of CANDU reactors does not pose a significant risk. Consistent with Canadian nuclear safety requirements, nuclear power plants must have an appropriate combination of inherent and engineered safety features incorporated into the design of the reactor safety and control systems. A reactor design that has a positive power coefficient of reactivity is quite acceptable provided that the reactor is stable against power fluctuations, and that the probability and consequences of any potential accidents that would be aggravated by a positive reactivity feedback are maintained within CNSC-prescribed limits. These are known safety issues that have long been addressed by the CNSC s regulatory and safety regime. CNSC REGDOC 2.5.2 on Design of Reactor Facilities: Nuclear Power Plants No specific requirements on sign or magnitude of PCR. Design must demonstrate acceptable control, stability and safety. Designs with positive PCR are required to ensure a bounding value is used in these demonstrations. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 29

Compliance of CANDU to IAEA SSR 2/1 Clause 6.6 Clause 6.6: The maximum degree of positive reactivity and its rate of increase by insertion in operational states and accident conditions not involving degradation of the reactor core shall be limited or compensated for to prevent any resultant failure of the pressure boundary of the reactor coolant systems, to maintain the capability for cooling and to prevent any significant damage to the reactor core. This is met in all reactor designs through a mix of inherent characteristics and engineered safety systems, including shutdown systems. In LWR, the inherent negative Doppler coefficient limits and compensates for the effects of short reactor period and the relatively fast and/or large possible positive reactivity insertion so that engineered shutdown and other safety systems can act to prevent damage to the reactor. In CANDU, the inherent long reactor period and relatively slow and small possible positive reactivity insertion combine to limit and compensate for the effects of positive reactivity coefficients so that engineered shutdown and other safety systems can act to prevent damage to the reactor. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 30

LWR Protection Against Reactivity Insertion Threat Potential for escalation in power levels that could threaten the core due to very short prompt neutron lifetime and large size of reactivity coefficients Inherent reactor design characteristic includes rod ejection Some events (e.g. rod ejection, MSLB) result in very large and/or very fast reactivity insertion Protection Inherent reactor design limits rate and delays timing of reactivity insertion for MSLB Large negative PCR tends to compensate for large reactivity insertion even at rod ejection timeframes, limiting the magnitude of the power transient Engineered safety systems (including shutdown system) are able to act effectively Result: no resultant failure of the pressure boundary, ability to cool maintained, prevention of significant core damage [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 31

CANDU Protection Against Reactivity Insertion Threat Potential for escalation in power levels that could threaten the core due to positive coolant void reactivity feedback Some events (e.g. Large LOCA, Loss of Regulation) result in void formation and hence reactivity insertion Protection Inherent reactor design limits rate and magnitude of reactivity insertion Long prompt neutron lifetime tends to compensate for increased reactivity by maintaining a slow time constant for the event, limiting the magnitude of the power transient Engineered safety systems (including shutdown systems) are able to act effectively Result: no resultant failure of the pressure boundary, ability to cool maintained, prevention of significant core damage [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 32

Summary CANDU safety design basis for positive reactivity insertion events: CANDU design basis is for near-zero PCR near full power The sign is not significant to operation or safety CANDU has a positive void coefficient The most significant reactivity event is thus Large LOCA Has a combination of inherent and passive safety features and engineered safety systems Inherent safety characteristic Passive Safety features Engineered safety features Long prompt neutron lifetime leading to long reactor period during positive reactivity insertion accidents SDS1 rods drop into core by gravity, assisted by springs SDS2 liquid poison injected into moderator by highpressure helium SDS1 uses dedicated instrumentation to detect events and trip de-energizes the clutches that hold the shutoff rods SDS2 uses dedicated instrumentation to detect events and trip de-energizes solenoids that hold fast-acting valves closed [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 33

Summary CANDU safety design basis for positive reactivity insertion events: Safety is achieved by: There is no resultant failure of the pressure boundary Ability to cool the fuel is maintained, and Significant core damage is prevented Shutdown systems act to limit power increase such that pressure increase is much less than the failure limit of the pressure boundary Shutdown systems act to limit energy deposited in the fuel due to power increase such that fuel maintains coolable geometry Heat removal systems maintain fuel cooling Shutdown systems and heat removal systems maintain reactor in a long term safe shutdown condition [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 34

DISCUSSION 35

CANDU RELATED PUBLICATIONS and CONTACTS For CANDU related publications and selected past presentations please refer to SCN Lavalin Nuclear URL site dedicated to IX International School of Nuclear Power: www.snclavalin.com/en/media/events/2017/school-of-nuclear.aspx If you have any additional questions please feel free to contact: Albert Lee Phd at Albert.Lee@snclavalin.com (English) or Jerzy Parkitny at Jerzy.Parkitny@snclavalin.com (English and Polish) [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 36

- Copyright - Supplementary Information

- Copyright - Canadian vs Polish Terminology

Canadian vs Polish Safety Classification Terminology Canadian approach Systems Important to Safety Safety Systems (includes detection, initiation & protection) Safety Support Systems Other SSCs whose failure may lead to safety concerns Complementary design features Safety Systems Protection System Safety actuation system Safety system support features Safety-Related Systems [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 39

Enhanced CANDU 6 Health and Safety Objectives

Protect the Public Against Radioactive Releases The following Safety and Health Objectives provide a basis for the EC6 reactor design: Individual Early Fatality Risk should be less than 1 in 1,000,000 years per station for the average member of critical group most at risk. Individual Delayed Fatality Risk should be less than 1 in 100,000 years per station for the average member of critical group most at risk. Quantitative Health Objectives Incremental contribution to public health risk from nuclear accidents should be less than 1% of background cancer risk. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 41

Protect the Public Against Radioactive Releases Based on the Safety and Health Objectives, quantitative safety goals are used to assess the EC6 design: Small Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10 15 Bq of iodine-131 is less than 10-5 per reactor year. A greater release may require temporary evacuation of the local population. Large Release Frequency : The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10 14 Bq of cesium-137 (i.e., the LRF threshold) is less than 10-6 per reactor year. A greater release may require long term relocation of the local population. These safety goals measure the accident mitigation capabilities and the risk to society and the environment from plant operation [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 42

- Copyright - CANDU Overview Additional Information

CANDU: A Proven Technology 48 CANDU and CANDU-type reactors operable worldwide Excellent, long operational safety record On time and on budget international project delivery The EC6 is an incremental development of the CANDU 6, which is a reliable, long lifetime, high output reactor EC6 is a Generation III reactor that has completed Canadian Prelicensing Design Review and is ready for deployment [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 44

CANDU 6 Major Features A CANDU 6 reactor is a horizontal pressure-tube reactor, D 2 O- moderated and D 2 O-cooled using natural uranium fuel. Key CANDU Features: Modular horizontal fuel channels Simple, economical fuel bundle design Separate, low temperature, low pressure heavy water moderator Safety features: Two independent passivelydriven safety shutdown systems Water-filled reactor vault On-power fuelling Reactor building access for onpower maintenance [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 46

CANDU 37-Element Fuel Bundle 380 channels x 12 bundles = 4560 bundles Each bundle stays in the core for ~1 year on average Average energy generated by each bundle = 4000 MW h [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 47

CANDU Reactor Assembly Fuel channels are arranged in a lattice geometry and run horizontally through the heavy water moderator. High pressure and temperature primary coolant is separated from the cool, low pressure moderator by two concentric tubes; a pressure tube inside a calandria tube, with the interspace filled by CO2 for thermal isolation. The Calandria Vessel is suspended within a large volume of water in a Calandria vault, which normally acts as a biological shield, and is normally circulated and actively cooled to remove the generated heat. - Copyright- [2017] SNC-Lavalin Inc. and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 48

CANDU Performance The true measure of a reactor s efficiency is uranium utilization the amount of uranium from the ground needed to produce a certain amount of energy. The use of heavy water as coolant and moderator, together with the selected lattice geometry, give CANDU reactors a high uranium utilization. High uranium utilization, no need to enrich, and simple fuel bundle result in a small refueling cost component. A typical PWR using 4.7 wt% enriched fuel and achieving an average exit burnup of 51 MW d/kg(u) is achieving a uranium utilization of ~4.75 MW d/kg(nu) (0.3 wt% tails) A standard CANDU 6 achieves ~7.5 MW d/kg(u) = 7.5 MW d/kg(nu), ~60% better than the PWR number This will vary for different fuel types. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 50

CANDU 6 On-Line Fuelling Twelve fuel bundles are installed in each of the 380 fuel channels in a CANDU 6 reactor. During normal operation heavy water coolant flows through each channel and through the fuel bundles to remove nuclear heat which is carried to the steam generator. During refuelling, two fuelling machines connect to opposite ends of a fuel channel; one machine delivers new fuel, the machine at the opposite end receives the spent fuel. During the refuelling process, flow through the fuel channel is uninterrupted, allowing the refuelling process to be performed at power. The capability to perform refueling at power is a unique feature of the CANDU reactor. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 51

Refuelling Schemes For efficient utilization of the uranium, each fuel bundle is replaced when the uranium it contains has been burned up to an optimum value. Since the rate of uranium burn-up varies, depending on the location of each bundle in the reactor, a few bundles are replaced each day as they reach their optimum burn-up, instead of replacing all the fuel bundles in one batch (as in a PWR). In the reference CANDU 6, eight bundles from the selected channel are replaced at a time, and approximately 14 channels are fuelled per week. The frequency of fuel changing and the number of fuel bundles to be replaced at a time will differ for varying fuel compositions. Channels are not refuelled in a rigorously defined sequence, but are selected for refuelling based on instantaneous, daily information about the core power and irradiation distributions. Refuelling is thus a means of controlling the reactor power shape over time as well as of managing core reactivity [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 52

Fundamental Safety Functions Fundamental Safety Functions Control of reactivity Removal of heat from the fuel Core Other Systems Important to Safety Reactor Regulating System Moderator Poison System Heat Transport System Feedwater System Auxilliary Feedwater System Shutdown Cooling System Enhanced CANDU 6 Systems Safety Systems Shutdown System 1 Shutdown System 2 Emergency Core Cooling System Emergency Heat Removal System Complementary Design Features Severe Accident Recovery Heat Removal System Mobile water make-up Spent Fuel Bay Spent Fuel Bay Cooling System Spent Fuel Bay make-up Mobile water make-up Confinement of radioactive material Shielding against radiation Control of operational discharges and hazardous substances, as well as limitation of accidental releases Monitoring of safety-critical parameters to guide operator actions All process systems containing radioactive substances Reactor Building Service Building Spent Fuel Bay Pool All process systems containing radioactive substances Reactor Regulating System Safety Monitoring System Main Control Room Technical Support Centre Secondary Control Room Emergency Response Centre Containment Containment Containment Shutdown System 1 Shutdown System 2 Containment Igniters and PARs Containment Spent Fuel Bay Pool Emergency Containment Filtered Venting System Safety Monitoring System Secondary Control Room Emergency Response Centre Mobile power supplies Portable instruments [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 53

Level 1 Defence-in-Depth Plant State Normal Operation Event Freq. (yr -1 ) 2 AOO >10-2 3 DBA 10-2 - 10-5 4 5 DEC (LCDA) DEC (SCDA) 1 <10-5 <10-6 Objective Prevent deviations from normal operation, and to prevent failures of structures, systems, and components Intercept deviations from normal operation in order to prevent AOOs from escalating to accident conditions, and to return the plant to a state of normal operation Minimize the consequences of accidents by providing inherent safety features, failsafe design, additional equipment, and mitigating procedures Prevent accident progression and ensure that radioactive release caused by severe accidents are kept as low as practicable Mitigate the radiological consequences of potential releases of radioactive materials that may result from accident conditions Essential Means Conservative design High quality in construction and operation Process & control systems Reactor Regulating System setback and stepback functions Safety Systems Emergency Operating Procedures Complementary Design Features SAMGs Off-site emergency response [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 54

Two-Group Separation Philosophy Used in all CANDU 6 reactors Ensures a high degree of independence between normally operating process systems, safety systems and safety support systems Includes physical separation, functional independence, and redundancy in how fundamental safety functions are provided Redundancy and separation is also provided within each group Allocating systems to Group 1 or Group 2 is based on the various event sequences and the overall plant responses to these events Creates two functionally and physically independent pathways for providing the fundamental safety functions Failure of a safety function in one group can be mitigated by the other group Enhances defence-in-depth Contributes to achieving nuclear safety objectives [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 56

Two-Group Separation Philosophy Group 1 Normally operating process systems (e.g., HTS, Moderator System, RRS, etc.) Safety Systems SDS1, ECCS Safety Support Systems (e.g., Class IV and Class III power, Main Control Room, etc.) See Note Group 2 Safety Systems SDS2, EHRS, Containment Safety Support Systems (e.g., EPS, Secondary Control Room, etc.) SARHRS *Note: Examples of interconnection between Groups a) Group 1 Support Services to Group 2 during Normal Operation (and AOOs) b) Group 2 Support Services to Group 1 during Accident Conditions c) Group 1 Support Services to Group 2 during Accident Conditions [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 57

Power Coefficient of Reactivity

Power Coefficient Power Coefficient of Reactivity (PCR) -- Overall parameter expressing the combined effect of all short-term reactivity changes as reactor power is varied around an operating point. Not a prompt feedback. Defined as change in reactivity per unit increase in reactor power with a fixed core configuration Expressed in mk/%fp (or pcm/%fp: 1 mk/%fp = 100 pcm/%fp) Dependent on operating conditions such as fuel burnup, fuel and coolant temperatures, extent of coolant boiling / subcooling etc. Dependent on reactor power level In CANDU, the moderator temperature coefficient has a negligible contribution, so PCR is driven by fuel, coolant temperature & coolant density feedbacks: PPP = = T F T F P + T C T C P + D C D C P [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 59

Power Coefficient In CANDU 6 reactors, the design basis is for a near-zero PCR value: Sign is not a part of that basis The following table gives values of PCR calculated with the current physics toolset, not including bias or uncertainty: Reactor Power (%FP) PCR (mk/%fp) 95 +0.0154 105 +0.0204 115 +0.0517 125 +0.0856 Note that PCR is so small that the design uses Liquid Zone Controllers alone to make small and continuous adjustments to maintain a constant power No need to use absorber rods or soluble poison to manage daily reactivity changes [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 60

Coolant Density (or Void) Coefficient of Reactivity

Coolant Density (or Void) Coefficient Coolant Density Coefficient (CDC): Defined as change in reactivity due to change in coolant density Expressed in mk/(g/cm 3 ) when stated as a void coefficient for saturated coolant, mk/%void Dependent on operating conditions such as fuel burnup, fuel and coolant temperatures, extent of coolant boiling /subcooling etc. In CANDU, coolant void coefficient is positive at about 0.13 mk/%void at equilibrium conditions. The coolant density coefficient is slower than the fuel temperature coefficient, with the timescale being set by heat transfer to the coolant (seconds relevant to Loss of Regulation) or by depressurization (tenths of seconds relevant to Large LOCA). [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 62

Design of Core and Coolant Systems The design of the core and associated coolant systems is important in the context of understanding the implication of reactivity coefficients as it establishes inherent characteristics important to the overall behaviour. In LWR reactors, the design of the core and coolant systems is such that it is possible to have a large increase in reactivity (rod ejection or main steam line break), sometimes very quickly (rod ejection). In CANDU reactors, the design of the core and coolant systems is such that the largest reactivity increase (Large LOCA) is slower and smaller in magnitude. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 63

Coolant Void Reactivity Coolant Void Reactivity (CVR) is a figure of merit related to the potential effect of the negative coolant density coefficient: Defined as the change in reactivity due to change from normal operation to a hypothetical state of 100% coolant voiding. Expressed in mk (or $) Dependent on operating conditions such as fuel burnup In CANDU, CVR is positive and ~15 mk (or ~3 $) at equilibrium conditions. As discussed in the next slide, actual reactivity insertion in Large LOCA is significantly less than this. An analogy to this for a PWR might be a Moderator Temperature Reactivity which would be the change in reactivity due to a change from normal coolant temperature to 40 C (-0.6 mk/ C * -265 C +160 mk). Similar to rod ejection or MSLB in a PWR, a Large LOCA is the limiting positive reactivity transient in a CANDU. In order to ensure that a Large LOCA does not result in core damage, the resulting power transient must be limited or compensated for sufficiently by inherent reactor characteristics that engineered safety systems can fulfil their function. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 64

Inherent Reactor Characteristics: Limits to the rate & magnitude of Void Formation The rate of void formation is limited by the inertia of the fluid in the fuel channels, by break size and by break opening time. Note that in safety analysis, break sizes up to 100% guillotine rupture of the largest pipe or header and instantaneous break opening times are conservatively assumed. For most CANDUs, including CANDU 6, the Heat Transport System (HTS) is divided into two independent loops, connected through the common pressurizer. Therefore: Only one loop can lose significant amounts of coolant rapidly. Only the channels downstream of the break can void quickly (figure-of-eight circuit). Hence ~¼ of the core voids rapidly. Void reactivity insertion is < 1$ for the limiting accident in a CANDU 6 (Large LOCA), even in the conservative safety analysis. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 65

CANDU and CNSC Guidance on Nuclear Design for New Designs (also US NRC GDC- 11)

CNSC REGDOC-2.5.2 The CNSC has published REGDOC-2.5.2, Design of Reactor Facilities: Nuclear Power Plants Provides requirements and guidance for new licence applications for NPPs In the section on design of the reactor core, the CNSC provided guidance on nuclear design as follows: The design of the reactor core and associated coolant and fuel systems should take into account all practical means so that, in the power operating range, the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity and power. The consequences of those accidents that would be aggravated by a positive reactivity feedback should be either acceptable, or be satisfactorily mitigated by other design features. This is aligned with IAEA SSR-2/1 Requirement 45 clause 6.6 The CNSC guidance is a close adaptation of one of the US NRC s General Design Criteria: GDC 11 Criterion 11 Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 68

Some Background on US NRC GDC 11 The US NRC developed a suite of General Design Criteria over the period 1965 to 1971. Based on NRC experience in licensing LWRs in the US However, they are considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units. Still, there may be water-cooled nuclear power units for which fulfillment of some of the General Design Criteria may not be necessary or appropriate. One of these criteria, GDC 11, is considered to be satisfied in light water reactors (LWRs) by the existence of the Doppler and negative power coefficients. (NUREG-0800). The US NRC has never said how PHWRs (such as CANDU) might satisfy this criterion, as the US NRC has never considered a CANDU licence application. However, there is an indication that CANDU s positive CVR would not be a regulatory barrier from a US NRC review performed in the early 1990 s: this is documented in SECY-93-092, discussed later [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 69

Implications of & Compliance with GDC 11 GDC 11: Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity. This requirement calls for incorporation of some degree ( tends to compensate ) of protection from inherent nuclear feedback characteristics, but existing reactor designs all require engineered safety systems in addition to this. In LWR, the negative Doppler coefficient is the inherent nuclear feedback characteristic that tends to compensate for the net effect of the short reactor period and the relatively fast and/or large possible positive reactivity injection so that engineered shutdown & other safety systems can act to prevent damage to the reactor. In CANDU, the long reactor period is the inherent nuclear feedback characteristic that tends to compensate for the net effect of the relatively slow and small possible positive reactivity injection so that engineered shutdown & other safety systems can act to prevent damage to the reactor. [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 70

LWR Inherent Protection in Overall Response Threat Potential for escalation in power levels that could threaten the core due to very short prompt neutron lifetime and large size of reactivity coefficients Inherent reactor design characteristic includes rod ejection Some events (e.g. rod ejection, MSLB) result in very large and/or very fast reactivity insertion Protection Inherent reactor design limits rate of reactivity insertion for MSLB Large negative PCR tends to compensate for large reactivity insertion even at rod ejection timeframes, limiting the magnitude of the power transient Engineered safety systems (including shutdown system) are able to act effectively Result: inherent protection contributes to resultant protection of the pressure boundary, maintenance of ability to cool, and prevention of significant core damage [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 71

CANDU Inherent Protection in Overall Response Threat Potential for escalation in power levels that could threaten the core due to positive coolant void reactivity feedback Some events (e.g. Large LOCA, Loss of Regulation) result in void formation and hence reactivity insertion Protection Inherent reactor design limits rate and magnitude of reactivity insertion Long prompt neutron lifetime tends to compensate for increased reactivity by maintaining a slow time constant for the event, limiting the magnitude of the power transient Engineered safety systems (including shutdown systems) are able to act effectively Result: inherent protection contributes to resultant protection of the pressure boundary, maintenance of ability to cool, and prevention of significant core damage [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 72

SECY-93-092 In 1993, SECY-93-092 was issued, in which NRC gave preliminary consideration to the licensability of a CANDU-type reactor with positive CVR. This report stated that a positive void coefficient should not necessarily disqualify a reactor design. The document indicated a license application in the US should include analysis of events (such as ATWS, unscrammed LOCAs, delayed scrams and transients affecting reactivity control) that could lead to core damage as a result of the positive void coefficients, such analysis to take into account the overall risk perspective of the designs. This could imply a regulatory expectation that safety analysis in support of a license application include the following: Consideration of AOO events (& perhaps also of DBAs) without scram (i.e. in which one shutdown system does not operate) Including void reactivity feedback in LOPR & Large LOCA events Consideration in PSA of event sequences involving failure to trip on both shutdown systems, subject to probability-based screening The safety case for CANDU reactors already includes all of the above and demonstrates acceptable consequences [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 73

Values that guide us Our values keep us anchored and on track. They speak to how we run our business, how we express ourselves as a group, and how we engage with our stakeholders and inspire their trust. Teamwork & excellence We re innovative, collaborative, competent and visionary. Customer focus Our business exists to serve and add long-term value to our customers organizations. Strong investor return We seek to reward our investors trust by delivering competitive returns. Health & safety, security and environment We have a responsibility to protect everyone who comes into contact with our organization and the environment we work in. Ethics & compliance We re committed to ethical business. Respect Our actions consistently demonstrate respect toward our stakeholders. - Copyright - [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 74