Nuclear Safety

Jacopo Buongiorno

Associa t e Pr of essor of Nuc l ear Science and Engineering

22.06 : Engineering of Nuclear Systems

Hazard

A very large inventory of radioactive fission products

(>GCi/t U ) ,

s ome w ith long half - life (>years)

R a d i o n u c l i d e c o n t e n t o f r e p r e s e n t a t i v e L W R s p e n t f u e l a t d i s c h a r g e a n d 1 8 0 d a y s o f r e p r e s e n t a t i v e L M F B R f u e l a t d i s c h a r g e a n d 3 0 d a y s

A c t i v i t y , C i / t m e t a l

L W R f u e l L M F B R f u e l

3 H

8 5 K r

8 9 S r

9 0 S r

9 0 Y

9 1 Y

9 5 Z r

9 5 N b

9 9 M o

9 9 m T c 9 9 T c

Overarching O bjective of Nuclear Safety

Protect staff, public and environment

Preven t uncontrolle d releas e o f radioactivit y fro m p lant

I mp l emen t a ti on

- H eat removal

- D efense-in-depth:

• Physical barriers

• Design, construction and operation

Heat Removal

 98% of all fission products are retained in the fuel pellet unless t he fuel melts

It is important to keep the fuel “cool” under all modes of normal o p eration:

1) Power mode (steady-state): fission energy generates steam which releases energy in turbine and condenser

2) Shutdown mode (turbine not available): decay heat generates steam, which is dumped directly into con d enser (PWR an d BWR) or a t mosp h ere ( on l y PWR)

3) Refueling mode: fuel is kept under water and decay heat is removed by residual heat removal system (RHRS)

Defense - in - Depth (physical barriers)

There exist multiple physical barriers between the source of radioactivity (the fission products) and the environment/public. The most important barriers are:

1 ) Fuel p ellet: it retains most solid fission p roducts.

2) Cladding: it retains all fission products (gaseous included).

3) Reactor c oolant system: robust h igh - pressure system of pipes + vessel. Most fission products are soluble in coolant and/or deposit on cold surfaces of pipes.

4) Containment: seal tight system is the ultimate barrier to radioactivity release, even if all previous barriers have failed .

D e f e n se -in-D ep th ( desi g n , construction and o p eration )

The concept of defense-of-depth extends to nuclear plant design, construction and operation.

Emphasis is on prevention, protection and mitigation .

1) Prevention. Minimize causes of failures/accidents before they occur:

- D esign reactor with inherent safety features (e.g. negative mo d era t o r , coo l an t an d f ue l reac ti v it y coe ff i c i en t s ) an d margins to failure (e.g. MDNBR>1.3)

- Use o f c hemically compatible materials ( e.g. no graphite and water in core)

- Q uality assurance in component manufacturing and construction (“N-stamp”)

- T horough training of operators + conservative operation

Defense - in - Depth (design ,

c onstruction and operation) (2)

2) Protection. Reactor protection system:

- M onitors plant conditions (e.g. measures temperature, pressure, flo w , powe r , radiation levels)

- R ecognizes precursors to transients/accidents

- A ctuates scram and safet y s y stems

3) Mitigation. When accidents do occu r , mitigate consequences using:

- E ngineered safety systems

- E mergency plan/evacuation

Desi g n-Basis Accident Classification

Undercooling: decrease in secondary-side heat removal (e . g . loss of condenser cooling water)

Overcooling: increase in secondary-side heat

removal ( e . g . loss of feedwater heating)

Overfilling: increase in reactor coolant inventory

(e . g . m ismatch between feedwater and steam flow

in BWR)

Loss o f flow: decrease i n c ore flow r ate ( e.g. trip of reactor pumps)

Loss of coolant: decrease of reactor coolant inventory (e.g. break of primary system pipe)

Desi g n-Basis Accident Classification ( 2 )

Reactivity insertion: uncontrolled insertion of positive

reactivity (e . g . r od drop in BWR)

Anticipated Transients Without Scram (ATWS): a relativel y fre q uent abnormal event ( transient ) with simultaneous failure to scram (e.g. loss of feedwater without scram)

Spent fuel accidents: occurring while handling and storing spent fuel assemblies (e.g. drop a fuel assembly , or critical configuration in fuel storage pool)

External events: an event initiating outside the plant

(e . g .

earthquake ,

hurricane ,

airplane crash)

En g in ee r ed Sa f e t y Sys t e m s

Functions

• Shut - down reactor (i . e . stop the chain reaction) and keep reactor subcritical

• Remove decay heat

• R elieve pressure

• M aintain ( or re p lenish ) reactor coolant inventor y

Requirements

• Redundancy

• D i v e r s i t y

• Physical s eparation

En g in ee r ed Sa f e t y Sys t e m s ( 2 )

Shut-down reactor:

1) Scram c ontrol r ods (fast a cting: <2 sec)

2) Stand-by boron injection (slower acting, never used)

Remove decay heat:

1) Residual Heat Removal System (RHRS) in PWRs and BWRs, o r Isolation Condenser (IC) only in BWRs

BWR exam p le

Courtesy of GE Hitachi Nuclear Systems. Used with permission.

En g in ee r ed Sa f e t y Sys t e m s (3)

Remove decay heat (cont.):

2 ) Emer g enc y Feedwate r S y stem ( EFWS ) in PWRs and BWRs

Image by MIT OpenCourseWare.

Note redundanc y , diversity and physical separation

M. Gavrilas et al., Safety features of Operating LWRs of Western Design, CRC Press, 1995

En g in ee r ed Sa f e t y Sys t e m s ( 4 )

Relieve pressure

1) BWR: Safety/Relief V a lves (S R V s) located on main steam lines

2) PWR: Safety V a lves and Power Operated Relief Va l ve ( P O R V) l ocated o n top o f p r essu riz er

S R Vs and PO R V dischar g e steam into water pools located inside the containment

Courtesy of GE Hitachi Nuclear Systems. Used with permission.

Maintain (or replenish) reactor coolant inventory

The E mer gency Core Cooling S ystem ( ECCS) c omprises:

• High Pressure Coolant Injection (HPCI) kicks in at high P (e.g. <12.5 MPa in PWR)

• A ccumu l a t ors ki c k i n a t i n t erme di a t e P ( e. g . < 4 - 5 MP a i n PWR)

• Low Pressure Coolant Injection (LPCI) kicks in at low P (i.e.  0.1 MPa)

En g ineered Safet y S y stems ( 5 )

Note:

- A ll ECCS water is highly borated

- HPCI an d LPCI are t yp i ca ll y ac ti ve (b ase d on pumps powere d b y emer gency diesel generators) in some advanced L W Rs they can be passive (no pumps or diesels needed)

Image by MIT OpenCourseWare.

M. Gavr ilas et al., Safety featur es of Oper ating LW Rs of W e ster n Design, CRC Pr ess, 1995

Large - Break LOCA

Double-guillotine rupture of the lar g est pipe in primary system, i . e ., cold leg between pump and vessel .

Never happened. It is the worst design-basis accident for L W Rs.

Historicall y ,

Sequence:

treated as a “ bounding ” event .

1) System depressurizes ( blowdown ) and empties very quickly (<20 sec). Can do nothing about this because it ’ s so rapid. Note that the r eactor becomes s ubcritical even if CRs are not inserted, why?

At this p oint the core is uncovered. If nothin g is done , it would melt, why?

15

Large - Break LOCA (2)

2) ECCS (LPCI) kicks i n t o r e fill the v essel a nd r e flood the core. Refill and reflood take a few minutes.

If ECCS fails durin g refill and reflood , one has a severe accident (partial or complete melting of the core). However , ECCS is

designed to be redundant and diverse.

Some advanced L W Rs have passive ECCS. All existing L W Rs in U.S. have active ECCS, i.e., refill and reflood is done with pumps.

Note that ECCS water is heavily borated. Why?

16

Large - Break LOCA (3)

Legal limits for LB-LOCAs

Pl an t mus t sa ti s f y th e f o ll ow i ng requ i remen t s d ur i ng a LB - LOCA :

• No fuel melting

• Peak Cladding T e mperature (PCT) below 1204  C (2200  F), to prevent runaway Zr-steam reaction

Zr+2 H 2 O  2 ZrO 2 +2 H 2 +6500 kJ/kg Zr

• Max oxidation of cladding <17% of original thickness, to prevent cladding failure

• Less than 1% cladding oxidation average, to prevent excessive hydrogen production

• No fuel “ballooning”, to maintain coolable geometry in core

Large - Break LOCA (4)

Analysis of LOCAs:

• Entire d ivisions at vendors t o d o L B - LOCA analysis , importance.

given its

• Sophisticated codes s uch a s R ELAP ( US) , T RAC ( US) ,

C A THARE (Europe), MARS (Korea) used for analysis. They all have the same architecture.

• System is sectionalized and time-dependent conservation equations (mass, momentum, ener gy) are applied to each section.

Solving e quations numerically the P , T , f low a nd other u seful

parameters can be calculated as a function of time in each section. Neutronic behavior (not very important in LB-LOCAs) is s i mu l ate d w i t h s i mp l e ki net i c mo d e l .

18

Lar g e-Break LOCA ( 5 )

Example of RELAP nodalization for LB-LOCA analysis

28 6

28 0

27 8

15 8

18 6

18 0

20 6 20 2

31 0

35 6

03

35 5

35 0

31 1

10 6

11 0

20 9 21 0 21 2 21 4

BR E A K

01

30 0

30 5

31 5

08

04

34 5

34 0

33 3

01

33 0

32 5

32 2

33 5

01

01

30 1

30 6

31 6

08

11 8

11 6

SI

11 4

11 3

A C C

B r oke n Loo p

32 3

I n t a ct Lo op (L u m pe d)

3 intact loops are lumped into one with functioning LPCI train

Lar g e-Break LOCA ( 6 )

Most limiti ng constraint is PCT<1200  C

PCT has two peaks. Blowdown peak (coolant stagnates after break + ener gy redistributes ) and reflood p eak ( refill + q uenchin g) .

Depending on operating conditions and ECCS design, either blowdown peak or reflood peak is most limiti ng.

Large - Break LOCA (7)

Conservatism in LB-LOCA analysis (mandatory for licensing analyses)

1) Stored ener gy (important in blowdown): i nitial f uel T determined using h eat transfer and thermal conductivit y correlations yielding highest T

2) Decay heat vs time (important in reflood): use ANS standard +20%

3) Dischar g e rate through break is calculated using the Moody ’ s model (overestimates dischar g e rate)

4) No return to nucleate boiling after DNB has been exceeded during blowdown. Return to nucleate boiling is allowed during reflood

5) Conservative film boiling correlations to be used

6) Failure of one ECCS train must be assumed (single failure rule)

PCT predicted with these assumptions is usually much higher than realit y , as demonstrated in LOFT e x periment at INL in the 80s .

The Containment

It encapsulates the “nuclear island” + performs three functions

1. Public and Environment Protection

 Retention of radioactivity

 Retention o f missiles

2. Protection of Plant Systems from

 Natural elements (flood and storms)

 Human actions (crashes and ex plosions, acts of sabotage)

 Fires

3 . Structural Support o f S ystems

 Routine service loads

 Seismic loads

 Internal loads during accidents

The Containment ( 2 )

- It is a reinforced-concrete building to perform functions 2 (protection from external events) and 3 (structural support)

- It has a steel liner to perform function 1 (retention of radioactivity)

S e i s m i c r e i n f o r c e m e n t

h 2

h

S h e a r t i e

h 5

h 3 h 4

h 1

A x i a l r e i n f o r c e m e n t H o o p r e i n f o r c e m e n t

Image by MIT OpenCourseWare.

Sy st em 80+™ Tech Papers, ANS M t g., AB B - C E , 1992.

The Containment ( 3 )

The most serious design-basis challenge to the containment is pressurization following a LB-LOCA

Energy “sources”:

- Primary system inventory

- Decay heat

- Chemical reactions (Zr-H 2 O, H 2 detonation)

- Stored energy in hot structures

Image by MIT OpenCourseWare.

The Containment ( 4 )

Two basic types of containment:

1) Pressur e containment . Desi g ned lar g e enou g h to accommodate all mass/energy without exceeding pressure limit during initial spike

2) Pressure-suppressio n containment . To mitigate the initial pressure

spike , i t u ses:

- S uppression pools or

- I ce condensers

Long-term (beyond initial pressure spike) all containments need:

- S prays (keep pressure low + scrub containment atmosphere)

- H 2 /O 2 recom bi ners o r N 2 i nert i zat i on ( prevent H 2 d etonat i on )