IAEA-TECDOC-920

Technical feasibility and reliability

of passive safety systems for
nuclear power plants
Proceedings of an Advisory Group meeting
held in Julien, Germany, 21-24 November 1994

(g)

INTERNATIONAL ATOMIC ENERGY AGENCY

 The IAEA does not normally maintain stocks of reports in this series.
However, microfiche copies of these reports can be obtained from

INIS Clearinghouse
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

Orders should be accompanied by prepayment of Austrian Schillings 100,-

in the form of a cheque or in the form of IAEA microfiche service coupons
which may be ordered separately from the INIS Clearinghouse.
 The originating Section of this publication in the IAEA was:
Nuclear Power Technology Development Section
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

TECHNICAL FEASIBILITY AND RELIABILITY OF PASSIVE SAFETY SYSTEMS

FOR NUCLEAR POWER PLANTS
IAEA, VIENNA, 1996
IAEA-TECDOC-920
ISSN 1011-4289
© IAEA, 1996
Printed by the IAEA in Austria
December 1996
 FOREWORD

There were 432 nuclear power plants in operation in the world at the end of 1994.
Over 17% of the world's electricity needs were supplied by nuclear power in 1994. The
safety of nuclear power has an excellent record, with an accumulated experience of over
7200 reactor-years of operation. Few accidents have occurred in the history of nuclear
energy. The two main accidents, namely Three Mile Island (TMI) and Chernobyl were
caused by human error and the improper shutdown of safety systems designed specifically
to prevent such accidents. The TMI accident demonstrated the importance of containment.
Nearly all radioactivity was contained inside the plant and off-site releases were negligible
(the highest exposure received by anyone during the accident amounted to the equivalent of
a single X ray exposure). The accident at Chernobyl, however, resulted in a considerable
release. Many people's scepticism about nuclear energy has either been started or magnified
by this accident.

The future of nuclear power depends primarily on two factors: how well and how
safely it actually performs and how safely nuclear power is perceived to perform. In response
to this, designers and national and international organizations involved in nuclear power
development, design and generation have paid increased attention to the safety of current and
future nuclear power plants. Enormous efforts have been devoted to this subject worldwide.

Several new designs for future nuclear power plants have been developed. Many of
these designs have adopted passive safety means to accomplish the required functions.
Passive systems rely on natural forces and minimize the effect of human factors. The use of
passive safety is also a desirable method of achieving simplification and increasing reliability.

The design, development and testing programmes of passive safety systems have
reached a mature stage. Some designs, utilizing passive systems to accomplish the required
safety functions, are currently in the detailed design stage. The International Atomic Energy
Agency has long provided a forum for joint discussion and exchange of information on
subjects of international interest. This Advisory Group meeting provided the opportunity to
exchange information on the technical feasibility and reliability of passive safety systems.
 EDITORIAL NOTE
In preparing this publication for press, staff of the IAEA have made up the pages from the
anginal manuscripts as submitted by the authors. The views expressed do not necessarily reflect those
of the governments of the nominating Member States or of the nominating organizations.
Throughout the text names of Member States are retained as they were when the text was
compiled.
The use of particular designations of countries or territories does not imply any judgement by
the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as registered)
does not imply any intention to infringe proprietary rights, nor should it be construed as an
endorsement or recommendation on the part of the IAEA.
The authors are responsible for having obtained the necessary permission for the IAEA to
reproduce, translate or use material from sources already protected by copyrights.
 CONTENTS

SUMMARY .................................................. 7

OVERVIEW OF THE KEY ISSUES ON PASSIVE SAFETY (Session I)

Key issues for passive safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

M.R. Hayns, E.F. Hicken
Development of IAEA description of passive safety and subsequent thoughts . . . . . . 23
P.M. Long
Operating experiences with passive systems and components in German
nuclear power plants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
M. Moqua

EXAMPLES OF PASSIVE SYSTEMS/COMPONENTS (Session H)

Problems and chances for probabilistic fracture mechanics in the analysis of

steel pressure boundary reliability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
M. Staat
The research activities on in-tube condensation in the presence of noncondensables
for passive cooling applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
A. Tanrikut
Plant experience with check valves in passive systems . . . . . . . . . . . . . . . . . . . . . . 67
R.R. Pahladsingh
Backup passive reactivity shutdown systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Y u.M. Ashurko, I.A. Kuznetsov

PRESENTATIONS ON PASSIVE SAFETY SYSTEMS/COMPONENTS (Session HI)

Reactivity control in HTR power plants with respect to passive safety

systems (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
H. Bamert, K. Kugeler
CANDU passive shutdown systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
R. S. Hart, R.A. Olmstead
Active or passive systems? The EPR approach . . . . . . . . . . . . . . . . . . . . . . . . . . 113
N. Bonhomme, J.P. Py
Dimensioning of emergency condensers in accordance with safety requirements . . . . 133
C. Palavecino
Passive heat removal in CANDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
R.S. Hart, V.G. Snell, LA. Simpson, D.B. Sanderson
Diversified emergency core cooling in CANDU with a passive moderator
heat rejection system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
N. Spinks
Survey of the passive safety systems of the BWR 1000 concept from SIEMENS ... 167
J. Mattem, W. Brettschuh, C. Palavecino
Technical feasibility and reliability of passive safety systems of AC600 . . . . . . . . . 183
W. Niu, X. Zeng
A feasibility assessment for incorporation of passive RHRS into large
scale active PWR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
S.-O. Kirn, S.Y. Sub, Y.-S. Kirn, M.-H. Chang, J.-K. Park
Passive safety systems for decay heat removal of MRX . . . . . . . . . . . . . . . . . . . . 207
M. Ochieti, H. lido, T. Hoshi
Gravity driven emergency core cooling experiments with the PACTEL facility . . . . 219
R. Munther, H. Kolli, J. Kouhia
APLHA - The long-term passive decay heat removal and aerosol retention
program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
S. Güntay, G. Vcaradi, J. Dreier
Core melt retention and cooling concept of the EPR . . . . . . . . . . . . . . . . . . . . . . . 253
H. Weisshäupl, M. Y von
Feasibility of passive heat removal systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Yu.M Ashurko
Availability analysis of the AP600 passive core cooling system . . . . . . . . . . . . . . . 281
M. Syarip, I.R. Subki, M.H. Canton
Passive heat removal system with injector-condenser . . . . . . . . . . . . . . . . . . . . . . 297
K.I. Soplenkov

APPENDIX I: ADDITIONAL PAPERS ON PASSIVE SAFETY

Passive safety systems for integral reactors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

V.S. Kuul, O.S. Samoilov
CANDU safety under severe accidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
V.G. Snell, S. Alikhan, G.M. Frescura, J.Q. Howieson, F. King,
J.T. Rogers, H. Tamm

LIST OF PARTICIPANTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

 SUMMARY

One of the main goals of advanced reactor development is to further enhance nuclear
power plant safety. Advanced reactor designs have generally incorporated improvements for
accident prevention and mitigation which substantially reduce the potential effects of human
error and which could result in significant reduction in emergency planning requirements.

The design of next generation plants has not been driven by public opinion. Even
though improved, public acceptability is considered a prerequisite for the revival of the
nuclear power market. For this reason, many reactor designs have chosen a new approach
to gain the same and possibly higher level of safety, by system simplification and utilization
of natural forces. Development activities in this area are integral parts of the advanced
reactor programmes in many Member States.

Safety enhancements have in a number of the next generation plants to a considerable

extent been attained by utilizing passive safety systems (for a definition of passive and active
systems, see IAEA-TECDOC-626, Safety Related Terms for Advanced Nuclear Plants,
1991). These plants still use some active systems as a first line of defence for different safety
functions. The tangible difference lies in designating the passive systems as the safety-graded
ones for the various functions. This makes the passive systems the assumed available systems
in the event of an accident. Passive safety systems for severe accident prevention and
mitigation have been incorporated into some of the new designs and have been covered in
previous IAEA activities. After substantial basic research and industrial development in
different countries, it was felt that discussion of the technical feasibility and reliability of
proposed passive systems would be very fruitful for all parties involved.

The design approaches and design descriptions of these systems have been presented
at other meetings and conferences, and this meeting, therefore, concentrated on key issues
connected with the technical feasibility and reliability of passive safety systems. Hence, the
papers that were presented and discussed at the meeting focused on key components,
features and phenomena that make passive safety systems feasible or highlighted problem
areas in specific designs.

The meeting provided an overview of the key issues on passive safety. Technical
problems which may affect future deployment, and the operating experience of passive
systems and components, as well as, definitions of passive safety terms, were discussed.
Advantages and disadvantages of passive systems were also highlighted. The philosophy
behind different passive safety systems was presented and the range of possibilities between
fully passive and fully active systems was discussed.

The numerous points made in the discussions support the following consensus:

Advantages of passive systems/components outweigh the disadvantages.

There is a need to address data collection and validation of passive
systems/components, integration of passive systems in the overall safety systems,
regulatory requirements and demonstrability of passive systems.
The degrees of passivity defined in TECDOC-626 are intended for illustration of the
spectrum of possibilities, but do not represent fixed categories.
 Passive components/systems have been used and currently are being used. The
operating experience has been satisfactory. In-service inspection was identified to be
an important area for passive systems.

In order to discuss the issues of passive systems in more detail, examples of

systems/components with a varying degree of passivity were selected. The categorization of
TECDOC-626 was used for the selection of the various examples and to facilitate discussion
of passive systems with similar characteristics. As highlighted in the paper "Development of
IAEA Description of Passive Safety and Subsequent Thoughts", this does not mean that these
categorizations are to be used for special applications (e.g., regulatory aspect).

The steel pressure boundary represents a typical example of a system/component of

category A; passive systems/components with no moving mechanical parts or working fluids
and no signal input or external power source. Probabilistic fracture mechanics (PFM) are an
important part of the reliability analysis of the steel pressure boundaries. The high reliability
of relatively small population of these components represent a main difficulty for providing
exact failure probability by this technique. It was, however, shown that the technique could
provide upper limits for failure probability, and identify also the most sensitive parameters.
PFM could also provide a useful tool to guide design changes, improve quality control or
modify operation where the fracture probability is felt to be too high. It was concluded that
PFM is the best approach in spite of all its shortcomings.

The second passive system category (Category B) includes systems with working
fluids but no mechanical movement or signal or active power input is needed. Heat transfer
for reactor emergency cooling systems based on water natural circulation, or similar systems
for containment cooling systems, play an important role in passive heat removal applications.
The presence or build-up of non-condensable gases drastically degrades the condensation
process and hence inhibits the heat transfer mechanism. The isolation condenser of a passive
containment cooling system was taken as an example for this category. It was concluded that
the condensable film surrounding the heat exchanger surface is very important for the
process. The presence of the non-condensable gases greatly affects the efficiency of the
system. It was also concluded that the orientation and geometry of the system is an important
factor for its efficiency.

Data on the effect of the non-condensable gases and on the effectiveness of heat
removal systems in the presence of non-condensables are system specific and largely
depending on the prevailing conditions and geometry. This makes data collection and model
validation a much more difficult task.

The check valve was taken as a third example for passive safety (category C). Check
valves are widely used in nuclear power plants and in advanced reactor designs. The check
valve is proposed to be used for many of the passive cooling systems. Check valves are
convenient for system isolation up to a given differential pressure. Below a given differential
pressure the isolated system delivers a fluid which is in a stand-by state to perform a given
function (e.g. cooling, make up, reactivity control). Check valves could be used at both high
or low pressure conditions. At the meeting data on actual experience with check valves used
under full reactor pressure, low pressure and at zero differential pressure have been reported.
The reliability of this component is a key issue for passive safety systems. The component,
from practical experience, is very reliable. There is some room for improvement in the check
valve performance at zero differential pressure. The biased-open check valve is designed with
these conditions in mind.
 The intermediate zone between active and passive, where the safety function is
conducted passively once external intelligence initiates the process, forms another category
(D). Reactivity control systems relying on natural forces or stored energy for system
operation fall under this category. Some initiation principles, however, rely on a natural
process or material properties (e.g. temperature induced changes in the mechanical or
magnetic properties of the control mechanism resulting in a large negative reactivity
insertion). Stored energy (e.g. pre-pressurized tank) is another passive mechanism used for
initiation and operation of reactivity control systems. Redundancy, diversity and fail safe
operation practiced in the design and operation of the control systems, in these cases, assure
the required level of performance. With regard to these systems the main outcome of the
discussion was that the need for a signal for process initiation does not by any means degrade
the quality of the system. Moreover, systems of this type have shown high reliability in
actual operation. These systems are incorporated in the designs with some redundancy and
diversity. It is also desirable to have these systems designed to operate in a "fail safe"
manner.

The self-acting stabilization of the neutron reaction in gas-cooled reactors was

presented. The combination of the negative fuel temperature coefficient of reactivity, the
xenon-effect, the low excess reactivity, and the large design margin between the operating
temperature and maximum temperature that the fuel can withstand, constitute an inherent
safety characteristic with respect to a potentially hazardous reactivity insertion in an
appropriate core design. These features contribute to the solution of problems of gas cooled
reactor safety. The first three of these are inherent safety characteristics with regard to
reactivity incidents. Large fuel temperature design margin constitute an inherent safety
characteristic with regard to loss of heat sink. They, however, could not be regarded as
systems since no components could be defined for such a system. This, however, does not
degrade or disregard the strong and desirable effect of the inherent safety characteristics of
this type of reactor.

Specific systems and components were also considered at the meeting.

For the European Pressurized Reactor (EPR) project, numerous passive safety systems
have been considered and criteria with regard to design, operation, safety and cost were used
for the assessment. It was concluded that for large reactors few passive features could
possibly be implemented without substantial effect on the design and cost.

For beyond design basis accidents, there is a general belief that passive safety systems
have advantages. For the EPR, a conceptual core catcher design for core melt retention and
cooling was presented. The approach is to provide a large spreading area for the melt on a
high temperature resistant protection layer. This would then be followed by flooding of the
melt with water. Several experimental programmes are underway to verify some of the
physical phenomena connected with melt spreading and melt interactions, some of which are
being conducted with real corium.

The feasibility assessment of incorporating a Passive Residual Heat Removal System

(RHRS) into a large PWR (System 80+) carried out by KAERI, Republic of Korea, was
presented. Safety assessments showed some advantages specially for beyond design accidents,
but there is an adverse impact to two events. One is the main steam line break and the other
is the inadvertent operation of PRHRS. The combination of these two events may lead to
over-cooling of the reactor; this with the negative temperature coefficient of reactivity could
lead to positive reactivity insertion. PSA evaluation has shown a reduction in the Core
Damage Frequency (CDF) by implementing the PRHRS. The introduction of a large number
of heat exchanger tubes results in the expansion of the pressure boundary, yielding additional
LOCA paths. From a cost point of view, the implementation of the system would result in
an enlargement of the containment to accommodate a PRHR heat exchanger at an elevated
level to allow for natural circulation. Additional containment penetrations and larger external
water storage tanks would also be needed. Licensing issues would also have to be
reconsidered if the PRHR would be safety graded. The over all conclusion of the paper was
not in favour of such modification at present. If the overall nuclear environment changes,
PRHR would be a strong candidate for decay heat removal (DHR) in the case of beyond
design basis events for a large PWR.

The design for an emergency condenser for the new KWU boiling water reactor
design SWR 1000 is truly passive and could prove to be very reliable. The system consists
of a parallel arrangement of horizontal U-tubes connected to two main heads. The top head
is connected to the reactor vessel steam space and the bottom head is connected below the
reactor vessel water level. In normal conditions the tubes are filled with cold water and no
heat transfer takes place. If the water level in the reactor vessel drops the heat exchanging
area is gradually uncovered and the incoming steam condenses on the cold surface and
returns to the reactor vessel. Due to the simplicity of the design, the cost is expected to be
a fraction of the cost of a comparable active system. For this reactor concept it was also
found to be technically feasible and economically possible to adopt several other passive
safety systems. Core flooding, containment cooling and other examples are presented in
another paper on the passive systems used in this concept.

Safety systems of the CANDU reactor for heat removal and water make-up were
presented and the ease of passive safety implementation was highlighted. Due to the concept
of the design, passive safety features are possible even with units in the large power range
(i.e. 900-1000 MWe). The CANDU design relies on passive and active safety systems to
achieve low failure frequency and provide for the maximum diversity.

The AC600 design by China relies totally on passive safety systems to accomplish the
main safety functions. The technical feasibility and reliability of the proposed systems were
presented. Major research and test programmes to verify the feasibility and reliability of the
proposed systems were highlighted.

Analysis of the availability of the AP600 passive core cooling system was presented.
A general description of the different sub-systems was highlighted and plant operation in
normal and accidental conditions was described. The methodology used for the availability
analysis was outlined. System unavailability figures were reported for different options. It
was concluded that the main contributor to plant downtime would mostly be due to valve
unavailability.

The passive safety systems for decay heat removal for the marine reactor designed
by Japan Atomic Energy Research Institute was presented. The idea of a water filled
containment vessel is used to counter a LOCA accident. The natural circulation of water in
the reactor pressure vessel and the water filled containment are regarded as key factors of
the Marine Reactor X (MRX) safety system. Preliminary design showed the effectiveness of
the water-filled containment vessel in the event of a LOCA. Additional work to investigate
the maintainability of the systems/components in the water filled containment is underway.

10
 The principle of operation of a passive heat removal system with an injector-
condenser developed by the All Russian Scientific Research Institute was presented. The
experimental facility used for testing verification of the operation of this system was
described. Results of experiments demonstrated the simplicity and full passivity of the
system. Another feature of this system is the relatively short time between accident initiation
and the beginning of heat removal. The system has also been developed for the specific
requirements of the VVER-440 NPP.

An out of pile experimental facility PACTEL (parallel channel test loop) was
presented. The facility has been designed to simulate the major components and systems of
a commercial PWR during postulated LOCA scenarios and transients. Recent modification
provided for the possibility to conduct experiments modeling passive core cooling systems.
An additional objective of the test facility is to enhance the understanding of the physical
phenomena in passive safety systems working with low differential pressure. Experimental
and theoretical results showed good agreement for most of the different physical events. The
main discrepancy was due to the difficulty in calculation to predict the rapid condensation
in the core make up tank. This calls for further experiments and new computational models
to be developed. The reference reactor for the facility is a LOVIISA type VVER-440.

An analytical and experimental programme (ALPHA) was initiated in 1990 by the

Paul Scherrer Institute. The purpose of the programme is to better understand the long-term
decay heat removal and aerosol questions for advanced light water reactors utilizing passive
safety techniques to accomplish the main safety functions. The ALPHA programme includes
four major items:

PANDA Large scale, integral system behaviour test facility.

LINX Test facility for the thermal hydraulics of natural convection and
mixing in pools and large volumes.
AIDA Aerosol transport and deposition in plena and tubes.

The fourth item is the development and qualification of models and validation of
relevant codes using data obtained from the PANDA and LINX test facilities. A paper
reviewing the above four topics and current status of the experimental facilities was
presented.

The scope of the meeting covered all reactor development lines and, a review of
decay heat removal systems in liquid metal-cooled reactors was presented and discussed. The
paper mainly dealt with the problems of technical feasibility of passive decay heat removal
for fast reactors. Classification of safety systems according to: principle of operation,
location of systems in the NPP, and the mechanism of heat removal were presented. The
paper further focussed on the classification of such systems by the degree of their passivity
and highlighted the advantages and disadvantages. Ways to enhance the degree of passivity
were described. It was concluded that RVACS and DRAGS systems are the preferred passive
systems for Liquid Metal Fast Reactors. The former provides for better efficiency and
extended applicability with regard to power level; where the later is attractive due to the high
operating temperature of the LMFR. Their future usage in advanced fast reactors was also
described.

Several papers were made available by some participants but were not presented
(These papers are given in Appendix I).

11
 Based on the AGM presentations and discussions several interesting observations were
made:

Active or passive safety systems differ in the manner in which safety systems,
components or structures function. In particular, they are distinguished from each
other by determining whether there exists any reliance on external forces or signals.
Passive safety systems rely on natural forces, properties of materials or internally
stored energy.
Passive safety systems and components have been used in the past in NPPs (e.g.
Hydraulic accumulators, check valves, gravity driven control rods for emergency
scram). Active safety systems were the safety graded systems that formed the front
line of defence. Recent designs, however, have proposed the possibility of reliance
on passive systems as the first safety graded systems to react to an emergency
situation. This is seen by many vendors as an option for an economical approach to
achieving a high level of safety and to prolong the period for operator intervention
giving the operator much more time to understand the status of his plant and to take
corrective action, if required.
Passive safety systems rely on natural forces, and hence eliminates active pumps and
valves along with their safety graded power supplies. This could provide for cost
reduction and simplification.
The reliability of a given system or component depends largely on its specific design;
hence redundancy, diversity and single failure criteria should be decided on a case by
case basis.
Inherent safety features with respect to a negative temperature coefficient of reactivity
combined with the large margin between the operating temperature and the
temperature which the fuel can withstand without releasing fission products is seen
by some designers as a category of passivity specially when connected with a passive
safety system for the eventual removal of the after heat. This is the case with the
HTGR design. Others look at it as engineered safety features which cannot be defined
as a passive system, but is nevertheless a highly reliable and effective technique for
meeting a safety requirement.
For certain situations passive safety systems and components are less susceptible to
operator intervention, making them less vulnerable to operator errors. More
emphasis, however, should be put on the design and QA & QC of passive systems
to ensure their operability when required. Passive systems are seen to be less flexible
with regard to accident management.
A large amount of data on the performance of passive systems and components exists
worldwide. Quantification of reliability is still a difficult process for some systems
due to the possibly different modes of failure of passive systems from the more
familiar active systems. Causes for failure of passive systems also differ. Periodic
testing of passive systems/components where possible provides for better reliability
and more data in the long run. Some passive safety systems/components in current
designs do take into consideration such features. The ageing effect on an active or a
passive system may also be different. For active systems replacement of parts could
be the solution, passive systems may require a different solution in some
circumstances.
Passive safety systems relying on a different mode of operation and power
supply(compared to active systems), provide the maximum diversity when deployed
in combination with active safety systems.
In certain conditions where forceful or rapid action is required and at zero or very
low power, active systems may be more suitable to attain certain safety functions.

12
 In the case of the very remote possibility of severe accidents such as core melt and
corium management, inter alia passive safety systems are expected to provide better
handling of these conditions
Some utilities present at the meeting see little difference between deployment of active
or passive systems and base their choice of a safety system mainly on the safety level
that could be attained, the reliability of the system and last but not least the cost
factor, regardless of the degree of passivity of the system. There is, however, a
strong tendency from the vendors and R&D organizations side to employ passive
safety systems to improve NPP safety in the small and medium size range.

These observations, and the discussions following the presentations, formed the basis
for a final discussion on open issues, such as, modeling, experiments and benchmarks,
leading to the following general conclusions and recommendations for future activities.

Conclusions

1. The safety approach for advanced nuclear power plants basically remains the same
as for existing plants. All safety systems, passive or active, are based on the defense-
in-depth concept. No conflict exists in the employment of passive or active systems.
Passive systems, in combination with active systems, provide for diversity and do
improve the safety level of advanced reactors.
2. Utilization of passive safety systems and the general relaxation of conditions (larger
coolant inventories, negative temperature coefficients etc) provide for a longer grace
period and relieve operators from immediate action. On the other hand, accident
scenarios have been widened to include severe accidents, and passive systems are
often used for the mitigation of such accidents.
3. The reliability of passive safety systems should be seen from two main aspects

systems/component reliability
physical phenomena reliability

The first calls for well engineered safety components with at least the same level of
reliability as active ones. The second aspect is concerned with the way the natural
physical phenomena operate in a particular system and the long term effect of the
surrounding on the properties of the system components. It calls for the identification
and quantification of the uncertainties in the interaction between the phenomena, the
immediate environment and the system. The latter should be complimented by the use
of PSA for design optimization. Identification of modes/causes of failure and the
collection of existing data from actual experience along with results from current
experimental investigations would provide information on influences on the functional
reliability of the passive systems.
4. Many Member States conduct substantial work on the design, modeling, and
development of passive safety systems. This could be substantially enhanced by global
coordination of information exchange on the subject.
5. Coordination of activities on the quantification of reliability of passive safety systems
and components could be accomplished through:

mutual exchange of available PSA on passive systems,

discussions on available methods to evaluate uncertainties in the physical
correlations,
review of different types of passive systems,

13
 identification of failure modes of passive components (e.g. pressure
boundary),
gathering of relevant data (e.g. experience with passive safety systems),
validation of codes at available test facilities (e.g. influence of non-
condensable gases),
specific PSA on innovative passive safety systems (e.g. emergency
condensers).

14
OVERVIEW OF THE KEY ISSUES ON
PASSIVE SAFETY

(SESSION 1)
 KEY ISSUES FOR PASSIVE SAFETY XA9743154

M.R. Hayns
European Institutions,
AEA Technology,
Harwell, Didcot,
Oxfodshire,
United Kingdom

E.F. Hicken
Forschungszentrum Jülich, ISR,
Jülich, Germany

Abstract

This paper represents a summary of the introductory presentation made at this Advisory
Group Meeting on the Technical Feasibility and Reliability of Passive Safety Systems. It
was intended as an overview of our views on what are the key issues and what are the
technical problems which might dominate any future developments of passive safety
systems. It is, therefore, not a "review paper" as such and only record the highlights.

WHAT ARE PASSIVE SAFETY SYSTEMS

Need for a consistent definition. It is clear that the terminology has been interpreted
differently in the past and this has led to confusion and, worse, to a loss of credibility for
'passive' systems. It is strongly recommended that the IAEA definition is widely adopted
and used as a means of helping to alleviate this difficulty.

• The need to differentiate between 'systems' and 'features'. Also aligned to the general
problem of definition, it is necessary to have a clear differentiation between 'systems' and
'features'. A 'system' is usually a complete set of engineering components and
instrumentations and control systems, the ECCS or secondary shut down are examples.
Clearly to engineer a totally passive 'system' is much more difficult (if at all possible)
than to have passive 'features'. Features in this case are meant to include, for example,
natural circulation (when used as a means for heat removal) or stored energy devices
where the 'mechanism' for storing the energy is the "feature".

• The role of natural phenomena. Natural phenomena are, of course, at the heart of any
device or process. However, in the context of passive safety, natural phenomena are
often called upon to act without the need for other input. The obvious example is Gravity
which can be relied upon to ensure rods fall into the core or that natural circulation has
a driving force. However, from the point of view of quantified safety, natural phenomena
have to be shown to be able to operate under all conditions eg under out of normal heat
transfer conditions (boiling, two phase flow) or earthquakes. Reliance upon natural
phenomena is much more complicated than simply relying upon Gravity to be there.

In any discussion of passive safety, or indeed of natural phenomena, the phrase 'inherent safety1
is often used. We believe this is a potentially misleading phrase and should be avoided.

17
WHY USE PASSIVE SYSTEMS?

In order to answer this question, it is useful first to simply list the attractions, and, of course,
potential detractions of the use of such systems.

Attractions
• Simplicity. In general passive systems do not, by their very nature, call upon complex
control systems nor upon external power sources which may need to be both redundant
and diverse. Because of this they should also be easier to licence once the basic
processes are satisfactorily understood.

• Safety. The principal rationale for postulating passive systems is that they offer a
solution to improved safety without an unacceptable increase in costs. The argument for
a change, however, is extremely complex. Current (modern) reactor designs are clearly
considered to be 'safe enough1 by the regulatory bodies, the owners and to a large extent
by the political powers in most western countries. Furthermore, with the low activity
generally in the nuclear industry there is little opportunity presently for new innovative
designs. The full potential of passive systems can only be realised once the demand for
nuclear power is re-established and as a part ofthat, there is a demand for such safety
systems.

Detractions

• Lack of data on important phenomena. There is a perhaps surprising lack of data on the
phenomena of interest in the particular circumstance under which they would be expected
to operate. This is especially true since these 'phenomena1 will have to be understood to
a level appropriate to nuclear safety standards.

• Need to understand performance in a wide range of conditions. This applies clearly to

all conditions within the normal operating envelope for the system. However, there is
now an increasing need to be able to determine system performance outside this
envelope. This applies certainly to accident management procedures, but also to the
requirement to understand severe accident behaviour in order to satisfy developments in
regulatory requirements.

• Unknown (untested) response from regulators. In either normal (design basis) or out of
normal conditions, passive systems will need to be shown to conform to the expectations
of regulators. Whilst there may be clear advantages in having simpler systems, it is not
clear yet whether regulators will feel able to license them. This may be of particular
difficulty in those countries operating prescriptive licensing regimes since the
introduction of passive systems will require a change in the regulations.

Overall, the real 'prize' to be won if passive safety features can be incorporated into the design
of next generation plant is a combination of the following:

improved safety margin at lower cost

a tool to help improve public perception of nuclear power. (But noting that public
perception is not a good driver for the design process)
clear demonstration of the ALARA principle.

18
The latter of these is important since it may be argued that the passive systems are as low as
achievable in an absolute sense. Given that these are the pro's and con's of passive safety systems
and that we believe that the ultimate rewards justify continued efforts, what are the basic
technical issues which need to be addressed? The following represent only the obvious 'high
level' technical issues. The symposium addresses many of these and in much more detail.

• Quantification of reliability. The reliability of systems is absolutely key to their

incorporation into any larger engineered systems. This is not just because the failure rate
is important in safety calculations, but also because the requirements placed on other
parts of the system will be defined by it. For passive systems, there does not exist a large
database of relevant experience which can be used as a starting point, such as there is
(was) for valves, electric motors etc when this kind of data was first needed to quantify
systems reliabilities. It is necessary to establish what methods are available to determine
the reliability of such systems. Analogous problems arise in the determination of the
reliability of software based systems. Also, the reliability of this type of system needs
to be established over a wide range of conditions.

• Fitness for purpose of passive systems. Whilst passive systems may seem attractive, eg
for heat removal it is necessary to demonstrate that they can cope with all of the demands
put upon them. For example, they may be too slow for safety grade applications. In
other circumstances they may require operator intervention to initiate them violating
operational rules oj requiring non passive means for initiation. It is also possible that
they may degrade operational performance so much that they are uneconomic. Examples
of the latter could be where decay heat removal systems operate continuously, even
during normal operation and the heat loss might be unsustainable.

• Plant ageing. This is one of the most important aspects of the performance of current
plant. The lessons are clear in that unexpected problems always occur as the plant ages
and continuing programmes are needed to ensure that plant use is optimised. The
pressure on the economic aspects of nuclear power means that this will certainly continue
into the future as current plant lives are extended as far as is safely prudent and that new
designs will need to be able to demonstrate unequivocally that the predicted life will be
achieved. In many cases this life is being extended to 60 years or more. For passive
systems there is a total lack of data on the performance of the phenomena under such
conditions. Examples might include - degradation of stored energy devices, the blockage
of heat transfer routes with deposits, environment effects on structural materials for any
changes to chemical composition of coolant systems etc. In addition, there is the
question of testing of systems which may degrade, but are of themselves 'untestable'. An
example of this is a heat removal system which only operates under accident conditions,
and the generation of such conditions is not normally attempted, or even allowed.
Further issues associated with plant ageing include such things as the effects on passive
systems of maintenance or up-grading of other parts of the plant which could have a
deleterious effect on the passive systems performance, or even major back fitting of, eg
control systems which would need to be examined very closely for any interaction with
existing passive systems.

Technical Feasibility of Innovative Systems. If a 'passive system1 involves innovative

components or aspects then there is likely to be a need for an extensive demonstration of
the technical feasibility. An example of this is the amount of work required to "prove"

19
 the hydraulic lock on ASEA's PIUS systems. And, even though there is now an
appreciable body of evidence it has never been tested in the regulatory domain. Also, the
use of vortex diodes as proposed in the SIR™ design is innovative so far as power reactor
systems are concerned.

In Service Testing. All systems, whether passive or not require some sort of hi service
testing regime. Passive systems either have to be 'testable', or to have an overwhelmingly
powerful case that it is not required. Two examples serve to make the point.

passive containment cooling. Heat removal through thick concrete containment

structures is poor. Therefore removal of heat requires some kind of heat
exchanger system. Some designs which have been proposed are passive and
simply rely upon temperature differences for their operation. These systems have
to be very large if they are to cope with the heat loads associated with severe
accidents. Their capability may be decreased through a number of mechanisms,
eg surface degradation, oxidation etc. Full scale testing is not possible so some
form of inspection plus component testing would have to be devised.

bursting disks. This is the most obvious puzzle when it comes to in service
testing. No disk can be 'tested' since if the test is successful it will have, by
definition, failed. Normally, this is circumvented by arguing for strong quality
assurance during manufacture, coupled with frequent random tests from
production examples.

Maintainability. It has not been proven that passive systems can be designed for ease of
maintenance, nor to minimise radiation exposure. There are cost implications for both
circumstances. It is not clear that there will be such difficulties with passive systems but
as with other practical aspects of their implementation this has yet to be demonstrated.

HYBRID SYSTEMS

Finally, under the heading of basic technical issues, there is the question of mixed or hybrid
systems. In many cases passive systems are being proposed as add-ons or alternatives for
existing plant. This brings into question the cost savings and even safety margins since 'active'
engineered systems will be needed anyway, along with their safety grade back up power,
diversity of operation and quality/reliability associated with nuclear plant. Unless the passive
system has genuine cost and safety advantages when used alongside active equipment then it is
very unlikely to be welcomed by the operators. The obvious advantage of passive systems is
when they can replace the need for aH active (safety grade) systems in a plant. Such innovative
plant are clearly for the future, the question of course is how to leap-frog current designs to bring
them into play on the right timescale.

CONCLUSIONS

The authors believe that the attractions of passive systems outweigh the detractions and that they
should form the basis of advanced designs of reactors. However, it is not an open and shut case

20
and there is a need for a programme covering the basic issues addressed in this paper to ensure
their availability on a timely basis. The principal requirements are:

• completion of the phenomenological database

• demonstration of the operability of passive systems

• integrated, total concept designs maximising the positive contributions of passive systems

• clarification of regulatory requirements

Implementation of such a programme by either vendors and owners, or Governments (acting

alone or in concert) will require an act of vision and confidence in the future prospects of nuclear
energy.

21
 DEVELOPMENT OF IAEA DESCRIPTION OF PASSIVE XA9743155
SAFETY AND SUBSEQUENT THOUGHTS

P.M. LANG
US Department of Energy,
Washington D.C.,
USA

Abstract

The description of passive components and systems published by the IAEA

in its TECDOC-626 was developed in the course of a Technical Committee Meeting
held in Sweden and two subsequent Consultants Meetings held in Vienna. This
description is reviewed and discussed in terms of the philosophies behind it,
alternatives considered, problems encountered, and conclusions drawn. Also
discussed is an Appendix to the TECDOC, which illustrates the spectrum of
possibilities from passive to active by describing four typical categories of
passivity.
Subsequent thoughts on passive safety include a discussion of its
advantages and disadvantages, concluding with a summary of current views and
problems with it.
Introduction
The description of passive components and systems published by the IAEA
in its TECDOC-626'1' was developed in the course of a Technical Committee
Meeting held in Vasteras, Sweden, and two subsequent Consultants Meetings held
in Vienna. During these meetings, many proposals for descriptions of the
various terms were offered and discussed, and a series of drafts of the
descriptions that ultimately were published as the TECDOC were prepared,
repeatedly reviewed, and revised. This process iterated both on the
descriptions of the various terms and on the specific terms to be included or
excluded from the document. The process as it relates to passive safety is
discussed here, as it may shed some light on what passive safety is and is
not, and how the term should properly be used. This discussion includes
consideration of alternatives that were suggested, issues that were raised and
resolved, and conclusions that were drawn. Although the author participated
actively in the meetings and discussions, the published description and the
discussions that were part of its development represent the various views of
the participants and the consensus that was reached, rather than primarily the
views of the author.
Participation in this kind of analysis, discussion, and documentation
sensitizes one to the issues and problems and has led to the author's
subsequent observation and consideration of how passive terminology is being
used by others, including particularly outside the nuclear field. Work on
advanced plant designs utilizing passive safety systems subsequent to the
publication of the TECDOC is also leading to a clearer understanding of the
advantages and disadvantages of such systems. Such subsequent thoughts on
passive safety, including current views on it, are also presented below.
Vasteras Meeting Proposals
The author did not offer a specific proposal for describing passive
components and systems at Vasteras, but rather offered a framework within
which a good description should fit, as follows. It should conform with the
common-sense, public understanding of the term; it should agree with usage in
other technologies perceived by the public as hazardous; it should agree with

23
common, every day experience such as with automobiles, aircraft, and fire
protection; it should not be at variance with dictionary definitions although
it should include more refinement and specificity than those definitions; and
it should be clear and easy to apply, without ambiguity, and with easy
determinability as to whether any piece of hardware conforms to the
description. Dictionary definitions of passive center around the negative
concepts of "not acting but acted upon" and "not active". Active in turn is
defined in dictionaries as "in-action, moving, causing or initiating action or
change". Previous definitions of passive safety in the nuclear technical
literature included the concepts of coming into action in the event of an
accident without switching operations or additional energy supplies' , or
alternatively without an external and continual energy input except for the
initial activation energy'3'. At Vasteras, the author suggested that active
engineered safety systems depend for their functioning on humans, external
power sources, mechanical or electrical devices, and the like. In contrast,
the functioning of passive systems depends on their inherent or self-contained
properties and the laws of nature. 4Further, it was emphasized that neither
kind of system is immune to failure' '.
Other Vasteras proposals of particular interest were those of
Forsberg1 ', Aritomi and Tominaga'6', and Voznesensky and Fyodorov(7). Forsberg
offered the attractively simple concept that passive safety engineering avoids
the use of moving parts. Aritomi and Tominaga distinguished between active
and passive by focusing on whether reliance is placed on external mechanical
and/or electrical signals and forces; this phrasing was ultimately accepted by
the consultants for the description of a passive component in the TECDOC.
While all the other participants appeared to be searching for a single, sharp
criterion dividing active from passive, Voznesensky and Fyodorov offered the
view that passivity has different degrees or stages, depending on which of a
series of criteria are satisfied, with only the higher stages avoiding the use
of mechanical, moving parts. Their suggestion led to the discussion contained
in Appendix A of the TECDOC, which describes the "Range of Possibilities from
Passive to Active".
Peseri pti on of Pass i ye Component and Passive System
TECDOC-626 provides the following descriptions of a passive component
and a passive system. A passive component is "A component which does not need
any external input to operate". A passive system is "Either a system which is
composed entirely of passive components and structures or a system which uses
active components in a very limited way* to initiate subsequent passive
operation". The asterisk on "limited way" refers to Appendix A of the
TECDOC, which provides some typical additional criteria that may be imposed on
the initiation process:
Energy must only be obtained from stored sources such as batteries
or compressed or elevated fluids, excluding continuously generated
power such as normal AC power from continuously rotating or
reciprocating machinery;
Active components are limited to controls, instrumentation and
valves, but valves used to initiate safety system operation must
be single-action relying on stored energy; and
manual initiation is excluded.
Issues in Drafting of the TECDOC Descriptions
Early drafts of the TECDOC utilized the no-moving-parts concept in the
description of a passive component, but with a footnote which listed
exceptions such as rupture disks, safety valves, check valves, and the like,

24
each of which was considered passive by at least some of the consultants.
This approach turned out to be unsatisfying, both because there was
disagreement as to whether a specific component such as a check valve should
be included in the list of exceptions, and because the list of exceptions
appeared to be somewhat arbitrary and perhaps incomplete; i.e., no good
criterion for permitting exceptions seemed to exist. Some of the discussion
of specific components, such as check valves, brought out that the component
may have low reliability, and its acceptance as passive was questioned for
that reason. Further discussion led to the acceptance of passive vs. active
as descriptive only of the principle of operation, without necessarily
implying any judgement of reliability. Even so, the concept of no external
input eventually was preferred for the description of a passive component.
The principal difficulty with the "external input" concept arises from
the interpretation of the word "external", especially how it relates to the
boundaries drawn to-define a component and a system. If one chooses to define
any particular system sufficiently all-inclusive, all component inputs could
be said to be internal to the system, and systems normally considered active
would fit the description of passive. For this reason, the description of a
passive system was formulated in terms of consisting of passive components,
rather than directly in terms of external input to the system. This led to
the further question of whether it might not be desirable to develop a further
term and description for certain systems which appear to the outside observer
to have all the properties of being passive, but which on close examination
are found to utilize active components. Several drafts of the TECDOC included
the description of such automatic systems under the term "self-acting system";
i.e., without explicitly using the word passive. This description was finally
deleted from the TECDOC as it was thought that self-acting was not widely
used; as discussed in the penultimate paragraph of the Introduction to the
TECDOC, it was desired to avoid the coining or promoting of new terms throuch
the TECDOC. Nevertheless, from the point of view of human factors
engineering, such self-acting systems exhibit the distinctive feature of
passive systems of not requiring human intervention.
Advanced designs which have been termed "passive plants" are under
development in the United States and to some extent also in other countries.
These designs make much greater use of passive safety systems and therefore
represent important lines of further development. They do not, however, use
purely passive components exclusively for all safety functions; to attempt
such use would be extremely difficult or perhaps impossible and would probably
not be desirable in terms of the overall performance of the designs. Some of
the safety systems of these designs use external signals in certain limited
ways to initiate their subsequently purely passive operation; this is covered
in the IAEA description of a Passive System in general terms and is described
specifically in Appendix A of the TECDOC under the heading of Category D. The
philosophy underlying this, as discussed in the Appendix, is that a spectrum
of possibilities exists between passive and active, rather than an absolutely
sharp and clear dividing line. Although the Appendix describes four different
categories of passive systems, these were considered illustrative only, and
the possible existence of additional categories was indicated.
Subsequent Thoughts
After the drafting of the TECDOC, the author became aware of the fact
that in automobile safety in the United States, the term "passive" is now
formally and legally defined as automatic; i.e., as synonymous with the term
"self-acting" as described previously. For example, automobile insurance
discounts are offered for Passive Restraints or Passive Belting Systems, which
are defined only as automatic and which have numerous electrical and
mechanical components that are actuated and powered through means external to
the systems. This suggests that an additional Category E could be added to

25
the Appendix of the TECDOC for this kind of system, as being in the
intermediate zone between fully passive and fully active.
The advantages and disadvantages of passive safety from the point of view of
the designers of passive plants is becoming clearer, as more experience is
gained with the design and licensing of plants utilizing passive safety
systems. The most-important advantages are that passive systems are not
vulnerable to external failures, such as failures of power sources, and that
they are less subject to human errors of omission. They also can be designed
for less need of operator intervention during accidents (longer grace periods)
and usually permit greater simplification. A still unresolved licensing
question in the United States is whether active systems performing safety
functions need to be safety grade, if they are backed up by passive systems on
which ultimate reliance for safety is placed. Countervailing disadvantages of
passive systems as opposed to active ones include weaker driving forces which
result in quantitative uncertainty in flows and perhaps just enough safety
action rather than generous margins, more difficulty and time to restore
normal operation after their actuation, bulkier equipment within containment,
in some cases better protection of the public than of the plant investment,
and in some cases inherent limits on the unit size of reactor if the effective
functions of passive safety are to be retained.
When passive safety began to be strongly promoted a few years ago, it
was also generally offered as a means to enhance public acceptance of nuclear
powerplants. The work of Bisconti'8' has shown that the public reaction in
the United States to passive safety systems is more negative than positive.
It is thought that rather than associating this term with its technical
advantages, the public perceives it as identified with lazy, lethargic, or
doing nothing, and probably feels that active protective measures should be
undertaken in the event of an accident.

Concluding Remarks
Some passive components and systems have been used in nuclear reactors
since the earliest reactors built; there can be no question about the
feasibility of most such applications. In recent years, proposals have been
made for new, radically different, and much broader applications of passive
safety systems. Although questions of feasibility may credibly be raised with
respect to some of these proposals, it is thought that on the whole most such
applications are technically feasible and that the more important issue is
whether such applications are technically and economically justified in
comparison to alternatives employing less or even no passivity.
The different categories of Appendix A of the TECDOC were intended to
illustrate the concept of the spectrum of possibilities from passive to
active; they were not intended to be (and are not) either all-inclusive or to
be used for applications such as categorization of specific systems. Such
categorization could be misused for promotional purposes or even worse, as
regulatory considerations. Passive safety should be viewed as an engineering
tool -- one of a number of possible solutions to an engineering problem, not
necessarily the only or the best one. Passive safety should not become an
engineering or regulatory objective for its own sake. Hence, a fully passive
plant (e.g., relying only on the highest or higher categories of passivity of
Appendix A) may not even be desirable -- even if achievable, which is very
doubtful.
The best use of passive safety systems appears to be for ultimate
protection; the first line of defense is usually better served by the systems
used for normal operation, which are usually active systems.

26
 ACKNOWLEDGEMENT

The author is indebted to Mr. Trevor Cook for very useful discussions,
particular with regard to the advantages and disadvantages of passive systems.

REFERENCES

1. IAEA-TECDOC-626, "Safety related terms for advanced nuclear plants",

IAEA, Vienna, September 1991.
2. Buerkle, W. and Braun, W., "Inherent Safety Features of Advanced Light
Water Reactors", Proceedings of IAEA Conference on "Nuclear Power
Performance and Safety", Vol. 4, p.538 (1988).
3. Nagasaka, H. et al., "Study of Natural Circulation BWR with Passive
Safety", Proceedings of the International Topical Meeting on Safety of
Next Generation Power Reactors, p.153, American Nuclear Society (1988).

4. Lang, P. M., "A Discussion of Definitions and Usages of Terms Implying

Highly Desirable Nuclear Safety Characteristics", Proceedings, Technical
Committee Meeting on Definition and Understanding of Engineered Safety,
Passive Safety and Related Terms, Vasteras, Sweden, 30 May - 2 June,
1988, p.147.
5. Forsberg, C., "Implications of Passive Safety Based on Historical
Industrial Experience", Ibid., p.120.
6. Aritomi, M. and Tominaga, K., "Definitions of Safety-Related Terms",
Ibid., p.84.
7. Voznesensky, V. A. and Fyodorov, V. G., "Basic Theses and Terms of
Concepts of Light-Water Reactors with Improved Safety in the USSR",
Ibid., p.154.
8. Bisconti, A. S. and Livingston, R. L., "Speaking about Advanced Designs:
Simple is Best", Nuclear News, Vol. 32, No.11, p.46 (September 1989).

£¡
 OPERATING EXPERIENCES WITH PASSIVE SYSTEMS AND
COMPONENTS IN GERMAN NUCLEAR POWER PLANTS

M. MAQUA
Geselschaft für Anlagen- and Reaktorsicherheit, XA9743156
Cologne, Germany

Abstract

Operating experience with passive systems and components is limited to the equip-
ment installed in existing NPPs. In German power plants, this experience is available
for equipment of the IAEA categories A, C and D. The presentation will focus on typi-
cal examples out of these three categories. An overview will be given on the number
of reported events and typical failure modes. Selected failures will be discussed in
detail.

Regarding piping in PWRs and BWRs about 123 defects in nuclear heat generation
and reactor auxiliary systems were reported in the German national event reporting
system. The analysis of defects in piping with small diameters shows no differences
between PWRs and BWRs. At least 7 ruptures occurred in pipes with small diameters.
Most of the defects have been through-wall cracks with subsequent leakage. The be-
haiviour of pipes with large diameters is different in BWRs and PWRs. In PWRs very
few defects were detected in pipes with large diameter. In BWRs pipes with large di-
ameter were affected too. In BWRs two main areas of concern have been reported:
defects at WB-35 pipes and cracks in the heat affected zones near welds in austenitic
pipes. Through-wall cracks with subsequent leakage did not occur. The overall operat-
ing experience with piping in safety systems shows the validity of the design assump-
tions and low failure probabilities.

The evaluation of operating experience shows that the reliability of check valves and
butterfly valves are within the expected range. But, reported events reveal specific
problems of these components, eak tightness and mechanical failures of check valves
and butterfly valves are major points of interest.

Recently, significant degradation occurred in the diverse thermal actuation mechanism

of fire dampers. These defects highlight the importance of regular inservice inspec-
tions of so-called "passive" actuations.

The scram system is another area of passive actuation of systems. Only about 30
events have been reported in the German reporting system regarding deficiencies in

29
control rod drop or possible precursors. Only 2 events occurred where single rods
were not inserted. Main contributors to deficiencies in the scram system were
leakages and failures in hydraulic actuation system in BWRs as well as rupture of con-
trol rod pins in PWRs.

The operating experience indicate high reliability of passive safety systems and com-
ponents. The events reported in the German event reporting system reveal some pos-
sible common cause failure mechanisms for different components. The importance of
regular in-service inspections has been highlighted by some events.

1 Introduction

The reliability of passive safety systems is often assessed higher than that of active
systems. The evaluation of operating experience can be used to verify this assump-
tion. Operating experience is limited to those systems and components already in-
stalled in existing NPPs.

Operating experience of German light water reactors was evaluated regarding re-
ported events with degradation of passive components. These components belong to
the IAEA categories A, C and D. The presentation will focus on typical examples of
these three categories.

The presentation is based on the German licensee event reporting system. The re-
porting system is not intended to provide reliability numbers. But, the qualitative
evaluation can give hints on the reliability of these passive components. The events
reported are focused on safety systems, therefore the valuation is limited on compo-
nents installed in these systems.

Based on the events reported in the German event reporting system was evalutaed
regarding the number of degradations of passive components and the type of the fail-
ures. The components evaluated were pipes and valves. In addition, degradations in
the fail safe scram systems were investigated.

2 Operating Experiences with Piping in German LWRs

The reported events were evaluated regarding defects in piping IM. The period of in-
vestigation covers the period from 1974 to May 1994. The former East German reac-
tors were not considered.

30
The investigation was further limited by some missing information. Several reports did
not contain the diameter of the pipe or the exact cause. In single event reports the lo-
cation of the deficiency was not described in detail. In these cases assumptions have
been made e.g. whether the deficiency was located in the pipe or at the stud of the
vessel.

Table 1 summarizes the data base of the investigation. For PWRs, fifty-six events
have been reported. Twenty deficiencies have been in the nuclear heat generation
systems, thirty-six events dealt with deficiencies in reactor auxiliary systems. The re-
sults of the investigation regarding BWRs are similar. Overall, fifty-nine events have
been reported, twenty-nine in the nuclear heat generation systems and thirty events
occurred in the reactor auxiliary systems.

With respect to the number of plants (14 PWRs and 7 BWRs) and their start of opera-
tion, the number of events reported per plant and year can be calculated. Regarding
the above mentioned limitations of the data base, the general behavior of piping in
PWRs and BWRs is comparable. The result of more detailed investigations is given in
the tables 2-7.

The operating experience of systems regarding piping are not significantly different
between PWRs and BWRs. The main causes for cracks respectively ruptures have
been fatigue, corrosion and manufacturing deficiencies for PWRs and additionally for
BWRs the combination of corrosion and manufacturing deficiencies. Through-wall
cracks with leakages contributed most to the relevant failure modes in PWRs. These
cracks occurred mainly in piping with small diameters (Tab. 6). In German BWRs
through-wall cracks were the main failure mode for piping with small diameter. In pip-
ing with large diameters crack indications were detected in austenitic material.

Table 1 : Systems Evaluated Regarding Piping Events

System

PW8 NHGS* 20 0.15

RAS* 36 0.18
BWR NHGS 29 0.24
RAS 30 0.24

NHGS« Nuclear Heat Generaton System, RAS« Reactor Auxiliary Systems - (Events reported until May 1994)

31
Table 2: Causes of Reported Cracks and Ruptures*

Cause : mm , - \• . sw« i
Fatigue 26% 15%
Corrosion 16% 22%
Erosion 2% 7%
Manufacturing 28% 20%
Corrosion + Manufacturing 3% 26%
Fatigue + Manufacturing 9% 3%
Fatigue + Corrosion 2% 2%
Cause not reported 14% 5%
Events reported 64 59

* Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

Table 3: Reported Failure Modes*

Failure Mode \ PWH BWS

Rupture 0% 2%
Rupture with leakage 5% 5%
Crack 6% 34%
Crack with leakage 86% 56%
Leakage 3% 3%
Events reported 64 59

* Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

Table 4: Affected Piping Material*

Material PWft mm
Austenitic Steel 73% 63%
Ferritic Steel 5% 27%
Nickel basis alloy 2% 0%
Others 6% 7%
Not reported 13% 3%
Events reported 64 59

' Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

32
Table 5: Location of Failure*

Location ; PWR mm xjx

Basis material 30% 39%
Weld 67% 58%
Flange/Seal 3% 3%
Events reported 64 59

' Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

Table 6: Diameters of Pipes Affected in PWRs*

Diameter Craok Rupture Others

ND^15 25% 3% -
15>ND^25 11 % 2% -
25>ND^50 13% - -
50>ND^100 14% - -
100<ND;>250 3% - 3%
ND > 250 2% - -
Not reported 24% - -
Events reported 59 3 2

' Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

Table 7: Diameters of Pipes Affected in BWRs*

Dtarneier Crack Rupture Others

ND^15 14% 3% -
15>ND^25 14% - -
25 > ND £ 50 - - -
50>ND¿100 5% - -
100<ND^250 7% - -
ND > 250 14% - -
Not reported 37% 3% 3%
Events reported 53 4 2

' Only Nuclear Heat Generation Systems and Reactor Auxiliary Systems - (Events reported until May 1994)

33
With respect to the piping material austenitic steel was mostly affected. In BWRs fer-
ritic steel piping contributed significantly. Two generic issues occurred in German
BWRs regarding piping: Cracks in WB-35 as well as cracks in titan-stabilized austeni-
tic steel. Weld areas including the heat affected zones contributed about 60 % to the
reported German events with pipe failures. The manufacturing deficiencies mentioned
above occured at the weld area.

In general, there is no need to reveal the assumptions used in PSA. For German
BWRs the goal and scope of in-service inspection have to be revised.

3 Operating Experience with Passive Components in German

NPPs

Three types of passive components are discussed in depth: Check valves, butterfly
valves and fire dampers. It must be considered that these components are not really
"passive" but acting without auxiliary supply systems like electrical or instrument air
systems. Generally, the reliability of these passive components are significantly lower
than those of structural elements. The analyses presented here are based on re-
ported events in the German event reporting system. These events alone are not suf-
ficient to set up reliability numbers.

Four different types of failures have been considerd for valve deficiencies. The failures
to open and the failures to close, respectively, take into account deficiencies in the ac-
tuation of the valve, e.g. solenoid failures. Mechanical failures are deficiencies of
valve internals, e.g. fastening bolts of flaps. Internal leakages are categorized as
"leakage". These four categories are used in figure 1 and figure 3.

3.1 Check Valves

Regarding check valves, two major types of defects have been reported:

Internal leakages

Mechanical failures

The results are shown in figure 1. There are remarkable differences between the oper-
ating experience of check valves (or butterfly valves) in standby systems and operat-
ing systems, respectively. Open check valves in operating systems fail significantly

34
 Mechanical Failure
40%

Failure lo dose
14%

Fig. 1 : Type of check valve failures reported

43 check valves affected

more often, especially due to flow induced vibration, than check valves in standby sys-
tems. These check valves are closed in normal operation.

The distribution of check valves failures with respect to their systems (see figure 2)
shows that check valves of the feedwater system contribute at most. The other valves
are mainly installed in stand-by systems.

3.2 Butterfly Valves

The amount of butterfly valve deficiencies reported is comparable to those of check

valves. Mechanical failures were the main defect (figure 3).

At least six-teen (of thirty-eight reported) butterfly valves failures were caused by
loose flaps in the pipes due to insufficient fastening. Cracks respectively ruptures of
bearing bolts were another major failure type. Figure 4 shows the systems which were
affected by the butterfly valve failures.

3.3 Fire Dampers

Fire dampers in ventilation ducts are part of the structural fire protection measures.
They prevent the spreading of fires through the ventilation system to other fire zones.
Closing of fire dampers has to be regarded as a single measure within the fire protec-
tion concept. This concept takes also into account non-closing of individual fire damp-
ers without significant degradation of the system function.

35
 Failure to close
16%
Mechanical failure
63%

Failure to
open 5%

Leakage
16%

Fig. 2: Systems affected by check valve failures

Low Pressure Safety Injection System

7% High Pressure Safety Injection System
Power Supply for Shutdown
System 7%
Residual Heat Removal
System 16%

Others 9%
Feedwater S'
33%
Emergency Diesel
Generator 7%

Main Steam System

Emergency Feedwater System 9% 5%

Fig. 3: Type of butterfly valves failures reported

38 butterfly valves affected

Main Steam Sys'^Ti

24% Feedwater System
18%

Cooling Water
System 29%
Other Systems
24%
Residual Heat Removal System 5%

Fig. 4: Systems affected by butterfly valve failures

36
It should be mentioned that structural fire protection components are not licensed and
supervised by the nuclear regulatory authorities, but that authorities and testing facili-
ties are involved which usually supervise the application of fire protection components
in industrial plants and conventional buildings. Therefore the licensing process and
supervision is not equivalent to the procedure applied on safety systems of nuclear
power plants.

The first malfunction of the thermal actuation mechanism was detected during the an-
nual inspection of fire dampers located in the ventilation system for controlled areas in
one NPP. During this inspection the function of the electrical remote actuation and the
manual actuation were checked, and a visual inspection of the inner and outer parts
of the dampers was performed. The visual inspection revealed deficiencies at the ther-
mal actuation mechanism of one fire damper. To prove proper function the fusible ele-
ment was removed, but the damper disc did not close.

At subsequent tests of the thermal actuation mechanism at 652 fire dampers in this
NPP 109 dampers showed the same deficiencies with identical cause. It should be
mentioned that all fire dampers affected closed properly at the previous check of the
electrical and manual actuation.

Following this incident, GRS recommended inspections of the thermal actuation

mechanism of fire dampers at all nuclear facilities in Germany. During these inspec-
tions further malfunctions were detected, including different types of fire dampers from
several manufacturers. In total, up to May 1994 deficiencies were found in 8 NPPs
and in one reprocessing plant. 9 different designs from three manufacturers are af-
fected. Most of the deficiencies identified are systematic failures. However, some of
the malfunctions can be regarded as single failures.

Although a variety of designs is affected, some common aspects have been observed.
Up to now following root causes are identified:

• The designs of the thermal actuation mechanisms of the affected fire dampers are
not robust enough. Minor irregularities in manufacturing and installation, or the op-
erating conditions can result in malfunction.

• There are indications of deficiencies in the quality assurance process. It seems

that the fire dampers are not tested as a whole by one institute, but that different
parts and functions are examined by different testing facilities. A further problem is

37
 that the combination of electrical remote and thermal actuation is almost exclu-
sively applied in NPPs and therefore no experience is available from conventional
facilities, which could have been of use for quality assurance.

• Appropriate in-service inspections were not performed in the past. The thermal ac-
tuation mechanism was usually not tested by actually melting the fusible element,
but by removing it manually or even only by optical inspection. These inspections
have been proved to be not sufficient.

4 Operating Experiences with Shut-Down Systems

Shut-down systems of PWRs and BWRs are differntly designed. In PWRs The operat-
ing function and the scram function are performed by operating in German NPPs have
two different driving systems:

The control rod drive mechanism in PWRs is a magnetic jack assembly which ensures
a step by step motion during operation and the scram function. The drive mechanism
in BWRs consists of a motor-driven operational system and a hydraulic scram system.
The scram functions of both reactor types is designed according the "fail-safe" princi-
ple. With respect to the IAEA category D the operating experience of the fail-safe sys-
tem was evaluated for this report. Three different failure modes were taken into
consideration:

Scram function was not available or potentially not available (precursors),

defects in the Actuation mechanism, and

defects in control function.

The overall experience of the "fail-safe" part of the shut-down systems in German
PWRs and BWRs is excellent. Nevertheless, significant differences in the deficiencies
detected can be revealed between PWRs and BWRs. These differences are based on
the different actuation principles.

For German PWRs only ten events have been reported. The various failure modes
(see figure 5) do not show any significant main deficiency. German BWRs experi-
enced twenty-five events (figure 6). The hydraulic actuation system was the main con-
tribution. But, there was no event that affected more than three rods at a time. A
remarkable event revealed possible ageing of Teflon seals in valves of the hydraulic
actuation system. The regular inspections have to consider this effect.

38
 Rupture of Prolonged Rod
Pins 40% irop Time 20%

Swelling of Pins'
10%
Uncomplete
Insertion 30%
Breakers 10%
10 events reported

Fig. 5: Reported failures and precursors which could have prevented control rod
insertion (PWR)

Hydraulics 32%

Mechanics
4%

Poison
Curtain 4%

Leakage
36% Cracks in
Control Rod
20%

25 events reported Dirt 4%

Fig. 6: Reported failures and precursors which could have prevented control rod
insertion (BWR)

5 Conclusion

The operating experiences of passive system respectively components was analyzed

with respect to the IAEA categories A, C and D. Basis of the analyses were the re-
ported events in the German event reporting system. Reliability numbers cannot be
drawn only from events. But, it may be concluded that the reliability numbers are well
in the determined range used in risk studies.

The overall experience with passive system and components is excellent. But, There
may be one general area of interest which has to be highlightened. Several events re-

39
veal degradation of components which were not detected in time (i.e. before a failure
occured). This was caused by too long inspection periods or unsufficient inspection
extent. Examples of these in-service inspection deficiencies are the non-destructive
tests of austenitic pipings as well as the functional tests of butterfly valves and fire
dampers.

REFERENCE

IM Bienussa, K., Reck, M.

Evaluation of Piping Damages in German Nuclear Power Plants Presenta-
tion on the 20th MPA Seminar, October 6 - 7, 1994

40
EXAMPLES OF PASSIVE SAFETY
SYSTEMS/COMPONENTS

(SESSION II)
 PROBLEMS AND CHANCES FOR PROBABILISTIC XA9743157
FRACTURE MECHANICS IN THE ANALYSIS OF STEEL
PRESSURE BOUNDARY RELIABILITY

M. STAAT
Forschungszentrum Mich GmbH,
Institute for Safety Research and Reactor Technology,
Jülich, Germany

Abstract

It is shown that the difficulty for probabilistic fracture mechanics (PFM) is the general problem
of the high reliability of a small population. There is no way around the problem as yet.
Therefore what PFM can contribute to the reliability of steel pressure boundaries is demon-
strated with the example of a typical reactor pressure vessel and critically discussed. Although
no method is distinguishable that could give exact failure probabilities, PFM has several addi-
tional chances. Upper limits for failure probability may be obtained together with trends for
design and operating conditions. Further, PFM can identify the most sensitive parameters,
improved control of which would increase reliability. Thus PFM should play a vital rôle in the
analysis of steel pressure boundaries despite all shortcomings.

1. Introduction: The Problem for Probabilistic Fracture Mechanics

In predicting the failure pressure for 134 longitudinally flawed pipes and vessels with four en-
gineering methods the 'best' method was within ±10% (±20%) in only 40% (60%) of all cases
/!/. This poor result can only partly be attributed to the concepts used and their mathematical
formulations. The other reason is the large uncertainty introduced by insufficient material
characterisation and a lack of control over the many influences, Since most of these uncer-
tainties are of a stochastic nature one could expect probabilistic fracture mechanics (PFM) to
resolve the problem. Unfortunately this is only possible in a narrow sense to be explained in
the present paper. In terms of failure probability P f any computation must be poor in principle
if Pj-is small as is best understood from Fig.l.

In probabilistic structural or fracture mechanics a generalised reliability index /?E may be

computed with an accuracy similar to that expected for the deterministic prediction of a safety
factor. Transforming /?E to failure probability P,= O(-/?E), where 0 is the standard normal dis-
tribution function, is very sensitive and strongly amplifies any error if the reliability is high.
Predicting ßE = 5 within ±10% yields Pf= 1.9'10"8...3.4-10'6. Thus for close bounds of ßE even
the order of magnitude of Pf remains questionable. Moreover, actual failure often results from
gross errors in design, production or operation and may not be adequately treated probabilis-
tically. However, problems are small for small reliability because ßE = 2 within ±10% yields
Pf=1.4-10-2...3.6'10-2.

Assuming that /?E is in any way more precise than Pf would be a complete misunder-
standing. Both are mathematically equivalent since the transformation is one-to-one and thus
ßE = -O"I(Pf). The deterministic safety factor as a reliability measure gives no quantitative an-
swer and is sometimes even qualitatively wrong. It is not generally order-preserving i.e. a
component with a lower deterministic safety factor may be more reliable. This is because the
deterministic safety margin does not contain the uncertainty and the different behaviour of
different failure modes. A convincing and easy-to-follow textbook example of the limit analysis
of a portal frame is given in /2/ on pp. 139-141.

43
 Fig. 1. Failure probability vs generalised reliability index.

Only under the conditions of mass production or an otherwise huge population of suffi-
cient homogeneity may reliability be evaluated by the statistical treatment of direct observa-
tion. The direct observation of failure probabilities of non-nuclear pressure vessels and the
transfer to nuclear ones poses further questions. But a few conclusions have been drawn /3/.
Note as additional comment that the population is necessarily small and of older design and
production with little knowledge of properties, operation history, and homogeneity of popu-
lation. The sensitivity observed in parameter variations in PFM calculations indicates that ho-
mogeneity is highly questionable and that failure statistics hardly apply to just similar compo-
nents. The decrease of Pf with improved design and quality control or its increase with
particular service conditions such as stress corrosion cracking or neutron irradiation cannot be
assessed by direct observation. Experimental verification of low Pf must be excluded by com-
parison with the effort of numerical experiments known as Monte Carlo Simulation (MCS).
Even these numerical experiments are hardly feasible without limiting their number by some
variance reduction, by Importance Sampling (IS) or Stratified Sampling /2/. The basic problem
of small Pf of a small population persists. If Pf is assumed to be in the order of P and no var-
iance reduction can be employed the number of (numerical or real) experiments may be esti-
mated to be N = (l-P*)/(e 2 P*) where e is the desired relative error /2/. Therefore 106 exper-
iments (or simulations) are needed to prove P = 10 within +100% (i.e. e= 1 just to check the
order of magnitude). The formula says that one failure is expected in 106 experiments which
may or may not occur. It also says that a prediction within +10% needs 10 simulations.

It therefore becomes necessary to investigate the possible contribution of computational

probabilistic fracture mechanics (PFM) to the assessment of the reliability of passive compo-
nents which are not mass products in a positive manner. Despite the provoking section title
there is no particular problem for PFM but rather a problem of high reliability of a small
population. It is a vicious circle: collecting strength data is equivalent to observing the reli-
ability of the tension specimen. If the population is too small it is too small for both activities.

44
2. Numerical Method

The failure function (limit state function) g(x) of all variables (basic variables) x=(a, a/c, K. ,
RF, C, a , <7s)T used in the fracture mechanics model is defined such that g(x)<0 in case of
failure, and g(x)>0 otherwise. Since all basic variables x are uncertain they may be treated as
stochastic variables X with the joint cumulative distribution function FX(X). Then the failure
probability Pf is the probability that g(x)<0, i.e. Pf = P(g(x) < 0). It is computed with a code
which was developed starting from the ZERBERUS code using FORM/SORM /4/,/5/.

If X = (Xj,X 2 ,...) T is independent but not normally distributed, the reliability problem is
transformed into the space of independent standard normally distributed variables
U = (U1,U2,...)T. The point u* on the failure surface g(x)=h(u) = 0 closest to the origin is called
design point. The transformation is derived from the condition #
F.(x.)
*
= <I>(u.)
1
on the marginal
distribution F.(x.). Assuming the failure surface is smooth, u is computed iteratively with the
^ I 1 . . * . . *
Rackwitz-Fiessler algorithm. The design point u in standard normal space is u = - / ? « ,
where the absolute value of the reliability index ß is the local minimum distance from h(u) = 0
to the origin, and a is the unit normal to the failure surface in u . Then:

• the failure probability Pf = O ( -ß ) is obtained using a linear approximation of h(u) = 0 in

FORM (a quadratic approximation in SORM).
• the design point x is obtained from u by inverse transformation. Its components are the
values assumed by the stochastic variables at the most probable point of failure.
• the sensitivity factors are the components of a, and are a measure of the influence produced
by the individual stochastic variables on failure probability.
• Pf may be improved by MCS with IS around the design point, its numerical error esti-
mated, and the design point checked.

The latest major structural changes of the code, which are relevant for the present calcu-
lations, are the completed implementation of pre-service and in-service inspection (PSI and
I SI). The variables of crack depth and shape may become dependent after inspection and a
Rosenblatt transformation /2/ is used to transform these variables into standard normal space.

3. Analysis Conditions for a Reactor Pressure Vessel

The Japanese round robin /6/,/7/ may serve as an appropriate starting point since it already
gives some flavour, of the problems and chances for PFM. However, it becomes necessary to
extend its limited stochastic approach at least gradually to some material data. Similarly, its
linear elastic fracture mechanics (LEFM) approach must be extended to an elastic plastic
analysis. The beltline portion of a typical reactor pressure vessel is analysed as a plate of
thickness t = 200mm and width 2b= 12.6m using the design data taken from /8/. All necessary
data is also given in /6/,/7/ and will not be repeated here.

3.1 Failure Criteria

The fracture and leak criteria given in /6/,/7/ must be completed and modified from /9/ yielding
a 'break' probability which could be more appropriately called failure probability

= P(° > «2») • 0)

45
It is the probability that the crack opening stress a exceeds the critical stress a2D of a semi-
elliptical surface crack. Instead of the simple leak criterion yielding
P
leak = ( ^ °-8/
P a and a
< °2D and kjc> \) (2)

an upper bound is used

P80 = P ( a > 0 . 8 / ) > Pleak . (3)
This is the probability that the crack will penetrate 80% of the wall. In /6/,/7/ eq. (2) was used
but only the reduced condition in eq. (3) was given /9/.
With these definitions the RPV shows leak-before-brcak behaviour (LBB) in a probabilistic
senseifP
break < P leak i - e ' i f
Pf< Pleak • W

Here the less demanding condition

Pf<P*0, (5)
is used although it should be noted that other definitions may be more rational but also more
critical /9/. For P. k ~P b k, no definite conclusion can be drawn since the calculated proba-
bilities are uncertain due to unavoidable deficiencies in both the modelling and data base.

3.2 Material Data

Fatigue crack growth and fracture toughness KIC at 300°C is treated deterministically in /6/,/7/
but gradual decrease due to thermal ageing
r 135 MNm~3/2 for t < 14.5years
IC (
l 145.95- 9.43 log,,,/ for t > 14.5 years >

and neutron irradiation

r 135 MNm~312 for F(t) < 0.361
/c (7)
~ l 3.29 -118.71 F~°]02 for F(t) > 0.361 '

where F is neutron fluence (I019ncm"2), is taken into account. "It should be noted here that the
chemical contents of the material tested were slightly modified for an acceleration study of
thermal ageing phenomena, and that the above K{C values seem somewhat lower than actual
values of operating power plants..." /?/. Therefore the given decrease is unlikely to hold for
standard A533 Grade B Class 1 (Germany: 20MnMoNi55, France: 16MND5) material and
cannot be transferred to the stochastic treatment of data.

At 300°C the mean values ± standard deviation for K,c are taken from /8/
KIC = 202 ± 49MNm~312 , (8)

and for the flow stress cr = 0.5(R p02 + Rm) from /5/
aF = 485 ± 23Armm~2 . (8)

The standard deviation of Kjc seems conservative for modern steel production. That of of is
perhaps a little optimistic. A Weibull and a normal distribution are used for both in turn.

46
3.3 Crack Size and Shape

All cracks found in /8/ are converted in a conservative manner to the uniform type of internal
semi-elliptical surface crack. The depth a of cracks caused by manufacture was derived from
experience with non-nuclear vessels to be exponentially distributed with the density
f — 1 -*-a (Q\
J(a) ~ A pe , \7)

where X = 0.161 mm"1, /3/,/8/.

The crack length 2c is introduced through the geometric ratio c/a as a shape variable. A
lognormal distribution with the density
, i ¡ ln(c/a) - m \ 2
l
f(cla) = ^ e-2(——5——; , (10)

where m= 1.336 and a = 0.538, is assumed in /10/.

Crack size and shape are modified if all cracks found by PS I are repaired (introducing no
new cracks). The probability of non-detection PND(a) giyen ¡n ¡61,111 is completed from /10/
yielding

, (11)
A
where erfc is the complementary error function and

A — a min{2c, DB] , A = a DB .
Here Dß = 25.4mm is the diameter of the ultrasonic beam, £ = 0.005 a residual chance of over-
looking deep cracks, and a* is the crack depth at which PND = 0.5. This equation poses some
problems for FORM/SORM since a and c/a are dependent after inspection. Alternatively

PND(a) = * + O-«) e~"a , (12)

from /8/ is used with ¿t = 0.1 134 mm"1 (corresponding to a* = 6. 11 mm) and the same t. This
widely used function has the disadvantage that the chance to detect a crack becomes inde-
pendent of its length 2c.
Clearly e.g. crack depth is defined only up to wall thickness t, thus 0<a<t. Therefore all
densities are truncated and normalised for finite lower and upper bounds of their arguments,
resulting in the densities given in /6/,/7/ for the above equations. Further truncation may be-
come necessary since limit load solutions are given in closer ranges in the literature. No corre-
lation between the above stochastic variables is assumed before inspection.

4. Computations for a Reactor Pressure Vessel

The comparison with /6/,/7/ is also a comparison of methods. FORM/SORM gives more in-
sights by providing design points and sensitivity factors as additional information about the
problem. All probabilities refer to one crack, and no residual stress due to welding is considered
in the calculations.

47
4.1 Crack Size and Shape as Deterministic Variables

Crack growth is the only reason for Pf increasing with time if K.c is constant in an LEFM
analysis. Fig. 2 shows the FORM and SORM results together with the seven different MCS
(with IS or mostly Stratified Sampling) in /6/,/7/ for years of operation under design conditions.
Both FORM and SORM are sufficiently accurate; the SORM solution seems to be closer to
the majority of the computations. It should be pointed out that the FORM/SORM solutions
may change slightly with starting point and with convergence of the optimisation whereas the
MCS results may improve with the number of samples. Similarly FORM/SORM solutions may
be improved by IS around the design point. In practice, one is content if Pf is found within a
factor of two and P,ea|c within a factor of five /6/. If K]C is varied as a deterministic parameter
it is found that P. . is about one order of magnitude less than Psn at K i r = 135MNm~ 3 / 2 and
5/2
leak' Pgo at K I C = 200MNm" /9/. It has become clear by now that one is interested only in
orders of magnitude. Thus FORM results are sufficiently accurate for all computations to fol-
low.

1E-06n
—•FORM
u
E
u
SORM
CO
Round-Robin M C S
JO
a
,£>
1E-07-

O
»*—
SD

J2
=3
E
=3
O

1E-08- I i i
5 10 15 20 25 30 35 40
Operation years

Fig. 2. Time histories for Pf of the RPV for different methods of computation.

The idea in /?/ of using PFM in a criterion for life-extension judgement is as follows:

• First, compute P, at design life from the design loads, operating conditions and material
data. Define this Pfdesi as design criterion.
• Second, compute the time from start of operation until the designed Pfdes¡ n is reached
under the actually measured loads, operation conditions and material data. This gives a
new time until end-of-life (EOL).

This idea is used to discuss the effects of reduced neutron fiuence F (by measurement or by
leakage reducing fuel-charging schemes) and of different intervals for ISI. ISI may change Pf

48
only if followed by repair. This is possible for the RPV in principle as recently demonstrated
by the FÉNIX project for the twenty-year-old Unit 1 at Oskarshamn, Sweden /I I/ (actually the
RPV itself was found to be free of cracks). For obvious reasons the frequency of such repairs
cannot be high.

Here an 'old design' with F(40years)=3'10 ncm is compared with an 'evolutionary de-
sign' with F(60years)= M019ncm~2 according to the limits set in /12/. The decrease of KIC and
increase of P f is shown in Fig.3 and Fig.4 for the two designs together with the effect of thermal
ageing. Note, that the time scale is lost and the two effects cannot be compared if one does not
specify a designed lifetime. The above comparison may be used with any kind of ageing passive
component. From the flat slope, the lack of data, and the sensitivity of the prediction it should
be clear that no sharp time may be given but necessary actions may be indicated. The situation
is not very different in deterministic lifetime predictions.

r-,140n
CM

120-

' *s,1
— No decrease V.

«•*. .

110-
— Thermal ageing
- - Neutron Irradiation
Reduced Irradiation

100- • i i i * i ' i * i * i
C) 10 20 30 40 50 61
Operating years

Fig. 3. Decrease of Kic with ageing and different irradiation conditions.

Results of PFM similar to those in Fig.4 may be interpreted differently if one is not pri-
marily interested in lifetime predictions. They actually show the possible loss or gain in reli-
ability for different scenarios. Since both interpretations use only relative changes the absolute
values of Pf may be in error. Parameter variations and different stochastic assumptions should
be used to discover whether these relative changes are stable.

4.2 Material Data as Additional Stochastic Variables

Assuming a Weibull distribution, but compensating by lifting K,c to the usual values, changes
Pf only slightly in an LEFM analysis, see Fig.5. Modelling effective PSI can reduce Pf by one
or two orders of magnitude. The optimistic PSI model in eq. (12) may compensate the pessi-
mistic distribution f, „ eq.(9) leading to an overall realistic statistical modelling according to

49
 1E-05n

.IE-06-
o
o

Pf, no decrees«
i IE-08-
15 — Pf, thermal ageing
E
21E-09- - - Pf, neutron Irradiation
Pf, reduced Irradiation
| 1E-10-
i — P80
3
1E-11-

1E-12-
10 15 20 25 30 35 40 45 50 55 60
Operating years

Fig. 4. Increase of Pf with ageing and different irradiation conditions.

/13/. With the p used there is a 50% chance of finding 6.11mm deep cracks. Obviously the
function used for modelling PND has a great influence since a* = 6.35mm taken from /10/ re-
duces Pf further by one order of magnitude. /6/,/7/ are more pessimistic about PSI and ISI us-
ing a* = 31.75mm for PSI, which was given in /10/ for austenitic steels.

No pre-servlce Inspection
1E-06-, — asp, 501 detection for 6.11mm

§
o --• arfe 50Z «tetaetfon for 31.75m
— - - vric, 50Ï detadlon for 6.35mm

£ 1E-08-

J 1E-09-
o

1E-10- I I I I————I I ! — — — — I I I ! — — — — I
5 10 15 20 25 30 35 40 45 50 55 60
Operating years

Fig. 5. Time histories for Pf of the RPV for different effectiveness of PSI.

50
 It is important to notice that despite the uncertainty about Pf its relative increase in 60
years is between 53% and 61% for all four curves in Fig.5. This is quite stable but about one
order of magnitude lower than the relative increase found in Sec.4.1 with deterministic K.C. In
this simplified modelling a has the greatest influence with a sensitivity factor of about -0.9.
Tab.l shows that this rôle is taken over by K]c in the completed modelling (but with positive
sign since P/- increases if the design point of K.^. decreases. This is opposite for a). Obviously
the uncertainty about a stochastic variable of medium sensitivity results in moderate uncer-
tainties about Pf and allows for stable predictions of relative changes i.e. the trends for Pf .
Better control of KJC reducing its standard deviation would reduce its sensitivity.

TABLE 1. INFLUENCE OF PS I FOR 40 YEARS OF DESIGN OPERATION

(Design points, sensitivity factors and failure probabilities, see Fig. 5.)
a K

[mm]
c/a [MNnr3'2]
IC
Pf
Case
dcsignp. sensit. designp. sensit. designp. sensit. FORM SORM
7
NoPSI 35.7 -0.52 2.73 -0.26 66.6 0.81 i.i-io- 8.9- 10-8
exp, a* = 6. llmm 20.3 -0.47 2.67 -0.22 49.0 0.86 7.4- lO'9 3.9- JO'9
erfc, a* = 31.75mm 26.0 -0.45 2.61 -0.24 55.4 0.86 4.510-8 -
erfc, a* = 6.35mm 10.4 -0.34 3.06 -0.26 36.0 0.91 1.2-10-' -

Suppose now e = 0.0. Then increasing À in a parameter variation may be interpreted as ei-
ther representing the possible influence of PS I (in the sense of eq. (12)) or a shift of initial crack
distribution towards shallow cracks (in the sense of eq. (9)) by extracting some deep cracks
from the population with improved production /9/. The left line for X = 0.161mm"1 in Fig.6
represents the non-nuclear vessels with no PSI. It is reasonable to assume that nuclear vessels
are not worse than that but can be improved by controlled production and PSI up to the right
line for ^ = 0.161mm"1 + ^ = 0.2744mm"1. Thus the optimistic PSI model in eq. (12) may com-
pensate the pessimistic distribution L*, eq.(9) leading to an overall realistic stochastic model-
ling according to /13/.
If one uses the R6 method /14/ for interpolation between LEFM and limit analysis (LA)
there are two contributions to Pf shown in Fig.6 (at 40 years of operation with design loads)
and identified by inspection of the design points in Fig.7. The first failure mode caused by low
toughness is not missed by LEFM. The second new one is the plastic collapse of deep half-
through cracks. Since both failure modes are weakly correlated Pf is the sum of both contrib-
utions /15/. It is impossible to combine twu deterministic safety factors in a similar way. The
large scatter in KIC data leads to a high sensitivity and slow reduction of Pf with improved
vessel (i.e. increasing A). Changing the distributions of KJC and of from Weibull to normal
distribution with the same mean values and standard deviations reduces the low toughness
contribution by about three orders of magnitude. The plastic collapse contribution is not af-
fected because of the low sensitivity factor of 0.1 (or less) for a^. This is not surprising since a
fairly narrow distribution was assumed for af. Conservatively secondary stress was not ex-
cluded in LA.
On the basis of the simple criterion in Sec.3.1 no LBB behaviour could be demonstrated
probabilistically. The situation becomes 'worse' for improved vessels because PSI followed by
repair removes the large cracks thus further reducing PgQ. The reliability is increased, however,

51
 1E-04-1
— Pf, Welbull, low toughness
IE-OS- — Pf, Welbull, deep crocks

'S 1E-06- - - Pf, Normal, low toughness

u
Pf, Normal, deep crocks
tn
E1E-08-
_o
-o 1E-09-
o.
J 1E-10-
^5
ElE-11-
CJ
1E-12H
IE-13 T I I I
.100 AW .200 .25Q .300
.350 .400 .450 .500
[1/mm]

Fig. 6. Pf vs parameter A for different distributions (40 years design operation).

Pf, Welbull, low toughness

140- - -«.___
— Pf, Welbull, deep cracks
E.120H - • - Pf, Normal, low toughness

jhOO- - — Pf, Normal, deep cracks

PBO
i 80H

60-

40-

20-

T T T
.100 .150 .200 .250 .300
.400 .450
.350 .500
[I/mm]

Fig. 7. Design points for a vs parameter A for different distributions (40 years design operation).

52
for all probabilities are reduced by PSI. The RPV of the Siemens/KWU HTR-Module reactor
is thinner at core level than the design point for a in Fig.7 for the Pgo calculations. Thus the
simple criterion makes LBB more probable for this RPV /9/ (in these calculations primary stress
was correctly excluded in LA). But the questions should be postponed for refined criteria.
Comparing the results in /5/,/l.S/ for the whole primary circuit pressure boundary of the
HTR-Module helps identify the part and mode of most probable failure. It is found that normal
operation contributes to risk more than the accident conditions in /15/. Finally, note that all
probabilities come closer together as they increase with reduced quality of the RPV.

5. Conclusions: The Chances for Probabilistic Fracture Mechanics

If the population is small failure statistics, experimental and numerical predictions of safety
face the same problem of high reliability. There is a particular chance for the numerical ap-
proach because it breaks failure down into all possible contributions, for which, stochastic
models of the physical process can be made. Thus extrapolation from a small data base is
supported by a model of the distribution functions of the stochastic variables. Although not
mentioned this was done for most distributions used in the text (e.g. an exponential distribution
of crack-depth may be derived from certain possible reasons for the existence of defects in welds
/16/). However, it was shown that the choice of distribution for a sensitive variable has a great
influence on failure probability. By the very nature of the problems identified in Sec.2 there is
no optimal solution. Asking for the value of very low failure probabilities of a small population
is asking too much. However, there is a clear sub-optimal solution.

Summarising, one can conclude that with all the different stochastic models and even with
the more conservative assumptions about the distributions the reliability of the RPV proves to
be high and Pf may even be much lower than this. For the safety of the whole plant it is not
so relevant to know exactly how small Pf might be. But it is of prime concern to know an upper
bound for its value and its change during operating years. Therefore target values for Pf and
for its increase in time may be generated for critical passive components by probabilistic safety
analyses (PSA) and it remains the objective of PFM to demonstrate that these single passive
components are not worse than the demands under realistic but still conservative assumptions.
If Pf is too high for a component PFM may be used to guide its improvement by changing
design, improving production and quality control, or by modified operation. For existing plants
there are several means to move the material back towards its original conditions (including
crack distribution). PFM may demonstrate their effectiveness. Low Pf should be regarded as
an operative value and should not be taken as an absolute value for the reliability properties
of a component /5/./16/.

There is a similarity and a fundamental difference between deterministic and probabilistic

fracture mechanics. In deterministic analysis a crack size and shape is conservatively postulated
and material data and loading are handled in the same pessimistic spirit. Then the answer 'yes'
or 'no' is given with no quality of the confidence in this answer. In PFM distributions for the
above data are conservatively selected and the answer 'no' is chosen. Then the confidence in
this answer is quantified. Of course, both kinds of analyses can be done in a best-estimate sense
as well. Besides giving the more complete answer PFM has the chance to monitor all possible
realisations of data, conditions, and all possible failure modes together with all their possible
interactions at one time. Finally, since Pf (and the generalised reliability index /?E) are the only
rational reliability measures, PFM has the chance to help identify components, conditions, lo-
cations and modes of the most probable failure together with the possible influences of different
conditions and possible actions.

53
 What remains to be done? For the RPV stochastic models for fatigue crack-growth should
be used or developed for ageing and neutron irradiation. Existing models for all variables may
be checked for possible improvement. The methodology should be applied to other pressurized
passive components. Other ageing phenomena may come into play for other passive compo-
nents such as stress corrosion cracking /17/ or creep crack-growth /18/. Sensitivity factors as
computed by FORM/SORM methods may be of some help in identifying the most influential
data and in guiding research into the most productive areas. Reducing the scatter in sensitive
data will reduce both failure probability and uncertainty of its prediction. The invention of
some variance reduction for real experiments, thus reducing the number necessary, would be
the major breakthrough. Finally the reader may consult /19/ for "The meaning of probability
in probabilistic safety analysis".

REFERENCES
/ l/ W. Stoppler, D. Sturm, P Scott, G. Wilkowski, Analysis of the failure
behaviour of longitudinally flawed pipes and vessels.
Nuclear Engineering and Design, 151 (1994) 425-448.
/ 2/ O. Klingmüller, U. Bourgund, Sicherheit und Risiko im konstruktiven
Ingenieurbau. (Vieweg, Braunschweig, 1992).
/ 3/ R.F. Cameron, G.O. Johnston, A.B. Lidiard, The reliability of pressurized
water reactor vessels. In: Probabilistic fracture mechanics and reliability,
ed. J.W. Provan (Martinus Nijhoff, Dordrecht, 1987) pp.269-323.
/ 4/ L. Cizelj, M. Riesch-Oppermann, M., ZERBERUS - the Code for Reliability Analysis
of Crack Containing Structures, Kernforschungszentrum Karlsruhe,
Report KfK 5019 (April 1992).
/ 5/ M. Staat, Probabilistic assessment of the fracture mechanical behaviour
of an HTR-module primary circuit pressure boundary.
Nuclear Engineering and Design, 160 (1996) 221-236.
/ 6/ G. Yagawa, et al., Japanese Round Robin Analysis for
Probabilistic Fracture Mechanics. SMiRT 11 Transactions Vol. G,
Tokyo, Japan, paper G30(M)/2, (1991) 331-336.
/ 7/ G. Yagawa, et al., Study of Life Extension of Aged RPV
Material Based on Probabilistic Fracture Mechanics - Japanese Round Robin,
ASME PVP-233 (1992) 69-74.
/ 8/ W. Marshall et al., An Assessment of the Integrity of
PWR Pressure Vessels. (UKAEA, London, 1982).
/ 9/ M. Staat, Reliability of an HTR-module primar)' circuit pressure boundary:
Influences, sensitivity, and comparison with a PWR.
Nuclear Engineering and Design, 158 (1995) 333-340.
/10/ D.O. Harris, E.Y. Lim, D.D. Dedhia, Probability of Pipe Fracture in
the Primary Coolant Loop of a PWR Plant: Volume 5. Probabilistic Fracture
Mechanics Analysis. Report NUREG/CR - 2189, UCID - 18967 (1981).
/l l/ N.G. Sjöqvist, Oskarshamn l - das Projekt FÉNIX. In: Alterungsmanagement bei
Kernkraftwerken, S VA Vertiefungskurs, Winterthur, Nov. 1994, paper 5.2, SVA Bern.
/12/ RSK-Leitlinien für Druckwasserreaktoren.
Gesellschaft für Reaktorsicherheit, Köln (Oct. 1981).
/13/ W.E. Pennell, Heavy-Section Steel Technology Program Overview.
Nuclear Engineering and Design, 142 (1993) 117-135.

54
/14/ R. Harrison, K. Loosemore, I. Milne, A.R. Dowling, Assessment of
the Integrity of Structures Containing Defects, CEGB/R/H/R6, Revision 2 (1980).
/15/ M. Staat, Reliability of the Primary Circuit Pressure Boundary of an
HTR-Module under Accident Conditions. In: Safety and Reliability Assessment.
An Integral Approach, ed. P. Kafka (Elsevier, Amsterdam, 1993).
/16/ R. Wellein, Applications of PFM in the nuclear industry to reactor pressure vessel,
main coolant piping and steel containment. In: Probabilistic fracture mechanics
and reliability, ed. J.W. Provan (Martinus Nijhoff, Dordrecht, 1987) pp.325-350.
/17/ P. Pitner, T. RüTard, B. Granger, B. Flesch, Application of probabilistic
fracture mechanics to optimize the maintenance of PWR steam generator tubes.
Nuclear Engineering and Design, 142 (1993) 89-100.
/18/ H. Riesch-Oppermann, A. Bruckner-Foit, Probabilistic fracture mechanics
applied to high temperature reliability.
Nuclear Engineering and Design, 128 (1991) 193-200.
/19/ St.R. Watson, The meaning of probability in probabilistic safety analysis.
Reliability Engineering and System Safety, 45 (1994) 261-269.
 TBDE RESEARCH ACTIVITIES ON IN-TÜBE CONDENSATION
IN THE PRESENCE OF NONCONDENSABLES FOR PASSIVE
COOLING APPLICATIONS
minium....-.-....-----..
A. TANRIKUT XA9743158
Turkish Atomic Energy Authority,
Ankara, Turkey

Abstract
The introduction of nuclear power becomes an attractive solution to the prooiem of
increasing demand for electricity power capacity in Turkey. Thus, Turkey is willing to follow the
technological development trends in advanced reactor systems and to participate in joint
research studies. The primary objectives of the passive design features are to simplify the design,
which assures the minimized demand on operator, and to improve plant safety. To accomplish
these features the operating principles of passive safety systems should be well understood by an
experimental validation program. Such a validation program is also important for the
assessment of advanced computer codes which are currently used for design and licensing
procedures. The condensation mode of heat transfer plays an important role for the passive heat
removal applications hi the current nuclear power plants (e.g. decay heat removal via steam
generators in case of loss of heat removal system) and advanced water-cooled reactor systems.
But it is well established that the presence of noncondensable gases can greatly inhibit the
condensation process due to the build-up of noncondensable gas concentration at the liquid/gas
interface. The isolation condenser of passive containment cooling system of the simplified
boiling water reactors is a typical application area of in-tube condensation in the presence of
noncondensable. This paper describes the research activities at the Turkish Atomic Energy
Authority concerning condensation in the presence of air, as a noncondensable gas.

1. INTRODUCTION

A part of our long term research and development efforts in Turkey is planned to
concentrate on passive systems and advanced fuels. The research on passive systems mainly
comprises the computer code assessment studies and includes the applications for both old and
new generation reactor systems. The research work concerning the application of condensation
in the presence of air, as a noncondensable gas, was first undertaken for a Once Through Steam
Generator (OTSG) type of PWR, for which, experimental data were available. These
experimental data were obtained from the 2x4 test loop of University of Maryland at College
Park (UMCP) and addressing a very important safety issue so called the loss of residual heat
removal system after reactor shutdown. The experimental data were used for the assessment of
RELAPS computer code and both the effect of Nusselt model, incorporated in the code as the
condensation model, and the effect of nodalization were investigated. But the lacking of
measurements for the inside of SG has led us to the conclusion that the separate effect test is
strongly needed for the investigation of in-tube condensation and the effect of noncondensables
on the condensation mode of heat transfer. Thus, an experimental study, which will enable us for
the fundamental investigation of condensation in the presence of air, was planned in corporation
with the Department of Mechanical Engineering of the Middle East Technical University
(METU), Ankara, in the frame of a project between the Turkish Atomic Energy Authority
(TAEA) and METU. The project is now in the design stage of the separate effect test facility.
The planned experimental investigations will cover a wide range of mixture flow rate, i.e. nearly
stagnant steam-air mixture flow and forced convection condensation, with respect to different
pressure and air mass fraction values.

57
2. THEORETICAL BASIS

The Nusselt laminar film condensation model [1] is widely used in system analysis
codes, such as RELAPS and TRAC, and considered as a base model for our investigations. The
model needs to be improved since the analytical derivation of the model is valid for situations
where the steam is basically stagnant. In cases where the steam flows past cold surface, the
model will predict the heat transfer rate that is significantly too low. However, one of the basic
assumptions of the analytical derivation of Nusselt, that is, linear temperature distribution exists
between wall and vapor conditions, can be considered reasonable in forced convection
conditions since the resistance of the condénsate film is further diminished because of the
thinning, rippling and waviness. But since the influence of turbulence, due to waviness and
rippling, is not incorporated in the Nusselt model McAdams suggested to increase the heat
transfer coefficient by 20% [2].

The application of Nusselt model, incorporated in advanced computer codes, is another

problematic area since the nodalization scheme can highly affect the results. The volume length
(L) selected is the input for the average heat transfer coefficient (h oc (I/ L)025) and it should,
preferably, be the length of effective condensation. Problems may be encountered when fine
nodalization model is applied since the logic behind the derivation of the model originally
assumes the film re-development in each volume where the condensation prevails. But, instead,
the film thickness will increase continuously in downward direction, irrespective to the nodal
model selected. Thus, the model as coded in computer programs can be expected to overpredict
the heat transfer coefficient when the condensation length is discritized by fine mesh model.

As mentioned above, the condénsate film provides the only heat transfer resistance in
case of pure vapor condensation whereas the main resistance lies in the gas/vapor boundary layer
if small amounts of a noncondensable gas are also present. Minkowycz and Sparrow reported a
50% or more reduction of heat transfer rate due to an air mass fraction as low as 0.5% [3]. Many
experimental investigations reveal the fact that the diffusional resistance is the dominant factor
for the reduction in heat transfer in the presence of a noncondensable gas. From the
computational point of view, the presence of noncondensable gas urges us to use fine node
models for better axial gas mass fraction distribution which then results in above explained
drawback in predicting the local heat transfer coefficient.

Traditionally the reduction factor, which is the function of partial pressure of steam in
RELAPS [4], has been used for reducing the heat transfer coefficient. This approach needs to be
improved since degradation of the heat transfer coefficient strongly depends on this factor. Some
recent experimental investigations have shown that the diffusive mass transfer resistance in the
gas/steam boundary layer, through which the heat transfer consists of the sensible heat transfer
and the latent heat given up by the condensing vapor, controls the heat transfer mechanism, that
is, the presence of the noncondensable gas is the actual cause of the existence of temperature and
concentration gradients. The theoretical approach of the experimental investigation (performed
by using a vertical tube with 46.0-mm-i.d.), undertaken at Massachusetts Institute of Technology
(MIT), Cambridge, have revealed that the general form of the local Nusselt number is the
function of Reynolds (mixture), Schmidt, Jacob nondimensional number groups, and gas mass
fraction [5]. The comparable work available on this subject is that of Vierow and Schrock at the
University of California Berkeley (UCB), and the correlation obtained for the local heat transfer
coefficient is the function of the heat transfer coefficient for pure steam condensation based on
Nusselt model, condénsate film Reynolds number and air mass fraction. The experiment,
performed at the UCB, was made using a 22.0-mm-i.d. vertical tube, natural circulation air-
steam system [5].

58
 3. RELAPS SIMULATIONS

The RELAPS simulations comprise the major part of the work undertaken for the
investigation of condensation in the presence of noncondensable. These simulations are aimed to
study the capability of the code to capture the phenomena observed in the experiments. For this
purpose, our investigations are based on two experimental data sets, that are, the data from
UMCP integral test facility and MIT separate effect test facility. Apart from the simulations of
test facilities, a parametric study for the Inherently Safe Boiling Water Reactor (ISBWR) is also
carried out.

3.1 THE SIMULATION OF THE UMCP INTEGRAL TEST FACILITY

The operational characteristics of the test facility during the experiment, performed for
the simulation of loss of residual heat removal system after reactor shutdown, may be considered
to be different than those of the passive safety systems of new generation reactor types. This
simulation leads us to understand the major role of the condensation phenomenon for heat
removal performance and the effect of condensation on primary loop parameters. The simulation
capability of RELAPS is also assessed against the experimental data.

The integral test facility is installed at, and operated by, the University of Maryland, and
is a 1/500 scaled model of a Babcock and Wilcox PWR with two loops [6]. The heat addition
into the loop is accomplished by means of 15 heater rods of 2.54 cm diameter and 0.6096 m
active length. The two steam generators are of Once-Through Steam Generator (OTSG) type
and made of 28 tubes. The tubes are 3.905 m long and have an inside diameter of 29.97 mm and
an outside diameter of 31.75 mm.

The experiment is initialized at cold conditions, i.e. the system is under atmospheric
condition, temperature is 30 °C, and primary loop is drained down to pressurizer surge line
connection. The hot steady-state condition is reached by the establishment of Boiler-Condenser
Mode (BCM) and general characteristics of this condition are: system pressure is 440 kPa, upper
parts of vessel and hot-leg are at saturation temperature (-145 °C), and SG primary level is 75%.
The thermal power during BCM is 34.9 kW and heat removal via SG is mainly by means of
condensation. The UMCP test facility is simulated by RELAPS [7] and the role of condensation
and the inhibiting effect of air on condensation process, as predicted by RELAPS, is given in
Fig. 1 and the primary system pressure at the BCM predicted by RELAPS code is as close as
5.5% compared to the experimental data (Fig. 2). It is to be noted that air is accumulated above
the water level in the SG and the major part of heat transfer by condensation takes place in the
uppermost volume.

3.2 THE SIMULATION OF THE MIT TEST FACILITY

The experimental apparatus [5] consists of an open cooling water circuit and an open
noncondensable gas/steam loop. The main components of the gas/steam part of the facility are
the boiler vessel (4.5 m height, 0.45 m inside diameter) and cooled vertical test section, that is,
the condenser tube. The tube is 2.54 m long (effective) and has an outside diameter of 50.8 mm
and an inside diameter of 46.0 mm. The condenser tube is surrounded by a jacket pipe (62.7 mm
inside diameter).

Experiments are performed for air-steam mixture inlet temperatures of 100, 120, and 140
°C. At each inlet temperature setting, the steam flow rate is varied by using different boiler
power levels (6, 13, and 20 kW). The inlet air mass fraction is varied from 10 to 35% for each

59
 Steady State Boiler-Condenser Mode -- 25
(at 166 mm)

I
+ 15 g

I
10

-- 5

4 5 6 7 8 10
VOLUME NUMBER (Top to Bottom)

Figure 1. Heat Transfer Characteristics of UMCP Steam Generator at the BCM

so 100 ISO 200 250 300

TIME (m ¡nute)

Figure 2. System Pressure of UMCP Test Facility during Loss of Residual

Heat Removal System and Loss of Feed Water System Accidents

inlet temperature and power level setting. A similar test matrix is formed for helium-steam
mixture, that is, for different mixture inlet temperatures (100, 120, and 140 °C) the steam flow
rate is varied by using 6 and 13 kW power settings. The inlet helium mass fraction is varied
from 2 to 10% [5].

60
 The main objective of the experimental investigations, performed at MIT, is to measure
local heat transfer coefficients for steam condensing in the presence of air or helium inside a
tube. Moreover, this study aims to represent the operating characteristics of the Isolation
Condenser (1C) which is the main component of the Passive Containment Cooling System
(PCCS) of Simplified Boiling Water Reactor (SBWR) design.

A RELAPS model of MIT test facility is prepared (Fig 3) and RELAPS results, obtained
for different cases in the test matrix, are compared to the experimental data. Since there are few
forced convection in-tube condensation studies in open literature and most of them can not
represent the operating characteristics of the 1C, the MIT data could enable us to extend our
simulation capabilities to the passive safety systems of advanced reactor designs.

Two typical RELAPS results are compared with the experimental data in Figs. 4 and 5.
The parameters selected, for the comparison, are the heat transfer coefficient and the air mass
fraction with respect to the channel length. The case is characterized by the operating conditions,
namely, the inlet mixture temperature is 120 °C and the inlet air mass fraction is 0.08. For fixed
inlet conditions, the heat transfer coefficient decreases by the accumulation of air. The RELAPS
prediction for air mass fraction follows the trend of experiment very closely (especially at the
entrance region) while the prediction for heat transfer coefficient yields an overestimation
compared to the experimental data. But it is interesting to note that the heat transfer coefficient
calculated for the uppermost volume is very close to the experimental data. Another important
parameter to be considered is the effective condensation length which is the function of axial air
mass distribution. The effective condensation length, for the case presented in Figs. 4 and 5, is
overpredicted by the code.

3.3 THE SIMULATION OF THE INHERENTLY SAFE BOILING WATER REACTOR

CONCEPT

The Inherently Safe Boiling Water Reactor (ISBWR) concept is a 340 MWe (1000
MWt), natural circulation, indirect cycle small boiling water reactor [8,9]. The design features a
multi-cavity Prestressed Concrete Reactor Vessel (PCRV) which contains all primary loop
components (i.e. reactor, steam separator, subcooler/preheater, condenser/evaporator). Fig. 6
shows a section view of the ISBWR. Under normal operation, the naturally circulated primary
fluid rises vertically in chimney after exiting from the core and enters the steam separator. The
separated steam in the steam separator rises through in chimney cavity and then goes through the
steam by-pass orifice to the upper section of downcomer cavity where the Condenser/Evaporator
(C/E) is located. The saturated water goes through the water by-pass orifice to the lower section
of the downcomer cavity where the Subcooler/Preheater (S/P) is located. The secondary loop
coolant flows in the S/P tubes and is heated up, and then goes to the C/E tubes and is
evaporated. The ISBWR is inherently safe against any primary breaks. However, any kind of
secondary fault (e.g. feed water pump trip, rupture of one of the S/P or C/E tubes) may lead to
loss of heat sink. In that case, the steam driven jet injector uses the decay heat steam to pump
water from suppression pool to cool the reactor core.

The primary loop operation characteristics are function of the secondary loop pressure,
inlet temperature, and mass flow rate. Condensation without noncondensable occurs on the main
steam generator tubes which is not a part of safety system of ISBWR. In the ISBWR, the
condensation on the C/E tube outside surface plays main role for the system steady-state
operation parameters.

61
 SV222 TV503
VJ112

Pill P402 P502

Boiler
Pnmary(Tube) Side Secondary (Shell) Side

Non Condensables Makeup

Source Water TV501
Source

VJ414
SV403

P404
Condansate
Collector

Figure 3. RELAPS/MOD3 Nodalization for MIT In-tube Condensation Experiment Setup

í -
1.8 . B
T mix = 120 C , W air = 0.08
1
•M
1.6
£9J s~^
1.4 o

5S"- n
| si-
1 1 0.8
L« •*— '
_ • MTT-EXP
t 0.6 ™ D
S a
4 RELAPS
£ °-
0.2 D
a
n -
0 0.5 1 1.5
Distance from Air/Steam Mixture Inlet (m)

Figure 4. Axial Variation of Heat Transfer Coefficient

62
 1.1 -
1 • •
a
•
o
•
D
•
D
0.9 0

g 0.8 « T mix = 120 C , W air == 0.08

"'RS 0.7
£ 0.6 D

S
O- 05
U.3

°'4
?
. r-EXP
« MT
< 0.3 D
a RELAPS
0.2 B 1————
0.1
n - j i———————————————— 1
0 0.5 l 1.5 2 2.5
Distance from Air/Steam Mixture Inlet (m)

Figure 5. Axial Variation of Air Mass Fraction

Figure 6. Section View of the Inherently Safe Boiling Water Reactor (ISBWR)

63
4. THE PROJECT RELATED TO THE EXPERIMENTAL INVESTIGATION OF IN-TUBE
CONDENSATION IN THE PRESENCE OF AIR

The experimental data available for in-tube condensation in the presence of air are very
limited and most of the experimental correlations developed are applicable for the particular
system for which they were developed. It is also needed to assess the experimental data available
in the open literature with some independent experimental measurements provided that the
experimental conditions are similar.

An experimental program was planned in cooperation with the Department of

Mechanical Engineering of the Middle East Technical University (METU), Ankara, for the
investigation of in-tube condensation in the presence of air in the frame of a project between
TAEA and METU. The project is now in the design stage of the facility.

The project aims to investigate the condensation phenomenon for two different cases.
First, the case corresponding to the operating conditions of SG of UMCP test facility, i.e. the
lowest part of the SG tube is full of water and some amount of air is accumulated just above the
water level. In this case, only the vapor flows -with relatively low Reynolds number- from top of
the SG tube and the water level is kept constant throughout the experiment. The mass of air
accumulated above the water level can affect the effective condensation length. The second case
planned is for forced convection condensation. The test matrix proposed for this case will
comprise different system pressures (1-5 aim) with the variation of inlet air mass fraction for
each pressure setting. The effect of mixture Reynolds number will also be considered. There are
two condenser tubes, planned to be used for the experiments, with different inside/outside
diameters (25.0/32.0 mm, 47.0/51.0 mm) and same total length (-2.0 m).

5. CONCLUSIONS

The annular film condensation of vapor inside vertical tubes is extremely important for
applications concerning chemical and power industries. By the investigations regarding
condensation in unconfined spaces it has been well established that the existence of
noncondensable gases can greatly inhibit the condensation process, and in turn, the heat transfer
performance of heat exchangers. Among such investigations there are also theoretical and
experimental studies for plane surfaces, with different orientations, to simulate the cooling
conditions of containment wall. But the experimental investigations addressing the research on
in-tube condensation in the presence of noncondensable(s) for passive cooling applications of
new generation reactors are very limited in the open literature.

The experimental and computational research activity for in-tube condensation in the
presence of noncondensable(s) is planned and launched by TAEA to make contributions in the
area of passive cooling applications. The mechanism beyond the effect of noncondensable gases
for the degradation of heat transfer rates by the condensation process is rather complicated.
Thus, the research program is also supported by the theoretical investigations.

REFERENCES

[1 ] Collier, G.G., Corrective Boiling and Condensation, McGraw-Hill, New York (1981).
[2] McAdams, W. H., Heat Transmission, McGraw-Hill, New York (1954).
[3] Minkowycz, W. J., Sparrow, E. M., "Condensation Heat Transfer in the Presence of
Noncondensables, Interfacial Resistance, Superheating, Variable Properties, and
Diffusion," Int. J. Heat Mass Transfer, Vol. 9, pp. 1125-1144 (1966).

64
[4] Carlson, K. E., "RELAP5/MOD3 Code Manual, Vol IV: Models and Correlations,"
EG&GIdaho(1990).
[5] Siddique, M., Golay, M. W., Kazimi, M.S., "The Effects of Noncondensable Gases on
Steam Condensation under Forced Convection Conditions," Massachusetts Institute of
Technology, MIT-ANP-TR-010 (1992).
[6] Hsu, Y. Y., "Final Design Report for the UMCP 2X4 B&W Simulation Loop,"
University of Maryland (1984).
[7] Tanrikut, A., Heper, H, Bayraktar, N., Gunel, I., "The Simulation of Loss of Residual
Heat Removal System after Reactor Shutdown," Annual Meeting on Nuclear Technology
'94, Stuttgart (1994).
[8] H. S. Aybar, "Simulation of The OSU Inherently Safe Reactor Design Using RELAPS",
ANS Transaction, Vol. 70, pp. 236-237 (1994).
[9] H. S. Aybar, T. Aldemir, "Simulator Development For The Ohio State University
Inherently Safe Reactor Using The DSNP Language", Mathematical Methods and
Supercomputing in Nuclear Application, H. Küsters, E. Stein, W. Werner (Eds.), Vol. 1,
pp. 831-841, Kernforschunszentrum Karlsruhe GmbH (1993).

PAOSH(S)
left BLANK
65
 PLANT EXPERIENCE WITH CHECK VALVES IN PASSIVE SYSTEMS

R.R. PAHLADSINGH
GKN Joint Nuclear Power Plant,
Dodewaard, Netherlands

Abstract
In the design of the advanced nuclear reactors there is a tendency to introduce more passive
safety systems. The 25 year old design of the GKN nuclear reactor is different from the present
BWR reactors because of some special features, such as the Natural Circulation- and the Passive
Isolation Condenser system. When reviewing the design, one can conclude that the plant has 25
years of experience with check valves in passive systems and as passive components in systems.

The result of this experience has been modeled in a plant-specific "living PSA" for the plant.
A data-analysis has been performed on components which are related to the safety systems in the
plant. As part of this study also the check valves have been taken in consideration. At GKN, the
check valves have shown to be reliable components in the systems and no catastrophic failures
have been experienced during the 25 years of operation.

Especially the Isolation Condenser with it's operation experience can contribute substantially
to the insight of check valves in stand-by position at reactor pressure and operating by gravity
under different pressure conditions.

With the introduction of several passive systems in the SBWR-600 design, such as the
Isolation Condensers -, Gravity Driven Cooling - and Suppression Pool Cooling System, the issue
of reliability of check valves in these systems is actual. Some critical aspects for study in
connection with check valves are:

- what is the reliability of a check valve in a system at reactor pressure, to open on demand.
- what is the reliability of a check valve in a system at low pressure (gravity), to open on
demand.
- what is the reliability of a check valve to open/close when the stand-by check valve is at
zero differential pressure.

In this paper the plant experience with check valves in a few essential safety systems will be
described and a brief introduction will be made about the application of check valves in the design
of the new generation reactors.

1. INTRODUCTION

The information for this presentation is retrieved from the GKN Level 1 PSA model. The
plant experience presented, comes from those systems and components which are modeled in the
PSA.

The systems which will be reported are those where check valves have a passive function or
where the whole system is a passive safety system.

2. HISTORY

To obtain an objective picture about check valves which are operating at low differential
pressure it is worth making a historical review.

Check valves developed to perform quick action and also operate under minimum differential
pressure are not new; the swing check valve with outside lever and weight is an old application.

67
 The check valves used at GKN are mainly of the "swing-type" as shown in figure 1. Figure
2 shows some of the check valves as installed in the plant.

PS A data-analyses show only one (1) registered failure of the check valve T40-04022 (see
figure 4 on page 74) over a time-window of 19 years.

Failure Mode: backflow (leakage) of this check valve.

No action was taken because the leakage had stopped.

CAST STAINLESS STEEL CHECKVALVE

with vertical hanging disk and membrane-seal

USEINDEN'/MANNESMANN TEK 501-J1Í-4

FIG. 1. Swing check valve

68
CAST STAINLESS STEEL CHECKVALVE ®(D(D(D (D(D©(1
with vertical hanging disk and
membrane-seal

ON 15-100
PNt/10/10/25/40 ON 125-200
PN 10/18/25/40

lu$EINO(N5)WNNISM«HNtlll Ml-lll-t

FIG. 2. GKN check valves

3. SYSTEMS WITH PASSIVE COMPONENTS

At GKN the systems which are worth mentioning in connection with passive check valves
are:

The Isolation Condenser System (NCS system):

This system is the passive system at GKN and will be the main system in this report. The 4
inch check valve in the 1C discharge line is closed and exposed to reactor pressure; it is
located in the reactor chamber and installed horizontally in the piping to the reactor vessel.

Systemdata:
- Water Level in 1C (Top) : 39.100 mm
- Injection nozzle on Reactor Vessel : 28.468 mm
- Water level in Reactor Vessel : 27.325 mm
- Maximum watercolumn : 10.632 mm

The Low Pressure Core Flooding system (KIS system):

This system has the function of core flooding at pressures below 1.57 MPa. The four (4)
main 8 inch check valves, two in series in each KIS discharge line have a passive function
and are installed in horizontal and vertical positions. One of the valves in each line is
exposed to reactor pressure while the maximum pressure for the second check valve is below
1.57 MPa.

Systemdata:
- Injection nozzle on Reactor Vessel : 28.875 mm

The Standby Liquid Control System (NGS system):

The function of this system is to inject a boron-solution in the reactor-vessel. The piston-type
check valve has a passive function and is exposed to reactor pressure.

Systemdata:
- Injection nozzle on Reactor Vessel : 28.163mm.

3.1. Isolation condenser system (NCS)

3.1.1. Intended Function

The Isolation Condenser System (fig. 3) is a safety-system with the design-basis that, after a
scram and isolation, the decay-heat can be removed through a closed water/steam cycle (through
natural circulation) assuring that the reactor pressure is maintained below the opening pressure for
the Automatic Depressurization System (ADS). The system is considered as a "stand-by" passive
system.

Capacity : (Measured) 14MW.

at:
Operating pressure : 5.49 MPa.
Temp, tubeside : 270 °C
Temp, shellside : 100 °C

3.1.2. Failure Mode

The failure mode for the Isolation Condenser in the GKN-PSA is:
ISOLATION CONDENSER FAILS.

70
3.1.3. Reliability

The present system unavailability in de PSA, for the NCS-system is 3.44xE-02.

3.1.4 Component/System availability

The unavailability of the discharge piping of the Isolation Condenser is the main contributor
to the unavailability of the NCS-system with 3.29xE-02. The contribution of the failures of the
check valve to this number is 1.7xE-03.

3.1.5 Lifetime

The 1C is a part of the primary reactor support systems and has to be available as long as the
reactor will be in operation.

3.1.6. Testing Requirements

The check valve T-18020 and the motor operated valve (MOV) 18005 are yearly tested
simultaneously according to plant-procedures. This test is done before refuelling and with open
reactor vessel.

1C tests after refuelling : 26.

As shown in Table I, the 1C has been seventeen (17) times in operation under different
power- and pressure conditions and for various time-intervals.

3.1.7. MM

The 1C will automatically come in operation when reactor pressure reaches 8.14 MPa. The
motor operated valve 18005 will open and control the reactor pressure at 8.14 MPa to prevent
ADS actuation. The 1C can also be operated manually from the control room. Manually opening of
the MOV 18005 is also possible locally in the reactor building.

3.2. Low pressure core flooding system (KIS)

3.2.1. Intended Function

The Low Pressure Core Flooding System (fig. 4) is a safety-system for injection of water to
cover the reactor-core under LOCA conditions whereby the pressure is below 1.57 MPa.

Discharge pressure : 1.57 MPa.

Capacity : 180 nrMv1
Temperature : 95 °C (max.)

3.2.2. Failure Mode

The failure mode for the Low Pressure Core Flooding system in the GKN-PSA is:
THREE OF THE FOUR KIS PUMP STRINGS NOT AVAILABLE.

3.2.3. Reliability

The present system unavailability in the PSA, for the KIS system is: 3.76xE-03, (Short
Term).

71
-J ENS 9 5
N) TABLE i. ISOLATION CONDENSER IN OPERATION

GKN ISOLATION CONDENSER IN OPERATION FWS FEED WATER SYSTEM

File: GKNICS.XLS I_SCRAM ISOLATION SCRAM
Date: 17NOV1994 SD SHUT DOWN

Timespant Pressure (ato.)

Date: Event: Description From: Till: Start! End:

1 03SEP68 SCRAM ICS IN OPERATION AFTER SCRAM. 70.00 70.00

2 26OCT68 TEST TEST ICSbundle #1 and #2' AND 12:42 15:01 70.00 70.00
INCREASE POWER FROM SMWe to 52MWe.
3 06DEC68 TEST TEST ICS AT START-UP @ ISMWe. 22:35 23:07 70.00 70.00
4 04JUL69 I_SCRAM ICS IN OPERATION TO CONTROL 00:58 68.00 68.00
REACTOR PRESSURE.
5 22AUG69 TEST WATERHAMMER TEST. REACTOR PRESSURE 02:00 07:25 7.00 1 55.00
FROM "7" to "55" ato.
6 28JAN70 SD ICS TAKEN IN OPERATION TO KEEP 10:04 16:01 5.40 ( 4.00
PRESSURE @ "4" ato.
7 01JUN70 TEST TEST FROM "0" to "55" ato. 01:27 07:50 0.00 55.00
8 23SEP70 SD ICS IN OPERATION TO REPAIR RHR. 08 :00 11 :00 3.20 1.50
9 30SEP70 TEST TEST FROM "1" ato TO "55" ATO. 15:10 21:00 1.00 55.00
10 02OCT70 I_SCRAM ICS IN OPERATION TO CONTROL PRESSURE 16 :16 23 :10 73.00 69.00
@ "68" ato. (LOSP : 3 kV).
11 190CT70 TEST ICS IN OPERATION ® "1" ato. 11:34 13 :19 1.00 |Í i.oo 1
12 04DEC73 SD ICS IN OPERATION ® "5" ato. i.c.w. 08 :30 21:25 5.00 5.00
LEAKAGE RHR. (ALSO TURBINE BEARING).
13 01JUL75 FWS ICS IN OPERATION THROUGH JULY 05. 11:58 5 day s j 2.00 | 2.00 |
FW LINE NOT AVAILABLE.
14 04FEB76 I_SCRAM ICS IN OPERATION TO CONTROL PRESSURE 02 :24 03 :16 70 . 00 70.00
(FAILURE IN 75 MVA TRF-COOLER).
15 18AUG84 I_SCRAM ICS IN OPERATION "3 minutes" AFTER 08:33 12 : 09 76 .00 10.00
I_SCRAM ADS-CHAIN 2 FAILURE.
16 24FEB88 I_SCRAM ICS IN OPERATION AFTER LOSP 3kV. 13:42 19:00 76.00 38.00
17 24MAY88 I SCRAM ICS IN OPERATION DURING ADS-TEST. 14 :02 15 :30 70.00 45.00
 18006

STEAM RELEASE TO ROOF

RADIATION MONITORS REACTOR BUILDING

EMERGENCY
CONDENSER
n
WATERHOSE D—M
COUPLING

REACTOR
18020 VESSEL

\ •«- TO TURBINE
CORE

LOWER PRESSURE
EMERGENCY
COOLING

VENTING
MAIN CONDENSER

U) FIG. 3 Schematic of NCS - system

 REACTOR
CHAMBER

REACTOR
VESSEL

N /
CORE
/__N

4020 4022

4020A 4022A

SUPPRESSION SUPPRESSION
POOL POOL

<&
T)

©- HD
-v*-

KIS-P1 KIS-P3 KIS-P2 KIS-Pí.

-**-

FIG. 4 Schematic of KJS-system

3.2.4 Component/System availability

In the unavailability of the KIS system the CCFs for the check valves have an important
contribution. If this system has to be improved one might consider a different type of check valves
in one of the KIS discharge lines.

3.2.5 Lifetime

The KIS as a part of the ECCS is a primary reactor support system and has to be available
as long as the reactor will be in operation.

74
3.2.6 Testing Requirements

The discharge lines with check valves T40/04020 and T40/04020a resp. T40/04022 and
T40/04022a are tested yearly after refuelling according to plant-procedures.

Discharge line tests after refuelling : 26.

The KIS system up to the isolation valves is tested monthly.

3.2.7 MM

The KIS will automatically come in operation after either one of the following signals:

- high pressure drywell

- opening of the ADS-valves

The KIS system can be put in operation manually from the control room and the KIS-pumps
can be started locally.

3.3. Standby liquid control system (NGS)

3.3.1 Intended Function

The Standby Liquid Control System (fig. 5) is a safety-system for injection of a boron-
solution (natriumpentaboraat) in the reactor vessel to bring down the reactor from "full power" to
cold "sub-critical" condition".

Discharge pressure : 10.59 MPa.

Capacity : 1.14m 3 .h''
Temperature : 50 °C

3.3.2 Failure Mode

The failure mode for the NGS system in the GKN-PSA is:
NGS FAILS TO DELIVER LIQUID POISON TO REACTOR.

3.3.3. Reliability

The present system unavailability in the PSA, for the NGS system is: 4.06xE-02.

3.3.4 Component/System availability

The unavailability of the system is mainly determined by the valves in the common
discharge header. The marginal improvement which is possible in the reliability of the system is a
result of the system design. The operator has to start the NGS system manually and the basic-event
related to the failure of this action has a probability of 3.00xE-02.

3.3.5 Lifetime

The NGS is a part of the primary reactor support systems and has to be available as long as
the reactor will be in operation.

75
 NGS-Ï1

ELECTRICAL
HEATING
ELEMENTS

NGS-Î2

REACTOR REACTOR
BUILDING CHAMBER

-Ä-Ä-

NUS-PI

17019
REACTOR

-Ä-Ä-

o PIPE-HEATING
NGS-P2

FIG. 5 Schematic of NGS-system

3.3.6 Testing Requirements

The check valve T-17019 and the MOV 17008E are yearly tested simultaneously according
to plant-procedures.

This test is done after refuelling and with closed reactor vessel.

Number of test after refuelling : 26.

76
3.3.7 MM

The NGS system is manually put in operation from the control room and the NGS-pumps
can be started locally.

DISK OPEN APPROX. 15*

«rf NO PRESS. OlFFHnENTTAL
FLOW
WLET END
HARD-FACED SEAT

KARO-FACH? SEAT

1. Beft 11. _
Z. Í2. HtogePto
(A)CosBaemasgta 13. Besang!«***
14.
3. ßaaüss. Bofam 15. Staff
4. SKA* 16. Amatare
5. me 17. Huang
6. Corar 1Í. Stttorframe
7. Où* «i 19. CoS
f. Gaum, «BOT» «i &. EoeoderShw
A Rassss 21. MrOap
10. HogsPta 22. aottBeamg

FIG. 6. Biased-open check valve

4. TECHNICAL SPECIFICATION ON REPORTED CHECK VALVES.

System + Injection Valve Valve

level in RV Type Position Pressure

NCS (1C) Swing Horizontal 7.55 MPa

28.468 mm

KIS-Line 1 Swing (1st) Vertical 7.55 MPa

28.875 mm Swing (2nd) Vertical <1.57 MPa

KIS-Line 2 Swing (1st) Vertical 7.55 MPa

28.875 mm Swing (2nd) Horizontal <1.57 MPa

NGS (Boron) Piston type Horizontal 7.55 MPa

28.163 mm

77
5. NEW DESIGNS

To improve the check valves to be installed in the passive systems of the new General
Electric SBWR-600 reactor figure 6 shows the design of the biased open check valve for the
Gravity Driven Cooling System (GDCS). This valve with a GE patent has been designed and the
testing program for this model will start soon.

6. CONCLUSIONS

Plant Data-analysis shows that in the 25 years of operation no catastrophic failures with
check valves have been experienced in safety systems at GKN-Dodewaard nuclear power plant.

The Isolation Condenser System with it's "swing check valve" has been in operation for at
least 43 times (17 + 26) under various plant conditions and has shown that natural circulation in
the passive Isolation Condenser has performed it's function upon request.

Automatic testing of passive components/systems during operation can also be a method to

verify the function and thus guarantee the availability of these systems.

The objective for the new design for check valves is to improve the performance of the
valve at low differential pressures.

The reliability of check valves is an important safety issue in the design in passive systems
for the new generation reactors.

7. CONSEQUENCES OF EXTREME LOADS

All check valves presented in this report are subjected to reactor pressure. During operation
or tests no catastrophic failures were detected.

8. REDUNDANCY AND DIVERSITY

Redundancy and diversity could improve the NCS-, KIS- and the NGS system. Because of
accessibility problems and exposure-dose, which is expected to be substantial when installing the
redundant component, other solutions where chosen to bring down the Core Damage Frequency
(CDF).

78
 BACKUP PASSIVE REACTIVITY SHUTDOWN SYSTEMS X.W43160

Yu.M. ASHURKO, L.A. KUZNETSOV

Institute of Physics and Power Engineering,
Obninsk, Russian Federation

Abstract

The paper reviews self-actuated shutdown systems (SASSs) for liquid metal-cooled
fast reactors (LMFRs). Principles of operation are described, advantages and drawbacks
analyzed, and prospects for application in advanced fast reactors examined.

Ways to improve reactor self-protection via reactivity feedback amplification and

related problems are discussed.

1. INTRODUCTION

A major task to be achieved in advanced reactors is to ensure reactor self-protection

in the case of the most severe accidents, i.e., unscrammed loss-of-flow (ULOF), unscrammed
loss-of-heat sink (ULOHS) and unscrammed transient-over-power (UTOP).

Hence, reactor safety is to be ensured in the case of any accident, even under
conditions of total active system failure, i.e., by means of inherent safety features and
specific self-actuated systems and elements.

Reactor shutdown is a key safety function that should be effective in any accidental
event.

Reactor power can be lowered to the safety level under the conditions of active
reactor protection system failure via effective negative reactivity feedback, self-actuated
shutdown systems or simultaneous application of both.

Interest in self-actuated shutdown systems has never ceased. However, it was

advanced reactor concepts as well as high modern safety standards that led to SASS
development. A wide range of experiments to prove self-actuated shutdown systems
feasibility are being conducted in parallel with theoretical studies. For instance, SASSs
application in LMFRs is currently under study.

Simultaneously, the full potential of inherent LMFR safety features is being

investigated. Here most comprehensive way of attaining reactor self-protection is negative
reactivity feedback amplification.

The present paper discusses the requirements of self-actuated shutdown systems and
LMFR characteristics, and analyzes advantages and disadvantages of some of the means as
well as their prospects.

2. GENERAL REQUIREMENTS OF PASSIVE SHUTDOWN SYSTEMS

The general requirements of passive shutdown systems in sodium-cooled fast reactors

are determined taking into account the following pre-requisites. The system should ensure
termination of the accident and transition of the reactor to a safe condition. In practical

79
terms, this implies the impossibility of fuel element melting and coolant boiling.
Requirements for a self-actuated shutdown system of this kind for the BN-800 fast reactor
are as follows:

It should be efficient enough to shut down the reactor (about -0.8 % Ak/k).
It should be activated by a core outlet sodium temperature of 650°C or by an in-core
coolant flowrate drop below 0.6 of the nominal value.
The delay between reacting the trip point and operation of the passive system should
not be long enough to lead to multiple fuel pin cladding failure (delay not exceeding,
2 sec), nor to sodium boiling in the core (delay not exceeding 5 sec).
It should differ in design from the standard shutdown system.
It should be insensitive to displacements due to temperature in the upper part of the
reactor.
The absorber position hi self-actuated shutdown system devices should be under
control.
Unloading of self-actuated shutdown system devices by the standard transfer machine
should be practicable.

3. CLASSIFICATION OF SELF-ACTUATED SHUTDOWN SYSTEMS

Self-actuated shutdown systems can be classified according to their methods of

influencing neutron flux, according to their principles of operation and the range of accidents
the system is intended for, or according to the form of the absorber.

Solid absorber insertion into the core is used to influence neutron flux hi virtually all
backup passive reactivity shutdown systems for fast reactors except for gas expansion
modules (OEMs), whose operation is based on varying the neutron leakage.

The actuation principles employed hi the devices differ greatly. They are as follows:

absorber rods or balls suspended in the coolant flow which go down into the core
when the coolant flowrate drops,
coolant expulsion from the core in the event of pump turn-off,
temperature-induced changes hi magnetic properties of the materials used in the
control rod latches, which result hi the rods being released;
temperature-induced changes hi the form of the materials used in the latches which
result hi the rods being released;
elongation of special elements caused by coolant temperature increase and resulting
in absorber rod release and insertion hito the core;
direct connection of the latch to a standard power supply.

4. BACKUP PASSIVE SHUTDOWN SYSTEMS FOR FAST REACTORS

4.1. SADE system

The EFR project employs the so-called "third shutdown level" based on passive
principles hi order to bring the reliability of the shutdown system to the required level. The
SADE system is a part of this system. It employs passive means to block the power supply
to electric magnets of some groups of DSD (diverse shutdown rods) after loss of power in
the primary circuit pumps.

80
 SADE is a passive system. The fact that it uses the rods of the standard shutdown
system may be considered its major drawback. The system is applicable to ULOF and
ULOHS types of accidents. A similar system is provided for the U.S. Advanced Liquid
Metal Reactor (ALMR).

4.2. Control rod enhanced expansion device (CREED)

CREED is the second component of the "third shutdown level" for the EFR. It is a
self-actuated shutdown system with absorber rod insertion into the core resulting from an
mcrease in the core outlet temperature. The purpose of the device is to prevent sodium from
boiling in the core.

The EFR project studied two variants of the CREED concept. One is based on
thermal expansion of a fixed mass of liquid sodium (Fig. 1), while the other depends on the
elongation of a stack of bimetallic washers (Fig. 2) 121. These variants have a common
principle for absorber rod delatching. A temperature rise results in displacement of one

4
î 1

\ 2
Ü
, t
-T"3 »
t
y——
• ———
=39
_ Spring
HT" "•"' =13a
M————— 9
m== L
if

;.—— Metallic
ft I Bellows
j: *: ;

t î t
Sodium
Container

_ ^ ^
t

1
Ball&
- Socket
TA
Joint
tt
ci za

t> t!
Hot Absorber Hot
Sodium
m
Coolant Sodium
Flow

FIG. 1. Enhanced thermal expansion hydraulic ring concept.

81
 Disc Spring
Column

Bimetallic Ring
Column

Ball & Socket

Joint

tt
Hot Hot
Absorber
Sodium coolant Sodium
Flow

FIG.2. Enhanced thermal expansion bimetallic ring concept.

element of the socket in a ball and socket joint resulting in release of the balls and allowing
the absorber rod to drop into the core.

CREED is an effective remedy for ULOF and ULOHS accidents. It ensures that the
maximum permissible sodium temperature, 900°C, is not exceeded.

Among the advantages of CREED we can note its complete independence from the
main reactor shutdown systems and its compact form.

Application of the principle of solid absorber rod insertion which is employed in the
standard shutdown systems, constitutes the main drawback of CREED. In addition, the latch
is not immune to failure, e.g., as a result of coolant impurity deposition on it, or when two
elements in contact with each other get stuck together. The actuation temperature threshold
for these devices may vary widely. The devices cannot be reset.

4.3. Gas expansion modules (GEMs)

These devices are based on variations in neutron leakage from the core due to changes
in coolant volume (Fig.3). The device in question is intended for reactor protection in ULOF

82
accidents /3/. A cut in primary pump power leads to a drop of core inlet pressure which in
turn results in a drop in the sodium level in the GEM.

FIG. 3. Gas expansion module.

A device of this type has been tested in the FFTF reactor and has proved to be
operational. At present GEMs are planned to be used in the PRISM reactor design. They
are intended to provide negative reactivity insertion of about -$0.5 - $0.8.

This method of negative reactivity insertion is characterized by fast response, does

not employ moving parts, can be used many times without special operations to reset it, and
is easy to control.

It has the following drawbacks:

It is not multipurpose: it is practicable in the case of only one accident, i.e.,

loss-of-flow through the reactor core (ULOF).
GEMS are most efficient in small-power reactors in which neutron leakage
plays a major role; their efficiency in more powerful reactors is much lower.
The efficiency of a GEM decreases at low coolant flowrate.
Special procedures must be developed and employed for installation of a GEM
into the reactor.
Coolant can trap the gas from GEM, especially in transient regimes (pump
startup, flowrate change, accidental transient), which may lead to a decrease
in its efficiency.

4.4. Flow suspended rods

The principle of operation of hydraulically suspended rods is as follows. Under the

normal conditions of reactor power operation absorber rods are suspended hi the coolant
flow, their absorbing part being above the core. In ULOF accidents when the coolant
flowrate through the core ceases, the rods go down into the core under their own weight
(Fig.4) 14, 51.

Some time ago these rods were studied as a passive safety device within the British
CDFR project. They had an independent circulation loop with a special pump that turned
off simultaneously with the primary circuit pumps hi the case of a power cut.

Development of such devices is now under way in Russia.

The Russian variant is based on the flow-suspended rods containing boron carbide,
which are placed in a standard shutdown system subassembly. The subassembly is placed
in the core and its actuation is induced by the changes of coolant flowrate hi the core.

83
 p=p. non G<0,5G r
C=G,

absoroer

FIG. 4. Passive secondary shutdown system

with flow-suspended rods for BN-800.

In order to prevent absorber rods from rising during reactor shutdown in the event
of unauthorised increase in flowrate above the allowable level, provisions are made for the
hydraulic relief of the actuating part. The rods are returned to the upper working position
with the help of grips before power increase takes place.

Devices of this kind are being developed for BN-600 and BN-800 reactors /4/. Their
flowrate actuation threshold has been set at 0.6 of the nominal value. Thus, reactors can be
also run on two out of three working loops.

Numerous in-core and simulation experiments have been made in order to confirm
the correct operation of these flow-suspended rods.

The actuation mode of the rods has been tested in the BR-10 reactor, inclusive of on-
power operation. Design characteristics including the time of insertion into the core (0.7 sec
and 1.2-sec for different variants) were substantiated. Longevity tests are underway in the
BR-10 reactor; the devices in question are actually being used as the standard reactor
protection system.

84
 A full-scale simulation of such a device for the BN-600 reactor is being tested in a
hydraulic (water) mock-up. Results concerning the characteristics of such devices when
employed in power reactors were obtained. These include the time of insertion of the rods
into the core which were 4.7 and 6.1 sec for two variants. These characteristics ensure
reactor shutdown with a temperature margin to sodium boiling exceeding 200 °C.

These devices have the following advantages:

simple actuation principle employed;

rather fast response providing a considerable temperature margin to sodium
boiling;
can be used many times with only a simple inspection and resetting procedure
to restore the operational configuration of the device.

The drawbacks are as follows:

it is not multipurpose, i.e., it can only be used in loss-of-flow accidents

(ULOF).
it employs the same principle of solid absorber rod insertion as the standard
shutdown system.
it has a limited range of allowable coolant flowrate values in the core.
operational parameters may change due to changes in hydraulic characteristics,
i.e., due to the deposition of impurities or oxides on the flow part of the
device and its elements.

4.5. Absorber balls shutdown system

The self-actuated shutdown system proposed hi /6/ is similar in its principle to the
flow suspended rods. The difference is that it employs flow suspended absorber balls instead
of rods. In addition, in order to widen the range of accidents by which the device is actuated,
it contains a shutoff valve actuated by a thermal device based on a Curie point magnet. The
latter is actuated by the increase of the coolant temperature and blocks the passage of coolant
through the shutdown device, which also results in the insertion of absorber balls into the
core (fig.5).

Due to the above, the device has some advantages over the flow suspended rods:

it is more versatile and ensures safety not only in ULOF, but also in UTOP
and ULOHS accidents;
it uses a different principle of absorber insertion into the core as compared to
the standard shutdown systems, which enhances its immunity to common
mode failure;
significant deformation of the core cannot prevent the insertion of the
absorber.

We can also list the following drawbacks:

Absorber balls can leak from the device if it loses integrity;

The possibility of the absorber balls jamming in the upper or lower position
cannot be excluded;

85
 — uy
L.-2 $>
^

42 ""r \_ 1
INCHES » V « ^ C E N T R A L BYPASS

1^ i
FLOW TUBE

^ ^ '* ^r
_ >• t -
•^>-C
> — HYDRAULICALLY
•»*• *"" SUPPORTED
j> ABSORBER B A L L S
"

Î
— HEXAGONAL
•> REACTOR
ELEMENT

CORE
20NE

^ LOWER G R A T E
J

FLOW SHUTOFf
ASSEMBLY USING
C U R I E POINT
MAGNETIC DEVICE

e.» c Sail Concept

FIG 5

The possibility of self-welding of the absorber ball cannot be ruled out.

4.6. SASS based on curie point magnets (CPM)

Development of SASSs based on Curie point magnets is underway in Russia /4, 5/
and Japan 111.

Magnetic materials are used in the latch that holds the absorber rods above the core.
The materials lose their magnetism at a definite temperature. Thus, in accidents involving
temperature increase the absorber rod is released and dropped into the core.

In Japan, research on such devices is based on electromagnets, while in Russia

devices of this kind are developed as fully autonomous.

A most important task is to find materials that significantly change their magnetic
properties within the desired temperature range. For the device under development in
Russia, the actuation temperature, i.e., the temperature of the coolant, is taken to be 650-
670°C with the condition that the actuation time should not exceed 5 sec. A very important
feature of the magnetic material for the autonomous variant is the weight it can hold.

In order to ensure the desired rated load the following configuration of the CPM is
used. It consists of a permanent magnet made of magnetic alloy with axial magnetization,

86
 Drive rod

Armature

Magnet

FIG. 6. Mock-up design of magnetic actuating device.

a surrounding screen made of ferrous-nickel alloy with a Curie point of 620 °C, and the
armature made of Armco iron which is connected to the absorber rod.

Fig.6 shows a mock-up design of the CPM device for an experiment in a sodium rig.
The experiment tested its rated load in a flow of sodium in the temperature range of 300 -
680°C, with a rate of temperature increase in the device of about 12°C. The rated load of
the device in a gaseous atmosphere is about 8.2kg at room temperature and 2.8kg at 680°C.
To study the effects of irradiation, magnetic material specimens have been placed in the BR-
IO reactor.

These S ASS devices have the advantage of versatility and can be used to prevent any
type of accident.

Their drawbacks are as follows:

They employ the same principle of solid absorber insertion into the core as the
standard shutdown system;

87
 The device may fail to demagnetize due to either insufficient temperature
increase in the temperature-sensitive material or increase in its sensitive
temperature. The former may result from changes in thermohydraulic features
of the device and the basic, thermo-physical properties of the thermosensitive
material. The latter may be due to changes in temperature / magnetic
properties as a result of gap reduction, e.g., due to accumulation of some
magnetic material from the coolant, swelling of the material, etc., or Curie
point rise and changes in magnetic permeability.
The latch may fail to release despite demagnetization of the material, e.g., due
to adhesion of the magnet and the rod.

4.7. SASS based on shape memory alloys

Such devices are currently under development in Russia /4, 5/ and in Japan.

The absorber rod is held above the core with the help of a SASS device based on
shape memory alloys. When the temperature of the latch reaches a certain level it changes
its form and releases the absorber rod which falls down into the core. A method for shaping
the material as applied to different rod designs is being developed.

Ti-Ta and Ti-Ta-Hf alloys with a shape recovery temperature of 650° C were selected
for the purpose. Currently corrosion studies and mechanical tests are underway.
Investigations of titanium alloy in the form of a disk spring pack show that these elements
can provide the following characteristics - an actuation time of Is, a stroke of 6-8 mm, and
a force developed of 700 N. Also tested is a titanium-based alloy with addition of rhodium
which would have the required level of shape memory temperature.

The device can be used in different types of accidents. The drawbacks are as follows:

principle of solid absorber insertion common with the standard systems;

possible irradiation-induced changes of the properties of the material.

4.8. General comments on SASS devices

Analysis of the SASS devices under development shows that;

a) Solid absorbers are mostly used (except for GEMS), usually in the form of rods (the
only exception is the use of absorber balls).
b) Hence, they all belong to passivity category C (except for GEMS, which belong to
category B) /8/.
c) The principle of solid absorber insertion, which is common to standard shutdown
systems, makes most of the self-actuated devices vulnerable to common mode failure
simultaneously with that of standard shutdown systems. Common mode failure may
be caused by absorber rod jamming due to core deformation resulting from swelling
or transient conditions, etc. (except for absorber balls and GEMS).
d) Only temperature-actuated SASS devices are applicable to different types of accidents.
SASS devices adapted to coolant flowrate changes can be used for a limited range of
accidents (ULOF).

As to application of SASS devices in advanced reactors, temperature-activated

devices, which are applicable to all severe accidents, are considered the most promising.

88
SASS devices sensitive to specific types of accidents should be used in combination with
other means so that the whole range of possible accidents is covered.

Development of SASS devices with a liquid absorber is very promising. It will raise
the degree of passivity to category B. At present, preliminary studies of such a device using
cadmium or indium as an absorber are underway. The device is temperature-actuated and,
hi addition, functions as a means of reactivity feedback amplification hi the initial stage of
the accident.

5. Analysis of the effect of reactivity feedback amplification

Reactivity feedback amplification is an effective and universal means of reactor self-

protection in the case of severe beyond-design-basis accidents.

In sodium-cooled fast reactors, this implies that even in the most severe accidents
sodium boiling and fuel melting do not take place. However, in some cases avoiding sodium
boiling and flow melting can be seen as a conservative measure in avoiding core damage.
For instance, in the case of negative sodium void effect of reactivity (SVER), sodium boiling
and fuel melting in the limited central part of fuel pins does lead to rapid onset of damage
to the core. At present, the SVER value in the core of the BN-800 reactor is close to zero
(-0.1% Ak/k).

Analysis of the relations between reactivity feedback components that provide reactor
self-protection and taking hito account the dynamic factor effects, shows that, in order to
ensure reactor safety in the most severe ULOF accident, it is the reactivity feedback
components determined by the temperature of the coolant hi the core and hi the core outlet
that should be amplified 191.

These components may be as follows:

the effect of radial expansion of the core;

the effect resulting from the insertion of absorber, into the core, e.g., due to
control rod drivers expansion;
thermal expansion of specific sensitive elements placed hi the coolant flow.

However, reactivity feedback amplification may lead to reactor instability, instability

boundaries being closer than is called for by self-protection requirements.

As an example, Figs. 7-12 show the calculation results for two transients for a BN-
800 reactor type under ULOF conditions.

In the first transient (Figs. 7-9) an additional reactivity component, besides the usual
ones is introduced. It is caused by changes in the temperature of sodium, at the outlet of fuel
subassemblies in the core with a reactivity coefficient at this temperature being equal
to -2*10"5/°C. This corresponds to an increase of core radial expansion.

It is obvious that the reactivity feedback amplification is insufficient to prevent sodium

boiling in the core. However, it also induces reactor instability. This is due to the fact that
the response of the component in question to the initial disturbance takes place with a
significant phase shift. This fact requires careful analysis of the effects caused by expansion
of control rod drivers and their displacement with respect to the core.

89
 100 200 300 400 500 600
1 - Neutronic reactor power
2 - Coolant flow rate in the core
3 - Coolant flow rate in the seconder} circuit

FIG. 7. Accident ULOF for the reactor BN-800.

Application of negative reactivity feedback depending
on core outlet sodium temperature.

80E-3

40E-3

OOE+0 -

-4 OE-3

-8 OE-3

-1 2E-2
0 100 200 300 400 500 600
1 - Temperature reactivity effect (without core radial expansion)
2 - Amplified negative reactivity feedback
3 - Net reactivity

FIG. 8.

90
2500.0

2000.0

1500.0 -

1000.0 -r----xVc

500.0
100 200 300 400 500 600
1 - Maximum fuel temperature in the pin centre (LEZ)
2 - Maximum fuel temperature in thé pin centre (MEZ)
3 - Maximum fuel temperature in the pin cjiitre (HEZ)

FIG. 9. Accident ULOF for the reactor BN-800.

Amplification of negative reactivity feedback depending
on core outlet sodium temperature.

1.2 T

1.0

0.8

0.0-
200 300 400 500 600
\ - Neutronic reactor power
2 - Coolant flow rate in the core
3 - Coolant flow rate in the secondary circuit

FIG. 10. Accident ULOF for the reactor BN-800.

Amplification of negative reactivity feedback depending
on sodium temperature in the core midplane.

91
 8.0E-3 -r

4.0E-3 -•

OOE-t-0

-1.2E-2
0 100 200 300 400 500 600
•f - Temperature reactivity effect (without core radial expansion)
2 - Amplified negative reactivity feedback
3 - Net reactivity

FIG. 11. Accident ULOF for the reactor BN-800.

Amplification of negative reactivity feedback depending
on sodium temperature in the core midplane.

800.0 -r

700.0 -

600.0 -

500.0
100 200 300 400 500 600
1 - Core outlet sodium temperature (LEZ)
2 - Core outlet sodium temperature (MEZ)
3 - Core outlet sodium temperature (HEZ)

FIG. 12.

92
 In order to ensure reactor stability in the case of reactivity feedback amplification, use
can be made of sensitive elements operating on coolant temperature changes averaged over
the height of the core.

Figures 10-12 show the results of calculations of the variant in which the thermo-
sensitive element is placed in the median plane of the core. The reactivity coefficient
is -6*10~5/°C. The process of lowering reactor power in this case is seen to take place
without self-sustained oscillations. Sodium in the core does not boil.

6. Conclusions

The above SASS devices significantly enhance the reliability of the reactor shutdown
function, making the reactor passively safe and ensuring its self-protection against, some or
all beyond design basis accidents.

It would be expedient to use SASS devices in advanced reactor designs.

Reactivity feedback amplification is an effective means of increasing reactor self-

protection in severe accidents. A thorough analysis of reactor stability is necessary in this
case.

REFERENCES

1. C.H.Mitchell, M.G.Pelloux. EFR Shutdown System. Intern. Topical Meeting,

Obninsk, Russia, October 3-7, 1994, vol. 4, pp. 6.74-6.85.
2. D. N. Millington. The EFR Reactor Protection System and Third Shutdown System for
Risk Minimization. Specialists' Meeting on "Passive and Active Safety Features of
LMFRS", Oarai, Japan, 5-7 November 1991, pp. 139-144.
3. P.M.Magee, A.E.Dubberley, G.L.Gyorey, AJ.Lipps and T.Wu. Safety
Characteristics of the U.S. Advanced Liquid Metal Reactor Core. Specialists'
Meeting on "Passive and Active Safety Features of LMFRS", Oarai, Japan, 5-7
November 1991, pp. 199-205.
4. Yu.K.Buksha. The Status of Work in the USSR on Using Self-protection Features of
Fast Reactors, of Passive and Active Means of Shutdown and Decay Heat Removal
System. Specialists' Meeting on "Passive and Active Safety Features of LMFRS",
Oarai, Japan, 5-7 November 1991, pp. 64-69.
5. Bagdasarov Yu.E., B-Uksha Yu.K., Voznesensky R.M. and etc. Development of
Passive Safety Devices for Sodium-Cooled Fast Reactors. Intern.-Topical Meeting,
Obninisk, Russia, October 3-7, 1994, vol. 4, pp. 6.51-6.57.
6. E.R.Specht, R.K.Paschall, M.Marquette and A.Jackola. Hydraulically Supported
Absorber Balls Shutdown System for Inherently Safe LMFBR's. Intern. Meeting on
Fast Reactor Safety and Related Physics, Chicago, Illinois, October 5:8, 1976, vol.2,
pp. 683-695.
7. M.Moriyama. Development of a Self-Actuated Shutdown System and Its Reliability.
Specialists' Meeting on "Passive and Active Safety Features of LMFRs", Oarai,
Japan, 5-7 November 1991, pp. 163-170.
8. Safety Related Terms for Advanced Nuclear Plants. IAEA-TECDOC-626, September
1991.

93
9. H.A. KyaneiiOB, H.B. CaBHHOBa, H.A. meKOTOBa, KD.A. JleöeaeB, A.JI. KOHO-
KOTHH, A.B. JlaaaHOB, B.A. MeflBCflKOB. OCHOBBI caMosamnmeHHOCTH peaKTo-
poB na obiCTpwx nefiTponax H rryTH noBLimemw 6e3onacHocxH peaKTOpa xnna
BH-800. CoBercKo-aMepHKancKHo ceMHHap "TIpoGjieMbí jiniieHSHpOBaHiw peaKTO-
pOB na öticTpbix HeftTpOHax", ANL, Illinois-Idaho, 29 October - 3 November, 1990.

94
PRESENTATIONS ON PASSIVE SAFETY
SYSTEMS/COMPONENTS

(SESSION III)
 • »... ••>•••> (••• I B I I I I H B I I •!••• HUI MBH |

REACTTVTTY CONTROL IN HTR POWER PLANTS WITH XA9743161

RESPECT TO PASSIVE SAFETY SYSTEMS

H. BARNERT, K. KUGELER
Institute for Safety Research and Reactor Technology,
Research Centre Julich GmbH,
Julich, Germany

(Summary)
The R & D and Demonstration of the High Temperature Reactor (HTR) is described in
overview. The HTR-MODULE power plant, as the most advanced concept, is taken for the
description of the reactivity control in general. The idea of the "modularization of the core" of
the HTR has been developed as the answer on the experiences of the core melt accident at
Three Miles Island. The HTR module has two shutdown systems: The "6 rods"-system for hot
shutdown and the "18 small absorber pebbles units"-system for cold shutdown. With respect to
the definition of "Passive Systems" of IAEA-TECDOC-626 the total reactivity control system
of the HTR-MODULE is a passive system of catagory D, because it is an emergency reactor
shutdown system based on gravity driven rods - and devices -, activated by fail-safe trip logic.
But reactivity control of the HTR does not only consist of these engineered safety system but
does have a self-acting stabilization by the negative temperature coefficient of the reactivity,
being rather effective in reactivity control. Examples from computer calculations are presented,
and - in addition - experimental results from the "Stuck Rod Experiment" at the AVR reactor
in Julich. On the basis of this the proposal is made that "self-acting stabilization as a quality of
the function" should be discussed as a new catagory in addition to the active and passive
engineered safety systems, structures and components of IAEA-TECDOC-626. The
requirements for a future "catastophe-free" nuclear technology are presented. In the appendix
the 7th amendment of the atomic energy act of the Federal Republic of Germany, effective 28
July 94, is given.

97
 CANDU PASSIVE SHUTDOWN SYSTEMS

R.S. HART, R.A OLMSTEAD

AECL CANDU,
Sheridan Park Research Community,
Mississauga, Ontario,
Canada

Abstract

CANDU incorporates two diverse, passive shutdown systems (Shutdown System

No. 1 and Shutdown System No. 2) which are independent of each other and from the
reactor regulating system. Both shutdown systems function in the low pressure, low
temperature, moderator which surrounds the fuel channels; the shutdown systems do not
penetrate the heat transport system pressure boundary.

The shutdown systems are functionally different, physically separate, and passive
since the driving force for SDS1 is gravity and the driving force for SDS2 is stored energy.
The physics of the reactor core itself ensures a degree of passive safety in that the
relatively long prompt neutron generation time inherent in the design of CANDU reactors
tends to retard power excursions and reduces the speed required for shutdown action,
even for large postulated reactivity increases.

All passive systems include a number of active components or initiators. Hence,

an important aspect of passive systems is the inclusion of fail safe (activated by active
component failure) operation. The mechanisms that achieve the fail safe action should
be passive. Consequently the passive performance of the CANDU shutdown systems
extends beyond their basic modes of operation to include fail safe operation based on
natural phenomenon or stored energy. For example, loss of power to the SDS1 clutches
results in the drop of the shutdown rods by gravity, loss of power or instrument air to the
injection valves of SDS2 results in valve opening via spring action, and rigorous self
checking of logic, data and timing by the shutdown systems computers assures a fail safe
reactor trip through the collapse of a fluctuating magnetic field or the discharge of a
capacitor. Event statistics from operating CANDU stations indicate a significant decrease
in protection system faults that could lead to loss of production and elimination of
protection system faults that could lead to loss of protection.

This paper provides a comprehensive description of the passive shutdown systems

employed by CANDU.

1.1 OVERVIEW DESCRIPTION

The CANDU reactor is equipped with two physically independent safety

shutdown systems (SDS1 and SDS2) that are physically and functionally independent of
each other and of the reactor regulating system.

Shutdown System No. 1 (SDS1) consists of mechanical shutdown rods which drop
by gravity, enhanced by springaction, into the core (between the columns of fuel
channels) when a trip signal de-energizes clutches which hold the shutdown rods out of
the core during normal plant operation.

99
 Shutdown System No. 2 (SDS2) injects a concentrated solution of gadolinium
nitrate into the low pressure moderator between the rows of fuel channels to quickly
render the core subcr'rtical. The injection is initiated by de-energizing fast acting valves,
which are held closed during normal plant operation, to pressurize the individual poison
tanks associated with each of the injection nozzles with helium.

A computerized monitoring and test system provides the operator with indications
of all shutdown system parameters and automates testing. The system prompts the
operator, executes the testing, and records the test results. For each shutdown system,
trip parameter instrumentation and logic is tested in such a way that the complete system,
from variable sensing to final trip action is tested (for example, each shutdown rod tested
by partial drop into core). A test is automatically terminated if another trip channel goes
into a tripped state. The test frequency assures that the reliability requirement of not
more than one shutdown system failure in one thousand demands is satisfied.

1.2 PASSIVE/FAIL-SAFE FEATURES

The shutdown systems are functionally different, physically separate, and passive
in that the driving force for SDS1 is gravity and the driving force for SDS2 is stored
energy.

Passive features are extensively applied throughout the detailed implementation

of the shutdown systems. The design of each component of both systems and the
response of the systems to loss of supporting services such as electrical power or
pneumatics is subjected to detailed failure modes and effects analysis which is used to
ensure passive, fail safe features are inherent in the mechanical, electrical and pneumatic
aspects of the design. For example, loss of electric power to the electromagnetic
clutches that hold the shut-down rods poised above the core, result in a rod drop of SDS1
shutdown rods. Loss of the instrument air supply or electrical power to some or all of
the valves associated with the poison injection for SDS2 will result in fail safe action,
achieved by "air-to-close", "spring-to-open" valves. Failure of any critical component of
the trip logic or the physical shutdown mechanism also results in fail safe action.

Passive concepts have been embedded at many levels of the detailed design and
realized in innovative ways. For example, the patented CANDU, PWdog passive
watchdog timer, incorporated into the design of the independent computers that perform
the trip detection logic for each of the two shutdown systems (see Appendix I). This
device achieves extremely high reliability by combining a very low electronic component
count with the use of passive, capacitive stored energy discharge, to ensure that fail safe
action continues if extensive computer self checks indicate potential faults. Essentially,
if the computer finds no faults in rigorous periodic self checking, it opens and closes
digital output contacts. The continuous, opening and closing of these contacts on a rigidly
uniform and precise time increment schedule, creates an alternating current magnetic field
that in turn ensures energy transfer through a simple transformer, coupled to a capacitor
(a transformer coupled RC circuit). The energy in the capacitor maintains closed
shutdown contacts. Even a slight deterioration in the consistency of the execution time
performance of the computer, or a non compliance in any one of hundreds of trip
computer internal and external hardware and software self checks will result in the
collapse of the magnetic field, the discharge of the capacitor and a reactor trip. The only
conceivable failure mode is the simultaneous welding of the redundant shutdown contacts
which initiate the passive systems.

100
1.3 OPERATIONAL HISTORY

Historically, CANDU was among the first reactors to include fail safe computers in
safety systems with the PDCs (Programmable Digital Comparators) used in the CANDU 6
reactors (early 1980s). PDCs were used to implement the trip decision logic for the
process trip parameters.

CANDU plants have had excellent operating statistics. The four CANDU 6 stations
(Wolsong 1, Embalse, Gentilly 2 and Point Lepreau) have a total of 45 years of operating
history without a single unsafe failure reported. All PDC failures have been safe failures
which can be contrasted with the experience with the conventional portions of the system
where about 1/4 of the failures are potentially unsafe; i.e. temporarily diminish the
redundancy of protection, until corrected. This is due largely to the design that employs
features such as self-checks, "continuous" testing, hardware watchdog timers, etc., which
convert unsafe faults into safe failures (i.e. trip the channel). From the production
reliability viewpoint, there have been no spurious reactor trips attributed to protection logic
related failures. Table I summarizes the operational data.

This experience has confirmed the original reasons for using fail safe digital logic;
that it enhances safety availability (converts unsafe failures into safe ones), and improves
production reliability.

Table I

Lepreau I G.S.
Protection System Reliability Data
1982 July 25 to 1987 September 30

Conventional
Equipment Computers
Potential Production Loss 35 23

Potential Protection Loss 63 0

The detailed descriptions of SDS1 and SDS2 in the following sections provide
more insight into the design and it's passive features.

2. SHUTDOWN SYSTEM NO. 1 (SDS1)

2.1 General Arrangement

The first method of quickly terminating reactor operation when certain parameters
exceed defined operating limits, is the release of the spring-assisted gravity-drop
shutdown rods of SDS1. SDS1 employs a logic system having three independent
channels which detect the requirement for reactor trip and de-energize direct current
clutches to release the shutdown rods into the moderator region of the reactor core.

The mechanical shutdown rod units, which are part of shutdown system no. 1,
rapidly insert neutron-absorbing rods into the core to shut the reactor down. Each
mechanical shutdown unit, shown in Figure 1, comprises a shutdown rod, a vertical guide

101
 SHUTDOWN NEGATOR
DRIVE ASSEMBLY SPRING TO
REWIND DAMPER
CABLE POSITION LIMITER PLATES - LINK
BETWEEN MAIN AND DAMPER SHAFTS
THIMBLE ROD READY ALSO ENGAGE POSITION STOPS
FLANGE INDICATOR DRIVE MOTOR AND
.WORM REDUCTION OEAH
UPPER SHIELD ELECTROMAGNETIC
PLUG CLUTCH BETWEEN
IDLER AND
MAIN SHAFTS

POTENTIOMETER
LOWER POSITION INDICATOR
- BELLOWS
SHIELD PLUG -
CABLE
REACTIVITY MECHANISMS GUIDE TUBE
DECK STRUCTURE TOP 'SPRING SHUTDOWN ROD
BEVEL REDUCTION GEAR
A. AND SPUR REDUCTION GEAR
ON IDLER SHAFT

DRIVE MECHANISM SCHEMATIC

SHIELD
PLUG SPRING '"I

SHUTDOWN ROD ACCESS TUBE -

ACCELERATOR
SPRING THIMBLE ——
PUSHROD ON
SHUTDOWN ROD SHIELD TANK
SHELL

SPRING IN
POISED SHIELD
POSITION WATER GUIDE TUBE/GUIDE
SPRING HOUSING TUBE EXTENSION
SCREWED JOINT

CALANDRIA
'SHELL

BOTTOM OF
ABSORBER
REACTIVITY MECHANISMS
DECK STRUCTURE BOTTOM
(POISED)
-ACCESS TUBE PERFORATED
"GUIDE TUBE
THIMBLE
MODERATOR CALANDRIA
TUBES

o
GUIDE TUBE
" EXTENSION

-SPRING HOUSING

VAULT AIR

LOCATOR
ASSEMBLY
ABSORBER SECTION
OF SHUTDOWN
ROD (POISED) ~~"~^
CALANDRIA
SHELL

9ÍOI80-2.3.S-9

Figure 1 Mechanical Shutdown Rod Unit

102
tube, and a winch-type drive and release mechanism, along with its shield plugs and
accelerator spring assembly. The tubular element section of each shutdown rod is a thin
cadmium absorber tube sheathed in stainless steel. It is supported on a tubular push-rod
which is suspended from a stainless steel wire rope, that is wound onto the sheave of its
drive mechanism. The shutdown rod cable is passed straight through a vertical hole in
the shield plug. Radiation streaming is blocked by the push-rod, since the rod is always
in the shield plug when the reactor is operating. The sheave is coupled by an
electromagnetic friction clutch to its electric motor through a gear train. When the clutch
is de-energized by a shutdown trip signal, the sheave is released and the rod falls under
the force of gravity. A supplementary initial acceleration is imparted directly to each rod
by the compressed accelerator spring when the sheave is released. The fall of the rod
is arrested near the end of its travel by hydraulic braking on the shaft within the drive
mechanism. After the reason for the trip has been established and when the operator
decides to restart the plant, the following occurs: When the clutch is energized, upon
clearance of the trip signal, the rod is raised by the motor-driven sheave. The vertical
position of each rod is measured by an electrical sensor on the sheave shaft. The travel
of the rod is physically limited by dog-plate mechanisms and shaft rotation end stops
inside the drive. A second position sensor, the "rod ready" indicator, directly monitors the
presence of the rod in the withdrawn position, to verify that it is ready for use. Magnetic
reed switches mounted in the shield plug sense a permanent magnet mounted in the top
of the rod. Consistent with the CANDU safety philosophy of separating safety and
regulating functions, the clutch is part of the safety system. The winch motor used for
shutdown rod withdrawal is controlled by the regulating system, but cannot engage the
shaft to withdraw the rod when the clutch de-energized.

The design is based on triplicated measurements of each variable, with protective

action initiated when any two of the three trip channels are tripped. A single loop
component or power supply failure will not incapacitate or spuriously invoke the operation
of the safety system. As indicated in Table II, there are nine types of measured variables
which can initiate a reactor trip through SDS1. The selection of variables ensures that
there are redundant sensing parameters for all categories of process failures identified.
A SDS1 reactor trip can also be manually initiated by the operator.

Table II

Shutdown System No. 1 Trip Parameters

Item Trip Parameter Detector Type

a. Neutron Power Vertical In-Core Detectors
b. Rate Log Neutron Power Ion Chambers
c. Heat Transport System Flow Differential Pressure Transmitters
d. Heat Transport System Pressure Pressure Transmitters
e. Reactor Building Pressure Differential Pressure Transmitters
f. Pressurizer Level Differential Pressure Transmitters
g- Steam Generator Level Differential Pressure Transmitters on each
Steam Generator
h. Steam Generator Feedline Pressure Pressure Transmitters on Individual
Feedlines
i. Moderator Level Differential Pressure Transmitters

103
 There are three independent channels, D, E and F, having completely independent
and physically separated power supplies, trip parameter sensors, instrumentation, trip
computers, and annunciation. SDS1 uses general coincidence voting logic; i.e. the
shutdown rods are dropped when any two of the three channels trip, regardless of the
parameters causing the channel trips. A simplified block diagram of one channel is
shown in Figure 2. The trip system is monitored to provide a positive indication of the
state of the trip logic, by verifying the correct operation of all contacts when each channel
is tested. The shutdown rods are divided into two banks: each bank is supplied with dual
90 volt dc power supplies for the clutches. Each clutch coil is held energized by the
contacts of a separate relay. The high volt-ampere rating of the clutch dictates this
arrangement to ensure no relay contact overrating. For each variable monitored, a test
capability is provided by which a trip condition is simulated establishing that the channel
and parameter trip logic function as designed. The testing frequency is determined based
on the target unavailabilities for each parameter.

2.2 Instrumentation Power Supplies

2.2.1 Displays

All the information required on the tripping parameters and the status and operation
of the system can be displayed on CRTs in the main control room and the secondary
control area, at the operator's command.

2.2.2 Power Supplies

Separately channelled to Group 2A, Class I and Class II power supplies are
connected to each of the SDS1 channels. The logic and instrumentation have been
designed so that a channel trips on loss of power. Fuse failure or loss of power to
individual transmitters results in a channel trip, and is annunciated.

2.2.3 Annunciation

Annunciation for SDS1 is provided in the secondary control area and in the main
control room (using buffered outputs from the secondary control area). The SDS1 control
room panel contains window equivalent alarms which indicate the state of trip parameters.
When a parameter reaches the trip level, these windows show an alarm state. The
parameter and channel trip statuses are connected to the plant display system through
a fibre-optic link for annunciation and event sequencing. During upset conditions, the
time and the sequence of SDS1 parameters exceeding their limits may be printed out on
demand. Helium tank pressure, valve position, poison tank level, helium makeup supply
pressure and poison front position are indicated in the main control room and secondary
control room. The quick-opening valve limit switches are also used to monitor the valve
stroking time during channel test.

3. SHUTDOWN SYSTEM NO. 2

3.1 General Arrangement

SDS2 is the second method of quickly terminating reactor operation when certain
parameters exceed defined operating limits. Reactor shutdown is via the rapid injection
of concentrated gadolinium nitrate solution into the moderator through horizontal nozzle

104
 TO SAFETY
SYSTEM MONITOR

TRIP PARAMETER
TEST
J

PARTIAL PARTIAL
DROP TEST OF DROP TEST OF
INDIVIDUAL INDIVIDUAL
SHUTDOWN RODS SHUTDOWN RODS

SHUTDOWN ROD SHUTDOWN ROD

CLUTCHES GROUP A CLUTCHES GROUP B

Figure 2 Shutdown System Ho. 1 - Block Diagram

assemblies. SDS2 employs a logic system having three independent channels which
sense the requirement for shutdown and release fast-acting valves which release high
pressure helium to inject the gadolinium poison into the moderator.

Figure 3 shows a simplified schematic diagram of the system. A vessel containing

high pressure helium supplies is the source of energy for rapid poison injection. The tank
is connected, through six quick-opening valves arranged in three successive pairs, to a
helium header which services the poison tanks. The quick-opening valves are
air-to-close, spring-to-open, so that they fail safe on loss of air supply or electrical power.
The cylindrical poison tanks are mounted on the outside of the reactor vault wall. Each
of these poison tanks contains gadolinium nitrate solution. The nominal solution
concentration is 8000 mg of gadolinium per kg heavy water and is verified by an on-line
recirculating sampling system. Each poison tank is connected by a stainless steel pipe
to a horizontal in-core injection tube nozzle which spans the calandria between rows of
fuel channels, and is immersed in the moderator. The Zircaloy-2 nozzles penetrate the
calandria horizontally and at right angles to the fuel channel tubes. Holes are drilled into
the nozzle along its length to form four rows of jets which facilitate complete dispersion
of the poison into the moderator. There is a liquid-to-liquid interface between the poison
solution and the moderator. Movement of the interface is caused by the poison very
slowly migrating by diffusion from an area of high concentration to an area of low
concentration. Also, physical motion of the liquid back and forth in the line causes a
small amount of mixing of the poison solution with the moderator. This motion is caused
by variations in the moderator level. The interface movement results in a periodic
requirement for back flushing (moving of poison back to design position) approximately
twice per year. This is because of the slow diffusion process and because the moderator
level is maintained constant during warmup and upgrading by bleed and feed respectively
from the D2O supply system. Also moderator temperature is maintained constant during
operation. Two conductivity probes are installed in each poison injection line downstream
of the poison tank. One is located close to the bottom of the poison tank to monitor the
poison concentration and alarm on low poison concentration. The second probe is
located close to the shield tank to detect when the poison solution reaches the
downstream top of the U-Section. Upon alarm from any of the latter probes, the
associated poison injection line must be backf lushed to pull the poison interface back to
the ball valve or drain line inside the vault. In the backflushing procedure, the affected
poison tank is partially drained to the mixing tank with ball valve in the poison injection
line closed. This valve is then opened and the interface moves towards the poison tank,
refilling it.

The design is based on triplicating the measurement of each variable

and initiating protective action when any two of the three trip channels are tripped,
regardless of the parameter (i.e., general coincidence logic). A single loop component
or power supply failure will not incapacitate or spuriously invoke the operation of the
safety system. There are nine measured parameters which can initiate a reactor
shutdown through SDS2, as shown in Table III. The selection of parameters is such that
there are redundant sensing parameters for all categories of process failures identified.
The system can also be manually tripped by the operator from the main control room or
the secondary control area.

There are three independent channels, G, H and J. A six valve configuration

ensures a very simple and reliable design. Figure 4 shows a simplified block diagram of
one channel of SDS2. One manual trip button and parameter test controls for each
channel are mounted on the SDS2 control console in the main control room. Interlocks

106
HELIUM VENT LINES TO REACTOR BUILDING ATMOSPHERE
PRESSURE BALANCE LINE REACTIVITY DECK

HELIUM COVER GAS

ISOLATION BALL VALVE

QUICK OPENING VALVES (NORMALLY OPEN)

SAMPLING RETURN
LINES TO POISON MODERATOR LEVEL
TANKS (VALVES
NORMALLY CLOSED)
HELIUM
SUPPLY
TANK

CONDUCTIVITY
PROBES

SAMPLE
CANISTER

POISON/
DRAIN AND FILL MODERATOR
LINES FROM INTERFACE
POISON TANKS
ISOLATION
(VALVES
BALL VALVE
NORMALLY (NORMALLY
CLOSED) OPEN)
I I 1 I I I 1

940180 Î92 6

Figure 3 Shutdown System No. 2 Liquid Poison Injection System

are provided so that a channel may not be tested if any other channel is in the tripped
state. There are three alternate helium paths, each with injection valves and an interspace
vent valve. Special logic prevents the testing of two different channels within ten minutes
of each other. This ensures that the interspace between the helium injection valves is
depressurized and it prevents spurious, partial injections.
Table III
Shutdown System No. 2 Trip Parameters and Detectors Used
Item Trip Parameter Detector Type
a. Neutron Power Horizontal In-Core Detectors
b. Rate Log Neutron Power Ion Chambers
c. Heat Transport System Flow Differential Pressure Transmitter
d. Heat Transport System Pressure Pressure Transmitter
e. Reactor Building Pressure Differential Pressure Transmitter
f. Pressurizer Level Differential Pressure Transmitter
9- Steam Generator Level Differential Pressure Transmitter on each
Steam Generator
h. Steam Generator Feedline Pressure Pressure Transmitter on Individual
Feedlines
i. Moderator Level Differential Pressure Transmitter

TO SAFETY
SYSTEM MONITOR

LEGEND:
N.O. NORMALCY OPEN
N.C. NORMALLY CLOSED
P.O. FAILS OPEN
F.C. FAILS CLOSED VENT VALVES

Figure 4 Shutdown System No. 2 - Block Diagram

108
 For each variable monitored, a test capability is provided by which a trip condition
is simulated establishing that the channel trip logic for that parameter functions as
designed. The complete system operation can be tested with a single input from the
sensor to the helium injection valves to mimic the condition of an actual injection.

In addition, trip parameter measurements are tested by a check for insulation

resistance for the in-core flux detectors and by a monitoring and channelized
cross-comparison process for process pressure measurements. Similar channelized
measurements of routine pressure fluctuations are cross-compared using the trip
monitoring computers to determine if any one of the transmitters is not responding
properly to variation in the measured variables. Testing frequencies are determined on
the basis of target unavailabilities for each parameter.

3.2 Instrumentation and Power Supplies

The approach to instrumentation and power supplies for SDS2 is the same as that
for SDS1, described in Section 2.2. The instrumentation and power supplies for SDS2
are, however, independent and separate from those for SDS1.

4. SUMMARY

CANDU incorporates two independent, passive and fully capable shutdown

systems that function based on passive principles, both in their basic mode of operation
and in their fail safe operation. The two shutdown systems, each functionally and
physically separate from each other assure that the probability of CANDU not tripping as
required is less than 1 in 106 demands. The passive operation of the shutdown systems
in combination with rigorous on-power testing assures this level of performance.

109
 APPENDIX I

The Watchdog as a Passive Safety Device

in CANDU Computerized Shutdown Systems

CANDU reactors use computers to carry out the trip decision logic portion of the
shutdown systems. That is, the computers (channelized and triplicated) initiate a reactor
shutdown based on the state of a number of trip parameters; such as pressurizer level,
heat transport system pressure, steam generator levels, etc. Many fail-safe features are
incorporated in these shutdown system computers. One such feature is the "watchdog".

The watchdogs are totally independent devices from the trip computers. There is
one watchdog per shutdown system channel. The output from each trip channel's
watchdog is a relay contact that sits in the hardwired channel trip voting logic in series
with the channel trip contact from the trip computer. That is, the channel will trip if either
the trip computer or watchdog contact opens.

The watchdog is a passive device that requires a specific signal from the trip
computer to supply power for its output relay. The signal typically is a constant square
wave that toggles between 24 or 48 Vdc and 0 Vdc. This device is powered by the signal
from the trip computer in such a manner that if the output from the trip computer gets
stuck (either high or low) the device becomes unpowered. This is achieved by the use
of a transformer.

Referring to Figure 5, the signal from the trip computer is a square wave coming
into the primary side of a transformer, shown on the left side of the figure. A transformer
requires a signal that is changing (toggling) in order to transfer power from the primary
coil (input) to the secondary coil (output). This is a fundamental principle of
electromagnetism. Should the input signal cease toggling, even if it remains in the high
state (24 or 48 volts) then there will be no output from the secondary side of the
transformer. This in turn means that there will be no power to the relay coil which will
cause the contact to open. Figure 5 shows the simplest form of such a watchdog. A
capacitor is typically added to provide a constant voltage to the relay coil.

Transformer To Trip
Square
Wave from
P DC
_TLTTJ~1

FIGURE 5 CANDU TRIP COMPUTER WATCHDOG

110
 Further refinements to this basic circuit (i.e. a frequency sensitive circuit) have
been added such that the watchdog will only accept certain update frequencies. In this
way, the watchdog not only detects stuck outputs from the trip computer but also incorrect
output frequencies from the trip computer, thereby increasing the types of trip computer
failure modes that will result in a fail-safe channel trip.

&EXT
left BLANK I 111
 ACIWE OR PASSIVE SYSTEMS? XA9743163
THE EPR APPROACH

N. BONHOMME
Nuclear Power International

J.P. PY
FRAMATOME

Cedex, France

Abstract

In attempting to review how EPR is contemplated to meet requirements applicable to future

nuclear power plants, the authors indicate where they see the markets and the corresponding unit
sizes for the EPR which is a generic key factor for competitiveness. There are no reason in
industrialized countries, other than USA (where the investment and amortizing practices under
control by Public Utility Commission are quite particular), not to build future plants in the 1000 to
1500 MWe range.

Standardization, which has been actively applied all along the French program and for the Konvoi
plants, does not prevent evolution and allows to concentrate large engineering effort in smooth
realization of plants and achieve actual construction and commissionning without significant
delays.

In order to contribute to public trust renewal, a next generation of power reactors should be
fundamentaly less likely to incur serious accidents To reach this goal the best of passive and
active systems must be considered without forgetting that the most important source of
knowledge is construction and operating experience.

Criteria to assess passive systems investigated for possible implementation in the EPR, such as
simplicity of design, impact on plant operation, safety and cost, are discussed.

Exemples of the principal passive systems investigated are described and reasons why they have
been dropped after screening through the criteria are given.

INTRODUCTION

Nuclear plant designers throughout the world are addressing the potential inclusion of passive
features to meet higher safety standards and reduced costs for future plants. The intent is to
simplify designs based upon the current operating knowledge and provide safer, simpler and less
expensive designs. These goals are chosen to allow future nuclear plants to remain economically
competitive with other power production alternatives.

The designers of future plants must make difficult decisions concerning system designs in order
to assure a high level of safety while also addressing public perception of nuclear power. In order
to improve public perceptions, the use of a greater number of passive systems in a plant design is
encouraged. However, the limited experience and testing of such systems can raise additional
questions about the economic operation of such nuclear plants in the future.

The following discussion addresses these issues for the EPR project. The discussion includes
expectations of market conditions (including base assumptions on plant size and potential
locations of customers) and the assessment of passive design features that have been
considered thus far in the EPR design. The discussion is directed at defining the factors which
affect future plant designs and then describes the EPR approach to the design choices.

113
Specific discussion is provided concerning the major passive features considered by EPR and the
logic used in assessing their inclusion in the EPR design As is noted throughout the discussion,
many of the assessments are qualitative in nature but address the need to find economic
alternatives in the future plant designs while maintaining the benefits of current plant operating
experience The results of the design process to date have indicated a need to maintain current
plant design features, in favor of newer and untested passive design concepts to avoid
unnecessary costs and system complications It is expected that as passive system designs
mature, many of the decisions made to date will be re-examined as the plant designs continue to
evolve

MARKET AND UNITS SIZES

Nearly 112 LWR's are operating in Europe (54 in France, 21 in Germany) and another 300 or so
have been operating worldwide for tens of thousand of reactor years with only one significant
accident That one, TMI-2, demonstrated remarkably how serious an accident could be without
affecting public safety The core and the entire plant were badly damaged, yet little radiation
escaped the containment

Not withstanding that record, further use of reactors as a base energy resource is moribund in
most countries but a very few such as France, Japan and South Korea which would otherwise be
extremely, if not totally, dependent on external sources to fulfil their primary energy needs

And yet most responsible officials of industrialized countries believe that considerations of
economic strength, environmental protection and security of procurement of energy resources
dictate that their countries should still rely on nuclear energy in the next few decades

In attempting to review how Framatome, Siemens and NPI contemplate meeting tomorrow's
requirements, it is first necessary to indicate where we see our markets and what will likely be the
corresponding unit sizes

1.1 FRENCH AND GERMAN PLANTS

The German utilities started operation of the last 3 PWR's (Konvoi plants) that were ordered in
the late 1980's

The French national utility EOF has a program for 1450 MWe plants (called N4) to be put in
operation, during the 1990's Four such plants have already been firmly decided Chooz B1 and
B2, Civaux 1 and 2 which will enter commercial operation respectively in winter 95/96, 97 and 98

Both the N4 and Konvoi plants introduce a number of new features which makes them so called
"evolutionary" reactors, compared to the previous generations of plants It may be that they fail to
satisfy some of the minor specifications of the EPRI requirements, but they have a major feature,
which consists in being effectively built and at known prices The experience that this gives us is
a part of our preparedness for the future

The French and German markets will then be dependent on the expected life of the plants built
earlier Extensive studies were made to determine how long their life could be extended , 40
years lifetime is often mentioned, but no formal decision of that sort has yet been accepted No
plant has yet reached such a life and a number of units have been deliberately shut down much
before

Because of this prudency, with regard to life extension it would not be reasonable to schedule the
replacement plants over a short period Therefore, NPI and its Parent Companies plan to be
ready for orders in the first decade of the next century, when the cost of fissile materials will likely
be much more of a concern than today

114
Hence, the design of these plants, which is now being initiated through our cooperation with
French and German utilities, will have to be made with economic assumptions somewhat different
from those now prevailing

The 54 French PWR plants and 12 German PWR plants which will be under operation when,
soon, a few old units will have been shut down, are all in the 900 to 1400 MWe range We see no
reason why the future plants should not be in that range too

1.2 NON-DOMESTIC PLANTS

As far as the industrialized countries are concerned, we consider that the same determining
factors will apply and that they will keep investing in plants of 900 MWe or more Within the frame
of our association with Siemens in the NPI Company, this policy obviously applies to the
development of the EPR

The export customers of Framatome and Siemens have been eager, in the past, to adopt the
technical solutions used in the French or German plants, taken as references The many practical
advantages of this, such as cost, construction schedule, hcensability, operation and maintenance,
will keep applying in the future , the technical choices for the EPR will consequently be made with
an eye towards their acceptability by this group of customers This may be achieved even if the
domestic and foreign plant sizes are different the important point is to have a unified technology
for components, for systems for answers to safety requirements and for maintenance practices

We recognize that certain local conditions tend to call for smaller unit sizes We do plan to try to
find acceptable solutions, but are concerned with the ability to remain competitive with fossil
energy sources, while there are many uncertainties, in the long term, on the pnce of fossil fuel
and on the intensity with which governments will protect the environment against emissions We
have also experienced that, by the time they become prepared to make a decision, potential
customers for 600 MWe plants will be ready to invest at the 900 MWe level because of evolving
needs

The above remarks on reactor size do not totally apply to the USA, where the situation is quite
different The investment amortizing practices and control by PUC's give an incentive to certain
utilities to invest in small plants Vendors are under intense pressure to develop concepts allowing
competitiveness and to claim that they will succeed Should this turn out to be true, the impact on
certain countries outside the USA should not be dismissed This is why Framatome and Siemens
evaluated carefully the feasibility of such concepts

COMPETITIVENESS AND STANDARDIZATION

Costs considerations are important when considering future nuclear plant purchases against
alternative energy sources The element of cost may override any publicly perceived gains in
safety and preclude the nuclear option in some cases It would be useless to expend large efforts
to improve the safety and public acceptance of nuclear technology, if the resulting designs are so
costly that no customer could financially justify the purchase of them A basic strategy of NPI,
strongly supported by its Parent Companies, is to contain costs of future PWR plants in order to
maintain their viability relative to alternative power sources

When talking of costs, it is again necessary to distinguish between generic problems and those
specific to certain countries For instance, in the USA, the high costs experienced in the past
result from a licensing environment generating unpredictible delays and requests for
modifications In many other countries, like France and Germany the licensing processes,
although using similarly severe safety criteria, are such that actual construction and
commissionning is achieved without significant delays We will be careful to do whatever is
necessary, on the vendor side, to preserve such processes , this will likely include the necessity
to design the plants in some detail before construction contracts can be obtained

115
The unit size is a key factor for competitiveness. Looking at the breakdown of costs for a plant
shows that a majority of items follow the iron-rule of increasing costs per kW for decreasing
power. Only a few items have a fixed cost per kW : for instance when decrease of power is
obtained through the use of smaller numbers of standardized components. In a very limited
number of instances may one expect to achieve a function in a cheaper way, by using solutions
which would not work for larger power units.

Claims have been made that a number of safety functions may fall in this category when 600
MWe unit sizes are considered. We consider that such claims should be taken with due caution
as long as extensive, detailed, designs of plants are not yet completed. It is the intent of NPI to
contribute to the clarification of this essential question.

Standardization has been actively applied all along the French program and for the Konvoi plants.
We think it should be pursued in the future. As there will be, proportionally, less domestic plants
and more export plants than in the past, the requirements of the latter should be taken into
consideration while designing the former ; but export customers should also refrain from
unecessary "nationalistic" requirements, if they wish to benefit from standardization ; consultants
and engineering organizations, when working on the preparation of customers specifications,
should remember that they bear specific responsibilities in this respect.

The maximum benefits of standardization will be obtained if it is extended to the whole plant ;
when not possible, one should at least apply it to the nuclear island. When differences must exist
between plants, for instance in terms of unit power, most of these benefits of standardization will
be preserved if one chooses to use existing designs for components, fluid systems,
instrumentation and control, and to apply already used lay-out and building principles.

The concept of standardization should in no way be considered as opposed to evolution.

Evolution in designs may be necessary for a number of reasons. Standardization is a way to take
care of these needs in_an organized manner ; in particular, designers will be wise to select
solutions which will remain licensable and commercially attractive for the longest possible time.
Standardization, then, allows concentration of large engineering efforts in R & D, design,
manufacturing practices, maintenance toolings and procedures ; this concentration is the key to
economics, smooth realization of plants and scrutiny of safety matters.

li SAFETY AND PUBLIC ACCEPTANCE |

Many people in the nuclear industry feel that our difficulty with respect to public acceptance is
primarily the fault of the public, or the media, or the schools, or the anti-nuclear groups.

But we must agree that in a broad sense the public's distrust has its foundations. We said we
were designing and building plants in which a core meltdown was essentially impossible ... and
then came TMI-2. We then argued that we could have meltdowns but not energetic reactivity
accidents, that we might contaminate a power plant but not its neighborhood ... and then came
Chernobyl. The public come away doubtful and with a feeling of having been mislead.

In that respect, our specific contribution should be to prepare the future nuclear technology in a
rigorous and responsible manner, without announcing objectives which cannot be reached in
earnest. Others may have to simplify and to discuss presently fashionable ideas, so as to explain
them in an easier way ; their work deserves respect. Ours is to contribute to public trust renewal
by demonstration of our professionalism.

If they are to be built, a next generation of power reactors should be reactors with designs that, in
both perception and reality, are fundamentally less likely to incur a serious accident.

The utilities would probably like to see in such next generation plants which will operate more
reliably, with higher capacity factors, capable to the greatest practicable degree of thwarting
maloperation by negligent or imprudent operators, and which in addition, when operating limits
are exceeded, have inherent tendencies to return to safe, stable, undamaged conditions without
operator intervention or external power sources.

116
The public and the professionals require that safety matters be reexamined, with an open mind
However, we should avoid over-simplification , safety matters are complex and, even if they have
to be simplified for public presentation, the professionals, among themselves, must keep a
rational, balanced and comprehensive approach It is not a war between passive and active
systems , both have virtues and the best of each must be considered The most important source
of knowledge is Construction and Operating Experience , this should be the foundation on which
to build the future , it has shown us that many other matters must be considered to provide the
best overall safety Let us remember the over-emphasis given to large LOCA twenty years ago,
preventing a sufficient analysis of Small Break accidents then TMI came

A balanced and comprehensive approach is needed with regard to the extent to which safety
functions should be achieved by passive systems There are reasons to think that they will
increase the probability that such functions will be achieved However, one should remember that
there are limitations to such increases passive systems do have failure modes , frequently,
passive systems need an active triggering , they work well only if they are correctly aligned while
dormant, etc The coexistence of active and passive systems is also an interesting issue, in
terms of cost and of safety balance if one does not want to decrease plant availability,
operators, concerned by plant availability, will likely wish to keep their hands on the plant during
perturbed situation, and this can be done only through active systems , the management of long-
term post-accident situations will probably also require active systems The gain in safety,
marginal or significant, can only be determined by extensive and detailed studies , they still have
to be done and we intend to provide our share of them

But, we consider that we should also expend significant efforts in drawing lessons from the past
The careful analysis of construction problems of operation and maintenance incidents, suggests
many precise improvements, the sum of which can bring a significant contribution to safety
enhancement, but, of course, only if our future plants design does not depart radically from
present ones An area where significant progress is at hand concerns maintenance it is now
possible to design a plant in a way which will facilitate its maintainability and hence reduce the
probability (which is not negligible today) that safety relevant problems will be induced by
maintenance operations or faults
Also, the concept of forgiveness to transients and to operator errors, which must be extended to
maintenance errors (in parallel with improved maintainability), is also an important guide in our
design efforts of the EPR

Among the other objectives we pursue, are the reduction (by design) of the personnel exposure,
the simplification of systems and the effort to design a no-release reactor containment

Safety improvements can be achieved through all these means and we are careful not to weaken
these by wild innovations which will induce "youth problems" for the future plants, with
devastating impacts on public acceptance We think the detailed and highly professional work is
what is expected from us in that respect, we view the vast engineering potential available to NPI
as a significant contributor to safety enhancement

POTENTIAL PURPOSE OF PASSIVE SYSTEMS

According to their proponents, the main reasons for considering passive features in system
design are to achieve simple designs and to improve safety or the confidence that adequate
safety is ensured, thus enhancing public acceptance For plant design, the "defense in depth"
approach will be maintained and reasons for introducing passive features will be examined at
each level of defense in depth

> First level : High quality in design, construction, operation

There is no direct impact due to adopting passive design The use of plant features and
designs that ensure increased margins is our prefered approach to achieve smoother plant
response and greater allowed time delays for safety system operation

117
 Second level : Limit operating disturbances through proper design of plant response

No major use of passive features is made or anticipated at this level. In certain cases,
however, passive features introduced at third or fourth level may also be relied upon at the
second level (e.g. decay heat removal).

Third level : Provide engineered safety features to mitigate accident consequences

Passive safety features can be used to replace or reinforce safety functions, introduce
diversity, simplify system design and/or reduce redundancy in active systems.

Fourth level : Severe accidents (beyond level 3}

Passive safety systems are introduced to reduce the risk of a major release by preventing
core melt, mitigation of core melt consequences or preventing basemat meltthrough.

The question for the design of the EPR is : can the use of passive features be applied
without losing the safety advantages of presently operated PWR's ?

INVESTIGATION OF PASSIVE FEATURES

5.1 DEFINITION OF "PASSIVE"

The IAEA definition of a passive component is :

"a component which does not need any external input to operate. It may experience a
change in pressure, temperature, radiation, fluid level and flow in performing its function.
The function is achieved by means of static or dormant unpowered or selfacting means".

The associated definition of a passive system is :

"a system which is composed of passive components and structures" < 1 ) .

The so-called "passive reactors" being developed are not strictly based on this definition, but
more on a definition proposed by EPRI (2) :

"passive system : systems which employ primarily passive means (i.e. natural circulation,
gravity, stored energy) for essential safety functions - contrasted with active systems. Use
of active components is limited to valves, controls and instrumentation"

Therefore passive features according to the EPRI definition were included in the review at the
beginning of the EPR conceptual phase.

5.2 CRITERIA TO ASSESS PASSIVE SYSTEMS

Passive features or systems should be subject to a systematic assessment with respect to the
criteria of simplicity of design, impact on plant operation, safety, cost. The first two assessment
criteria concern, in more general terms, simplicity.

) IAEA 622-I3-TC-633 "Dcscriplion of passive safety-related terms

' EPRI ALWR Requirements document

118
Firstly, the design should be simplified, or at least not complicated by the implementation of
passive features In this context, proven technology of the components employed is requested
Furthermore, the degree of passivity shall be investigated where does a proposed solution rely
on active equipment like valves or on active auxiliary systems like cooling or ventilation ? And the
overall system configuration shall also be simplified If possible, an active system should be
removed, or at least simplified by the implementation of a passive system In addition, the overall
system configuration should be simplified Indicators for that could be for instance the necessity
of system interconnections

Secondly, the operation of the plant and of the passive system should be simple Normal
operational modes like power operation startup, shutdown, refuelling, and maintenance should
not be affected by a passive system Spurious actuation of passive systems would have to be
investigated, as well as the possibility to detect it and to take straight-forward recovery actions to
avoid undue consequences on overall plant operation The operation of the passive system itself
should also be simple this includes initiation which should be based on plant status and not on a
perhaps difficult diagnosis of an accident scenario, as well as system operation (e g need for
adjustment of operational modes as a function of plant status or operating situation should be
avoided)

As a rule, passive features to be implemented should be mspectable and have in-service testing
capability with the testing mode as close as possible to the operational mode of the system

The last two assessment criteria concern safety and cost As already mentioned, the
implementation of a passive system should allow clear safety and economic advantages

New accident scenarios should not be introduced by passive systems This should fit with the
well-proven defense in-depth concept and allow for a gradual response to incidents or accidents
The incident consequences should not be aggravated by the system operation Furthermore, the
multi-barrier concept (strong reactor coolant pressure boundary, control of containment leakages
by double containment) presently existing in French and German PWR should not be weakened
by the introduction of passive systems

5.3 PASSIVE FEATURES INVESTIGATED FOR THE EPR

The idea of performing safety functions by passive means is not new All existing PWRs employ
successfully passive features like accumulators, gravity-driven control rod insertion or natural
circulation in the primary circuit Besides these, more passive features have been included in the
EPR such as

> larger SG and pressunzer volumes to slow plant response to upset conditions ,

> initial SIS line-up (suction from IRWST and discharge to hot and cold legs) fits long term
cooling needs without realignment,

> simultaneous hot and cold leg low pressure safety injection to limit fuel failure risk in case of
large break LOCA ,

> lower core elevation relative to the cold leg cross over piping which limits core uncovery
dunng small break LOCAs ,

> absence of lower head penetration on the RPV for in core instrumentation, thus eliminating
one potential failure mechanism and failure location ,

> passive pressunzer safety valves for both overpressure protection and prevention of spunous
opening (passive opening under pressure increase, passive closing under pressure
decrease),

> a large dedicated spreading area outside the reactor cavity to prevent the molten core-
concrete interaction by spreading and subsequent flooding of the corium

119
> a large water source in the IRWST located inside the reactor building, draining by gravity into
the reactor cavity and the corium spreading area ;

> a double wall containment with a reinforced concrete outer wall and a prestressed concrete
inner wall and an intermediate space maintained passively under small subatmospheric
pressure.

In addition to the above features, about twenty passive features were evaluated at the beginning
of the conceptual phase of the EPR. The depth of evaluation of specific features depended on
interest for their application. About half were briefly examined and dropped without further
evaluation, the others were assessed in more detail. The principal passive features which were
investigated for possible implementation in the EPR are given in Figure 1. They are briefly
described in the subsequent paragraphs.

5.3.1 Passive high pressure residual heat removal system (Figure 2)

The objective of this system is to remove the residual heat for events where existing designs take
into account secondary side cooling, so as to replace the emergency feedwater system (EFWS).
The primary water flows by natural circulation through the RHR heat exchanger located in an
elevated water filled pool. The RHR heat exchanger is cooled by the pool water which evaporates
into the containment. A containment cooling system becomes necessary or the pool must be
cooled by an active cooling system. Active measures are required such as opening of valves for
RHR system flow and start of heat removal from the pool or containment. The main results of the
assessment of this system were the following :
Flow rate through the RHR system depends (a) on the elevation between levels of the reactor
coolant system (RCS) loops and the RHR heat exchanger and (b) on diameter of RHR pipes.
This concept leads to a significant extension of class 1 equipment.

LIST OF PRINCIPAL PASSIVE SYSTEM

APPROACHES INVESTIGATED
D PRIMARY-SIDE RHR

1 (HIGH PRESSURE) HEAT EXCHANGER CONNECTED TO PRIMARY SIDE, PASSIVE COOLING

0 SECONDARY-SIDE RHR

2 CONDENSER CONNECTED TO SECONDARY SIDE, WATER COOLING ON TERTIARY SIDE

3 PASSIVE EMERGENCY FEEDWATER SYSTEM (EFWS)
4 SECONDARY DEPRESSURIZATION AND PASSIVE FEED

a PRIMARY-SIDE INJECTION OR MAKE-UP

5 MEDIUM-HEAD SAFETY INJECTION BY ACCUMULATORS

6 GRAVITY-DRIVEN LOW-HEAD SAFETY INJECTION FROM TANK/SUMP BY PRIMARY SYSTEM
DEPRESSURIZATION

O CONTAINMENT HEAT REMOVAL

7 METAL CONTAINMENT OUTSIDE COOLING (WATER/AIR)

8 SUMP COOLER WITH PASSIVE COOLING CHAIN
9 CONDENSER COOLERS (PASSIVE ON THE CONDENSING SIDE)

FIGURE 1

120
 PRINCIPLE SCHEME OF PASSIVE RHR-
SYSTÊM

PASSIVE HEAT
EXCHANGER

FIGURE 2

Installation of water pool including RHR heat exchanger at about the same level as the operating
floor and assuming that more than one train, including pool, would be necessary lead to a
complex arrangement of the reactor building.

An operational system would also be necessary to bring the plant to cold shutdown conditions for
refueling. Although the passive RHR system presents the potential advantage of easy operation,
it was not retained for the EPR because it failed to pass the criteria of design simplicity, safety
improvement and cost reduction among the selected criteria.

5.3.2 Safety condenser (Figure 3)

The objective of this concept is to constitute an autonomous, self fed secondary-side residual
heat removal system.
The main element of this system is the safety condenser itself, located outside the containment
and connected to the steam generator on the steam side and on the water side, and the
demineralized water pool, which is connected to the shell side of the safety condenser.

During normal plant operation the system is on standby and is separated from the SG by the
closed isolation valves in the condénsate line. The valve in the steam supply line is locked in the
open position, so that the condenser is full of cold condénsate on the tube side and is at main
steam pressure. On the shell side, the condenser is partially filled : the closed control/isolation
valve prevents the inflow of demineralized water from the demineralized water pool. To start up
the system at demand, the redundant, diverse condénsate drain valves and the isolation valve in

121
 SYSTEM CONFIGURATION SACO + SSS
=> "Break Preclusion" Pan o On - OFF Valve (Could be
Pneumatic or Eléctrica/!
>•< Normal Position - Closed
Control Valve (Could de
1X3 Normal Position « Open Pneumatic or Electricen

REACTOR BUILDING ANNULAR BUILDING WATER STATION

CONTAINMENT SAFEGUARD AREA CONVENTIONAL AREA

FIGURE 3

the demineralized water supply system are opened and the load controller activated Draining of
the secondary side of the condenser exposes heat transfer surface , heat exchange from the
steam generator to the condenser takes place when level on the tube side falls below that on the
shell side The cold condénsate flowing from the condenser into the SG absorbs energy, before
heat removal by the condenser actually begins After the system run-up time, which is governed
chiefly by the draining characteristic of the condenser, cooling begins This is achieved by the
admission, via the redundant, diverse control stations, of demineralized water from the
demineralized water pool, which is at a higher static head This results in evaporation to the
atmosphere acting as a heat sink

The power supply for the valves required in normal operation and to ensure operation even under
emergency conditions is provided by a battery-backed emergency supply bus Since only a small
electrical power is required a grace period of several hours is conceivable for restoring the
function of any a c generators which may have failed

Although the safety condenser concept presents potential reduction in activity release in the case
of a SGTR, this concept was not retained either for the EPR because it failed to pass all the
selected criteria Specifically, the system does not meet simplicity and cost criteria

5.3.3 Passive EFWS (Figure^

The objective of this system is the same as that of the safety condenser The heat exchanger and
the demineralized water pool are combined in a single component instead of two separated
components

122
 PASSIVE SAFETY CONDENSER

EMERGENCY
—NITROGEN OR FEEDWATER
COMPRESSED AIR TANK

FIGURE 4

In order to avoid elevated storage of large inventory of water an emergency feedwater tank under
nitrogen or compressed air located at ground level allows to replenish the passive condenser as
and when required, according to water evaporation. This system failed to meet the simplification,
operation and cost criteria.

5.3.4 Secondary side residual heat removal and passive feed (Figure 5}

The objective of this system is to remove the residual heat from the core for events such as
station blackout and complete loss of feedwater by providing a passive mean to supply water to
the steam generators (SG).

Elevated demineralized water pools, large enough to supply the SGs during several hours (station
blackout duration), provide flow by gravity once the associated control valves have been open
and after closure of the SG main steam isolation valves. The cooldown is performed by steam
release to the atmosphere through dedicated relief valves.

The main drawback of this concept is the elevated pools, which must be protected against
external events, particularly earthquakes. Movements of large inventories of water and the design
of their supporting structures are major safety and cost challenges.

This concept was also dropped because it did not pass any of the four categories of evaluation
criteria.

123
 RHR SECONDARY SIDE
SECONDARY DEPRESSURIZATION &
PASSIVE FEED

PROTECTED AGAINST
EXTERNAL EVENTS

; «
"-r Demineralized
water pool

MAIN STEAM &

FEEDWATER VALVE
COMPARTMENT

FIGURE 5

5.3.5 Medium-head safety injection by accumulator (Figure 6)

The objective of this system is to simplify the safety injection system (SIS) without reduction of
safety level with respect to existing plants. The idea was to delete the medium head safety
injection (MHSI) pumps so as to reduce the SIS cost, to require less maintenance and to simplify
operation of this system.

In order to fulfill the MHSt functions it is necessary to provide for an automatic depressurization
system and high pressure accumulators. Potential difficulties arose during the assessment of this
concept. A safety grade boration system appeared to be necessary for non-LOCA events and
steam generator tube rupture (SGTR). The management of this accident would have to be
reconsidered and questionable operating modes were discovered.
This concept was also dropped because it would finally lead to extra cost with respect to
conventional active safety injection systems, thus failing to meet the primary objective

124
 With MHSI-> 50m 3| 45 bar
MEDIUM-HEAD SAFETY INJECTION Without MHSI-> 25m " 25 bar
BY ACCUMULATOR

HL1

-@——fÄvv ND 250 / ND 200 NO 300 / ND 300

LHSI

• •«V* Deleted line

^••a Added line
Maintained line or
modified 0 (ND 250 w/o IRWST
MHSI - ND 200 with MHSI)

• ^-. ^ J •«— -li»i

MHSI

ND 400 / ND 500
IRWST

FIGURE 6

5.3.6 Gravity-driven low-head safety injection from tank/sump by primary system

depressurization (Figure 7)

The objective of this system is to provide an efficient ultimate back-up for injection of water at low
pressure in the long term. The RCS is flooded with water above the loop level and water flows by
gravity from sumps, through check valves, into the reactor vessel. The decay heat is removed to
the containment atmosphere by evaporation of the flooded water. The steam produced inside the
containment condenses on cooled surfaces of a containment cooling system and the
condensâtes flow back to the RCS.

Active measures are required, like other systems . opening of isolation valves, opening of RCS
discharge and feed line from the sumps, and start of heat removal system from the containment.
The principle results of the assessment of this system were the following :

A large amount of water is necessary to flood the RCS and depends on the reactor building lay
out. For the French 4 loops plants with cylindrical prestressed concrete containment, this volume
may vary between 4700 m3 and more than 10000 m3.

Large diameter of discharge line(s) and small flow resistance check valves are necessary to allow
gravity flow to the reactor vessel. Spurious opening of valves in the discharge line(s) would have
to be avoided. Additional connections to the RCS are required for discharge line(s) and feed line
(s). A full scale test to verify the concept would be extremely costly.

Although the passive low head safety injection system presents advantages, such as providing a
back-up to low head safety injection pump and avoiding long term recirculation outside the
containment, it was not retained for the EPR because it also failed to pass the criteria of design
simplicity, safety improvement and cost reduction among the selected criteria.

125
 BACK-UP OF LOW HEAD
SAFETY INJECTION SYSTEM

FIGURE 7

5.3.7 Metal containment outside cooling (Figure 8)

For metal containment structures, a concept in which heat removal is ensured by conduction
through the containment wall is in principle feasable. Inside containment, heat transfer is by
natural convection in the containment atmosphere and condensation on the containment wall
inner surface. Outside containment, several alternate cooling schemes can be envisaged. A
completely passive concept, using natural circulation air cooling, is only possible for small unit
sizes and in the long term, after decay heat is sufficiently reduced. Thus, additional means based
on water spray on the outside containment surface is required at least in the short term. For the
larger unit size of the EPR, such water-circulation assisted outside cooling is required also in the
long term. Use of water cooling outside, without evaporation and based on an active cooling
circuit with pump and heat exchanger, then also maintains a double containment barrier, which is
not possible in case of a natural air circulation cooling mode. However, in such a containment
heat removal concept the passive means of heat removal is provided only inside containment.
Furthermore, the heat transfer capacity by condensation on the inner containment surface in the
presence of noncondensable gases is limited and, for the larger EPR unit size, not capable of
avoiding relatively elevated containment pressure (several bar), for the medium term following an
accident.
It is for these reasons, as well as for the fact that the EPR uses a concrete rather than a steel
containment concept, that this option has not been retained for EPR.

126
 METAL CONTAINMENT
OUTSIDE COOUNG

SPRAY
WhOLT RECIRCULATION
(STEAM PRODUCTION)

FIGURE 8

5.3.8 Sump cooler with passive cooling chain (Figure 9)

The objective of this concept is to remove the decay heat following a LOCA by natural circulation
from the reactor building sump via submerged coolers and a secondary cooling system to the
atmosphere.
Like many other passive concepts, opening of valves is necessary to start operation of this
system.

Additional measures to transfer the heat from the containment sump were estimated to be
necessary during the evaluation of this concept. A large heat transfer suface for sump cooler (a
minimum of 1000 m2) was found to be required.

The passive sump cooling feature was dropped because the height difference between the
ultimate heat sink and the sump cooler to secure natural circulation (a minimum of 20 m) would
lead to unbearable costs.

5.3.9 Containment condenser coolers (Figure 10)

The objective of this system is to provide a passive mean, at least inside the reactor building, to
remove the decay heat in the long term after a severe accident, in order to avoid the internal
pressure exceeding the containment design pressure.

127
 SUMP COOLER
ARRANGEMENT EXAMPLE

FIGURE 9

Steam, driven by natural circulation, condenses on the outside surface of coolers. Cooling water
circulates inside the coolers surface. The cooling system is active and located outside the
containment.

The major drawbacks of this system, in comparison to existing spray systems, are the following :

Heat transfer and containment pressure reduction capability are strongly dependent on
the presence of non-condensable gas and on general convection movements inside the
containment.

Condensers must be located in the upper part of the containment where hydrogen is likely
to accumulate. They constitute hydrogen traps, thus reducing heat transfer capability and
increasing the risk of explosion

Large room for lay-out is required above operating floor which is a congested area during
maintenance and refueling

128
 CHRS SYSTEM

Nilrogen
Supply

FIGURE 10

The condensers are of no help in reducing source term outside containment because they
have no effect on aerosols and they decrease containment pressure slower than a spray
system

However, this system offers several advantages, the major one with respect to a containment
spray system being that it avoids recirculation of highly radioactive water outside the containment
after a severe accident

The Figure 11 summarizes the assessment done of the principal passive systems listed in Figure
1 All of them were dropped after screening through the criteria mentioned in paragraph 5 2 The
containment condenser coolers might be reconsidered to solve one of the severe accident
challenge how to remove heat from a building without circulating any fluid through its walls and
without impairing its leak tightness ?

Many engineers have come around to the idea that hybrid systems combining active and passive
features represent an attractive alternative to existing designs This is supported by the utilities
which contribute to the development of the EPR They consider that more important than passive
features are simplicity, reliability and less complicated control and automation

129
 CRITERIA FOR EVALUATIOM OF "PASSIVE SYSTEMS'

PRIMARY SECONDARY
enlejía Foí* EVALUATION SIDE RHR SibÉ RHR
H.P. Safety Passive Second. dep. &
' *•>••?. ¡'tfftív* föf.^w , *\ ...... .. ...,„„„--,„„„„„„, RHRS Condenser EFWS feed
DESIGN SIMPLICITY
System configurations simplified relative to actual solutions 7 No No No Yes
Number of "Active" components within "Passive system" Nihil 2 valves CU 1 valve H) Nihil
Passive components based on proven technology 9 small experience small experience Same except design No
base base against earthquakes
Triggering of system actuation by plant status or operator Operator Plant status Plant status Plant status
IMPACT ON PLANT OPERATION
Negative impact on normal plant operation, including No No No Yes
refueling and maintenance, avoided ?
Consequences of a spurious activation ? Plant trip Plant trip Plant trip No

Is a recovery possible ? Yes Yes Yes

SAFETY
Does the solution provide diversity ? Yes Yes, if EFWS is kept Yes, if EFWS is kept Yes
Reliability trend for the proposed solution "> Neutral Neutral Neutral Theoretically
positive
Is periodic testing possible ?
- Only during start-up shutdown Yes Yes Yes Partially
- During all operating modes No No No No
Are new accident paths avoided ? No Not completely Not completely Yes
COSTS
Development costs for design, verification, computer High Medium (design Medium (design Low/
codes test facilities against earthquakes! against earthquakes) medium
Overall cost estimate Increased Increased Increased Moderate
Cost benefits due to savings in systems replaced or EFWS savings EFWS eliminated EFWS savings EFWS savings
simplified by the proposed solution ?
(1) Control valves (2) 4 LHSI pumps + 2 boration pump s

FIGURE 11
 CRITERIA FOR EVALUATION OF "PASSIVE SYSTEMS'

PRIMARY SIDE CONTAINMENT HEAT

GRITERÍA FOR EVALUATION
•.v -. '-. " ¥• *> s
INF JECTION OR MAKE-UP - „.„. REMOVAL
%.

MHSI by Gravity Metal cont. Sump Cont. wall

accumulât. LHSI cooling coolers condensers
DESIGN SIMPLICITY
System configurations simplified relative to actual No Yes No No No
solutions ?
Number of "Active" components within "Passive system" 6 pumps (2) Nihil Nihil only for small Nihil only for at least 2 pumps
power units small power units
Passive components based on proven technology ? Yes No No Yes No
Triggering of system actuation by plant status or Plant status Plant status Plant status Operator Operator
operator
IMPACT ON PLANT OPERATION
Negative impact on normal plant operation, including No Yes Yes Yes No
refueling and maintenance, avoided ?
Consequences of a spurious activation ? Plant trip + SI No No No No
Is a recovery possible ? Yes No No Yes Yes
SAFETY
Does the solution provide diversity ? Yes Yes Yes Yes Yes
Reliability trend for the proposed solution ? <Active SIS Neutral Positive Positive <CSS
Is periodic testing possible ?
- Only during start-up shutdown Yes Partially Partially Partially Partially
- During all operating modes No • No No No No
Are new accident paths avoided ? No Yes Yes Yes No
COSTS
Development costs for design, verification, computer Small/ Low High Low Medium
codes test facilities medium
Overall cost estimate Increased High Not feasable for Not feasable for Increased
large power units large power units
Cost benefits due to savings in systems replaced or SIS savings Small No No R B coolers
simplified by the proposed solution ? eventual savings
(1) Control valves (2) 4 LHSI pumps + 2 boration pumps

FIGURE 11 (cont)
 CONCLUSION

The environment surrounding the nuclear power industry is changing, both due to economic
factors and greater impact of public perception on nuclear plant designs throughout the world, it
has become imperative to address both the technical and public perception issues now more than
ever before.

The design process begins by defining the intended plant size for future plants. Current
experience in France, Germany, and the rest of the world indicate that the new plant sizes, at
least for the foreseeable future, will be large, in the 900 MWe and above range. This favoring of
larger plants sizes is based on proven operating experience and the economic advantages of
size, using available proven technology.

The EPR is being developed to address all issues of safety, public perceptions and economics.
The experience to date in both France and Germany on standardization of the plant design is a
large factor in the overall EPR design.

Although the current standard designs have performed well, evolution of the design, using better
active and passive features add to the overall plant safety and economics. Additionally, the
development of a standard plant that is nearly fully designed prior to obtaining a construction
contract, allows for the concentration of large engineering efforts in R&D, design, manufacturing
practices, maintenance tooling and procedures to meet the market demands for safety,
availability and economy.

In general, the majority of passive features considered thus far are still unproven through test or
operation. As such, the features remain economically unjustified or actually lead to plant
complications that may degrade rather than enhance safety. For these reasons, NPI has not yet
embraced a large number of new passive features for use in the EPR. As technology and
experience evolves, NPI will continue to pursue both active and passive features that improve
plant safety as well as ensure that nuclear power remains cost competitive with alternative power
production sources.

132
 DIMENSIONING OF EMERGENCY CONDENSERS IN XA9743164
ACCORDANCE WITH SAFETY REQUIREMENTS

C PALA VECINO
SIEMENS, Energieerzeugung,
Offenbach, Germany

Abstract

The emergency condensers are heat exchangers consisting of a parallel arrangement

of horizontal U-tubes between two common heads. The top header is connected via piping
to the reactor vessel steam space, while the lower header is connected to the reactor vessel
below the reactor vessel water level. The heat exchangers are located in a pool filled with
cold water. The emergency condensers and the reactor vessel thus form a system of
communicating pipes. At normal reactor water level, the emergency condensers are flooded
with cold, non-flowing water. No heat transfer takes place in this condition. If there is a
drop in the reactor water level, the heat exchanging surfaces are gradually uncovered and the
incoming steam condenses on the cold surfaces. The cold condénsate in returned to the
reactor vessel.

In this way, heat is removed from the reactor vessel and water simultaneously
supplied to the reactor vessel. This means that the emergency condensers function as a heat
removal system while at the same time serving as HP and LP coolant injection systems. The
emergency condensers operate with the highest possible degree of passivity imaginable,
namely through a drop in the reactor vessel water level alone, requiring neither control
systems nor power supply. The design of the emergency condensers must meet the
requirements dictated by the thermal and the hydraulic conditions.
r
Taking into consideration a redundancy degree of N + 2, a specific thermal rating
of 63 MW per emergency condenser results for a reactor with an output of 2778 MW. the
total performance of the emergency condenser system in thus 252 MW, or 9.1 % of reactor
output.

The probability of failure of the emergency condenser of Siemens SWR 1000 is

approximately 10"4 per demand, while that of older emergency condenser designs is
approximately 2 to 3 x 10~3 per demand.

1 Introduction

The Power Generation Group (KWU) of Siemens AG and the German electrical pow-
er utilities - particularly those operating boiling water reactor plants - are together
developing a new reactor type which is characterized in particular by its passive safe-
ty systems.

These passive safety systems, which have been described in a separate paper on this
subject, are the fol lowing:

- 4 emergency condensers
- 4 containment cooling condensers

133
- 8 passive pressure pulse transmitters
- 6 gravity-driven core flooding lines
- 8 rupture disks arranged in parallel to the relief valves
- 2 scram systems

There are a variety of reasons for introducing passive safety systems, the most impor-
tant of which are the following :

a) Increasing the safety of future nuclear power plants is a prerequisite to increas-

ing public acceptance of nuclear power.

b) Reactor safety systems must be simplified in order to reduce capital costs.

2 Emergency Condensers (figure 1)

Whether accident conditions involve loss of coolant or not, the emergency condens-
ers play a central role in accident control.

Conditions during Conditions after Transients Involving

Power Operation Drop in RPV Level

Figure 1
SWR 1000 - Isolation Condenser

134
The emergency condensers are heat exchangers consisting of a parallel arrangement
of horizontal U-tubes between two common heads. The top header is connected via
piping to the reactor vessel steam space, while the lower header is connected to the
reactor vessel below the reactor vessel water level. The heat exchangers are located
in a pool filled with cold water. The emergency condensers and the reactor vessel
thus form a system of communicating pipes. At normal reactor water level, the
emergency condensers are flooded with cold, non-flowing water. No heat transfer
takes place in this condition. If there is a drop in the reactor water level, the heat ex-
changing surfaces are gradually uncovered and the incoming steam condenses on
the cold surfaces. The cold condénsate is returned to the reactor vessel.

In this way, heat is removed from the reactor vessel and water simultaneously sup-
plied to the reactor vessel. This means that the emergency condensers function as a
heat removal system while at the same time serving as HP and LP coolant injection
systems. The emergency condensers operate with the highest possible degree of pas-
sivity imaginable, namely through a drop in the reactor vessel water level alone, re-
quiring neither control systems nor power supply.

3 Previous Know-How and Experience with Emergency Condensers

The first generation of boiling water reactors built by General Electric and under li-
censes from GE were equipped with similar emergency condensers (figure 2).

In Germany, the Gundremmingen A nuclear power plant unit, which began opera-
tion in 1966, is provided with a system of this type.

The emergency condenser in this design is a tank filled with water containing two
tube bundles, to which the connecting piping from the main steam line is connected.
The inlet valves in the supply lines to the tube bundle are always open; the outlet
valves are normally closed such that the tube bundles are filled with condénsate. In
the event that emergency condenser operation is initiated as a result of excessive
pressure in the reactor, the outlet valves open automatically and natural circulation
is established. The primary steam enters the tube bundles, condenses and is returned
by gravity force to the reactor vessel. During the condensation process, the water in
the condenser is heated and starts to boil; the resulting steam is discharged from the
condenser to the atmosphere. The water inventory is sufficient to last for a period of
up to approximately four hours subsequent to reactor scram without makeup supply
to the emergency condenser.

The emergency condenser installed at Gundremmingen A has a thermal duty of ap-

proximately 48 MW at a reactor pressure of 70 bar and a water temperature in the

135
 Containmentwall

Emergency or Isolation Condenser

sz

Figure 2
KRB - A Emergency condenser diagram

emergency condenser of 120 °C (corresponding to about 2 bar and saturated condi-

tions).

The elevation differential between the emergency condenser and the steam lines is
approximately 12m.

The functional capability of Gundremmingen A's emergency condenser system was

tested and measured several times in the course of the units service life. The atta-
ched figure 3 shows the results of testing conducted on May 10, 1975. Here, emer-

136
gency condenser performance is presented as a function of reactor pressure. Two
curves are indicated, one for the cold water (approximately 30 °C) and the second for
the boiling water condition (approximately 116 °C) in the emergency condenser. The
measuring points are identified with numbers which indicate the measuring sequen-
ce. At the beginning (measuring point 1), cold water is in the emergency condenser;
the water heats up in the course of time until the boiling temperature is finally rea-
ched. The design point is also given for the purpose of comparison.

The heat exchangers employed in our new emergency condensers are identical to
those used at Gundremmingen A, i.e. a well known component with proven opera-
ting experience.

4 Design of Emergency Condensers for SWR1000

The design of the emergency condensers must meet the requirements dictated by
the following two conditions:

- Thermal conditions, and

- Hydraulic conditions.

70

t 60
cold water (30 °C)

50
JD
(0
Q. l Design
TO capability
O
O) 40
c \ i
I
O
boiling water (116°C)

30

20

O Measuring point

10

10 20 30 40 50 60 70
Pressure [ bar ]

Figure 3
KRB-A
Cooling capability of the emergency condenser
Measurement on May 10,1975

137
The effects of the thermal condition parameters are relatively well known to us from
the evaluation of emergency condenser testing conducted at Gundremmingen. As
we have altered the elevation conditions in the radial direction in comparison to
Gundremmingen A, new sizing calculations have been performed. An emergency
condenser test rig was constructed at the Julien nuclear research center in order to
provide experimental verification of our calculations. We will visit Julich for the pur-
pose of viewing the test rig. The elevation conditions for the BWR 1000 are shown in
Figure 4.

In contrast to the emergency condenser at Gundremmingen, the performance of our

emergency condenser is dependent not only on the primary system pressure, but al-
so on the reactor vessel water level.

Drywell 22.258

Flow - Limiter
DN 365 N.

17430-

Water level during normal

operation

RPV

Water level at full cooling

capability ol the condenser
9000-

BORDA - Nozzle
anticirculation
7 194
barrier
Wetwell

4394-

-350-
1 50

Figure 4
SWR 1000 - Isolation condenser (schematic)
(Height in m above ± 0.0 elevation in RPV)

138
 100

90

S
g. 80
ra
O
en
Í 70
o
O

60

50

40

30

20

10

10 20 30 40 50 60 70

Pressure [ bar ]

Figure 5
SWR 1000 - Emergency condenser.
Cooling capability as a function of the pressure in
the RPV

2o
100 ****'

QH = Cooling capability at lower HPV water level

^
90
GO = Maximum cooling capability ^
80 *r

70 _^^

S
/
60
> /
50

40
/
30
/
20
/
10 J

0
C) 1 2 3 4 5 6 7 8
AM F m 1 ............m~te»~

Figure 6
SWR 1000 - Emergency condenser.
Cooling capability as a function of loss of water level
in the RPV. (AH in m)

139
The interdependencies between emergency condenser performance and the pres-
sure and water level in the reactor vessel are illustrated in Figure 5 and 6. An initial
estimation shows that the interconnection of these two parameters is a multiplica-
tive. The principal data for the emergency condenser system are shown in Table 1.

The emergency condensers are mainly employed for accidents involving transients
(loss of main heat sink), whereas in the case of loss-of-coolant accidents (LOCA) only
a limited accident control scope can be assumed by these components. The most im-
portant passive systems in the case of a LOCA are the pressure pulse transmitters and
the gravity-driven core flooding system. These means that - from the point of view
of safety - the emergency condenser system must only accommodate the decay heat.
Taking into consideration a redundancy degree of N 4- 2, a specific thermal rating of

Table 1 : Principal Data of Emergency Condenser System

Number of emergency condensers 4

Design 1 tube bundle comprising a

four-pass U-tube configuration,
with connection to two com-
mon headers

Performance of each emergency condenser 63 MW given a primary system

pressure of 70 bar, a core flood-
ing pool temperature of 40 °C,
and a reactor vessel water level
drop of 8.20m

Heat transfer area per condenser 138 m2, comprising 104 tubes;
tube diameter: 44.5;
wall thickness: 2.9 mm

Design conditions:
Primary side 88 bar, saturated water
Secondary side 0-10 bar

Temperature:
Primary side 300 °C
Secondary side 40-180°C

Size (diameter) of connected piping - Supply steam line: 400 mm

- Condénsate discharge line:
200mm
- Headers
o steam side: 500mm
o condénsate side: 300 mm

140
63 MW per emergency condenser results for a reactor with an output of 2778 MW.
The total performance of the emergency condenser system is thus 252 MW, or 9.1 %
of reactor output.

Given this emergency condenser rating, accident control of some transients

becomes very interesting:

The heat removal capacity in the lower pressure range corresponds to that of
2 to 3 relief valves (see figure 7).

400

300

JO
to
Q.
CO
Ü
O)
c
"5
o
Ü
200

100

20 40 60 80
pressure in RPV [ bar]

Figure 7
SWR 1000 - Comparison between the cooling capability
of the isolation condenser and those of the safety relief
valves

141
 In the event of a stuck-open relief valve with simultaneous failure of all reac-
tor vessel injection possibilities, the core will not become uncovered until
some 24 hours after the onset of accident conditions.

Dimensioning of the emergency condenser

thermal condition

Q = ka . A. (tRVp - tc) = m (hv + c (tRVp - tout))

nomenclature

Q = Rate of heat transfer

ka = Average overall heat-transfer coefficient
A = Heat-exchanger surface area
m = mass f lowrate, tube inside
hv — Heat of vaporization
c ™ specific heat of condénsate
tRVP = Temperature of steam in the RPV
tour = Temperature of condénsate of the EC outlet
tc = Temperature of water in the EC (tube outside)

hydraulic condition

DP = (P0. hc - PRPV - hRpv) g = 1 /2 . m2 (S Z¡/PiA¡2)

momenlature

DP = Difference of pressure
PRPV = Density of wate r in RPV
PO = Density of condénsate at the EC Outlet
he = Elevation differential between water level inside of the EC and Inlet in
RPV
hRpv = Elevation differential between water level inside of the RPV and Inlet
of condénsate in the RPV
g = Gravity acceleration
m = Mass flow, tube inside
zj — Resistence coefficiente in section i
P¡ = Density in section i
A¡ = Cross-section area of piping in section i

142
5 Reliability of Passive Emergency Condenser System

As little data are available on the reliability of passive components, I would just like
to make a comparison with some systems which are either similar or which are in-
tended to perform approximately the same tasks, such as:

The emergency condenser system at Gundremmingen A, and

The residual heat removal systems at Gundremmingen Units B and C (initial
startup in 1984), which constitute the Siemens KWU Group's ABWR series.

I know that these three systems are not completely comparable, because they do not
perform identical functions. Nevertheless, I would like to point out the failure prob-
abilities of functions - according to groups - for the purpose of orientation. These
failure frequencies are shown in Table 2.

6 Conclusion

With this information, I hope I have adequately introduced a very interesting com-
ponent for passive heat removal from the reactor vessel. Of this component, the fol-
lowing can be said:

a) It is more reliable that components designed for comparable functions.

Table 2: Comparison of Magnitude of Failure

Probabilities perdemond of Various Residual Heat
Removal Systems

Failure Probability BWR 1000 Gundremmingen A Siemens-KWU

Emergency Type Emergency Series ABWR
Condenser Condenser Active RHRS
System

Signal acquisition
and processing - 1 E-3 1 E-4
Startup failure
(valves, pumps, etc.) - 1E-3 1-3E-2
Failure during
accident (7 days) - 1E-4 1 E-2
Failure of piping and
heat exchanger tubing 1 E-4 1 E-4 1 E-3
Failure of power supply
(from this, failure of 2E-5
emergency power - 1E-5 (2 E -2)
supply)

143
b) It is considerably less expensive than the residual heat removal systems imple-
mented to date, which comprise a primary circuit, a component cooling sys-
tem and a final cooling system, each equipped with pumps, valves and heat
exchangers, etc. These latter systems are provided with a diesel generator as a
redundant power supply system. The cost of one train (without considering
infrastructure elements such as the building, etc.) can be assumed to amount
to some DM 100 million. In contrast to this, the cost for an emergency con-
denser system (comprising four emergency condensers) is estimated to cost
between somewhere between DM 10 and 20 million.

144
 PASSIVE HEAT REMOVAL IN CANDU XA9743165

R.S. HART, V.G. SNELL

AECL CANDU
Sheridan Park Research Community,
Mississauga, Ontario

L.A. SIMPSON, D.B. SANDERSON

AECL Research - Whiteshell,
Pinawa, Manitoba

Canada

Abstract

The Three Mile Island accident spurred a world-wide interest in severe accidents.
The initial reaction was to increase the preventative measures in existing designs,
followed by development of predictive capabilities to improve the management of severe
accidents111. Recently, emphasis has been placed in new designs on mitigative
measures which slow down or contain the progression of a severe accident. U.S.
requirements for Advanced Light Water Reactor designs must now:

provide reactor cavity floor space to enhance debris spreading

provide a means to flood the reactor cavity to assist in the cooling
process121

This paper describes how CANDU Pressurized Heavy Water Reactors (PHWRs)
have severe accident prevention and mitigation131 inherent in the design; in particular, the
U.S. severe accident requirements can be met without significant change to the design
of current CANDUs.

2. AVAILABLE WATER NEAR THE FUEL

CANDU is a horizontal pressure-tube reactor, with the fuel bundles located inside
several hundred 10.5-cm diameter, 0.48-cm thick pressure tubes1. Twelve 0.5 m-long
fuel bundles reside within each pressure-tube. The 37-element fuel bundle is in close
proximity to the pressure tube, separated from it by means of 1.1-mm high bearing pads
on the outer fuel elements. The heavy-water coolant flows over and through the fuel
bundles and is contained by the pressure tubes within the core.
Since the pressure-tube operates at approximately the coolant temperature
(300°C), it is thermally insulated during normal operation from the heavy water moderator
(65°C) by the carbon dioxide filled annulus formed between the concentric pressure tubes
and calandria tubes. The calandria tube forms the outer boundary between the gas and
the moderator (Figure 1). The assembly of fuel, pressure-tube, gas annulus and
calandria tube is collectively called the fuel channel. The total radial distance between
the fuel and the moderator is 1.5 cm.

Unless otherwise specified, specific numerical values refer to the CANDU 9 reactor. However
the relationships between the values and the conclusions are generic to all CANDUs.

145
 CALANDRIA TUBE ZIRCALOY SHEATH

GAS GAP
Z
Z
\
\
A
COOLANT PRESSURE TUBE U02 PELLET FUEL BUNDLE
(HEAVY WATER)

FIGURE I Separation of coolant and moderator

The moderator is contained within a low-pressure tank, called the calandria.

During normal operation, about 4.4 % of the thermal output of the core is deposited in the
moderator, a small amount by conduction from the channels, but mostly by direct
deposition of fission gamma rays. This heat is removed via dedicated external moderator
heat exchangers; external pumps circulate the moderator through the heat exchangers
and provide momentum to mix the moderator within the calandria. They are powered by
normal Class IV electrical power, backed up by Class III emergency diesel power when
required.

The moderator role as an emergency heat sink for the fuel in a severe accident
is discussed below. In this role, its active heat removal capability is enough to
continuously remove all fue! decay heat following 15 seconds after reactor shutdown.
The moderator specific volume is typically 8 litres/kW(th) at 1 % decay power, or enough
to absorb (through heat-up and boil-off) over 5 hours of decay heat from the fuel,
assuming no heat removal from the moderator fluid.

The calandria vessel is in turn contained within a shield tank, which provides
biological shielding during normal operation and maintenance (Figure 2). It is a large
steel or concrete tank filled with ordinary water. During normal operation, about 0.4 %
of the thermal output of the core is deposited in the shield tank and end shields, through
conduction from the calandria structure and fission heating. This heat is removed via the
end shield cooling system, consisting of pumps and heat exchangers.

The shield tank's role as an emergency heat sink for the fuel in a severe core
damage accident is discussed below. In this role, its active heat removal capability is
enough to continuously remove all fuel decay heat a few days after reactor shutdown.
The shield tank specific volume is typically 16 litres/kW(th) at 1 % decay power, or enough
to absorb (through heat-up and boil-off) more then ten hours of decay heat from the fuel,
assuming no heat removal from the shield tank water.

146
 Concrete
Structure

FIGURE 2: Shield tank as core catcher

TABLE I
CAPABILITIES OF MODERATOR AND SHIELD TANK
IN SEVERE ACCIDENTS

System Continuous Heat Specific Fluid Volume Time to Heat Up

Removal at Decay Power and Boil off All
Capability Fluid By Fuel
(% full thermal Decay Power, No
reactor power) Heat Removal

Moderator 4.4 % 8 litres/kW @1% > 5 hours

Shield tank 0.4 % 16litres/kW @ 1% >10 hours

32 litres/kW @ 0.5% > 20 hours

3. MODERATOR AS HEAT SINK FOR THE CHANNEL

All large pipes in the CANDU Reactor Coolant System (PCS) are above the core.
They consist of headers, or collectors, to which each channel is connected via a 6-cm to
8-cm diameter inlet and outlet feeder pipe; plus pump suction and discharge piping and
steam generator inlet and outlet piping. A large break in one of these pipes would cause
rapid voiding of the pressure tubes. As with other water-reactor designs, the emergency
core cooling system (ECC) provides high-pressure injection of water to refill the core. In
CANDU ECC water is supplied to all the reactor headers.

147
 A failure of ECC in light-water reactors, will, if uncorrected, lead to a meltdown of
the core. In CANDU, a loss of coolant with a failure of ECC will be arrested by the
moderator short of UO2 melting. The mechanism is as follows141:

The fuel will heat up due to decay power, since no heat is being removed by the
RCS. Since the pressure-tube is close by, it will also heat up, by conduction and
radiation from the fuel, and convection by the steam remaining in the channel. At about
800°C, the pressure tube will start to plastically deform under the loads from the weight
of the fuel and any residual coolant pressure. If the coolant pressure is high (for
example, for medium-sized breaks with failure of ECC), typically above 1 MPa, the
pressure tube will strain radially outward until it contacts the cool calandria tube
(Figure 3). If the pressure is below 1 MPa, the pressure tube will preferentially sag, until
again it contacts the cool calandria tube. As long as the calandria tube remains cool, it

a) Pressure Tube Sag

Sagged pressure tube

Calandria Cube

Garter spring

gap

b) Pressure Tube Ballooning

Increased flow
area

FIGURE 3: Pressure Tube Deformation Modes During a Postulated Loss-of-coolant

Accident: a) Sagging, b) Ballooning

148
is strong enough to arrest the deformation of the pressure tube. Heat can then be
removed from the fuel, by conduction and radiation to the pressure tube and calandria
tube, and then by convection to the bulk moderator. From there it is removed by the
moderator cooling system. The pressure-tube thus acts as a passive fuse, deforming
only when it overheats in an accident, and so creating a low-resistance heat transfer path
to the moderator. Tbis path can remove decay heat from the fuel without the UO2 melting
even with no coolant in the pressure-tube. This is due to the short physical distance from
the fuel to the pressure-tube, the relatively thin walls of the pressure-tube and calandria
tube, and the enhanced heat transfer through the two tubes when they touch.

The calandria tube can be kept cold by preventing dryout on the outside surface
at the time of pressure-tube contact. The surface heat flux at contact is determined by
the pressure-tube temperature, the interface heat transfer coefficient and the moderator
subcooling. The former cannot practically be controlled, but the latter two can. For
existing CANDU reactors, a moderator temperature of about 70°C is sufficient to prevent
calandria tube dryout.

The pressure-tube "fuse" is sensitive to moderator temperature, but NOT to active

moderator heat removal - it is truly passive. However the moderator pumps and heat
exchangers are used to bring the severe accident to a controlled steady-state.

Measures are taken to assure that the pressure tube does not fail before it reaches
the calandria tube. Although such failure would not prevent the moderator from
performing its emergency role, the sequence is less complex if the pressure tube remains
intact. Pressure tube integrity depends on the pressure at which the pressure-tube
strains - the higher the pressure, the more sensitive is the strain to non-uniformities in
pressure tube temperature, and the higher the chance of failure before contact with the
calandria tube. The pressure parameter varies slightly with the design of the RCS.

Another severe accident results from assuming all heat sinks for the RCS are lost.
This is an unlikely sequence because the following systems are each capable of removing
decay heat from an intact RCS:

the main feedwater system

the auxiliary feedwater system
the shutdown cooling system (which can be brought in at full RCS
temperature and pressure)
the Group II emergency feedwater system (this is a separate means of
adding water to the steam generators, taking its supplies from a separate
seismically qualified source and using independent seismically-qualified
power)
A gravity supply of water to the steam generator from the high level dousing
or reserve water tanks

If however they are all lost, the RCS will pressurize and the fluid will gradually be lost
through the relief valves, and the fuel will overheat. Since this sequence occurs at or
above operating pressure, typically 10 MPa, the overheated pressure tubes will start to
fail before they contact their respective calandria tubes. The higher powered channels
will fail first, and the pressure tubes will relieve the rest of the RCS fluid. This will reduce
the RCS pressure and allow the moderator to act as an emergency heat sink as
described above.

149
 Section 6 describe the Research programme which develops and verifies the
models for these sequences'51.

4. SHIELD TANK AS HEAT SINK FOR THE CALANDRIA

Use of the moderator as an emergency heat sink for severe accidents has been
extensively studied in Canada both theoretically and experimentally. The driving force
has been the AECB requirement that certain severe accidents be considered within the
Design Basis. This set includes all combinations of a reactor system failure and the
unavailability of a safety system - for example, the previous example of a large LOCA and
failure of ECC injection. Severe accidents within this set, i.e., those for which the fuel
heat is not removed by the RCS, result in damaged fuel, but do not lead to loss of
pressure-tube geometry. Accidents which combine yet further failures are generally
outside the design basis. They may result in loss of core geometry, in which case they
are called severe core damage accidents. The two types of accidents are usually
synonymous in other reactor types, but because the moderator can arrest severe
accidents before the core geometry is lost, in CANDU they are distinct.

Severe core damage accidents in CANDU include sequences such as:

loss of all feedwater and loss of cooling to all alternate heat sinks including
the moderator
loss of coolant, loss of ECC injection, and loss of moderator cooling.

The frequencies of such combinations161 are of the order of 10'7/year, and are thus not
within the scope of licensing analysis. They are, however, examined in the context of
Probabilistic Risk Assessment171. Because of the low frequency, the emphasis has been
on scoping calculations'81 rather than extensive experimental verification of detailed
codes.

For such sequences, the moderator water will heat up and boil off. This will take
some hours, during which time the pressure tubes will start to fail and the debris will
collect in the bottom of the calandria. As long as there is water in the shield tank, the
calandria shell will remain intact; the heat generated by the debris is less than the critical
heat flux on the outer surface of the calandria191. However as is apparent from Table I,
the shield tank heat removal rate is insufficient to keep up with the decay power until a
few days have passed, so the shield tank water will boil off and the calandria shell will be
penetrated. Nonetheless, the heat-up and boil-off of the moderator and shield tank buys
valuable time, up to 24 hours, so that accident management can be put into effect before
the debris even reaches the concrete floor of the containment.

5. DESIGN ENHANCEMENTS TO IMPROVE PASSIVE HEAT SINKS1101

Based on the previous description, it is obvious how to extend the passive heat
sinks provided by the moderator and the shield tank - simply add water. The advanced
evolutionary CANDU 9 family1111 (single unit plants in the power range from 900 -1300
MWe) has done just that. An elevated reserve water storage tank in containment
provides emergency makeup water to the moderator and permits passive heat removal
by thermosyphoning from the shield tank (Figure 4). The amount of water is sufficient for
more than 40 hours of decay heat removal. During or after that time, a recovery pump
collects water from the building sumps and returns it to the reserve water tank. The heat
is removed from containment through a combination of passive conduction through the

150
 1 CONTAINMENT
T ATMOSPHERE

—— '———I

RESERVE WATER (RW) TANK

(PART OF THE RESERVE WATER SYSTEM]

FIGURE 4: Shield cooling system flow diagram

building walls and actively by containment air coolers. A severe accident can thus be
arrested either by the moderator or by the shield tank, contained therein, and stabilized.
The same approach is being considered for the smaller CANDU 3 (a single-unit 450
MWe plant)1121.

To ensure that steam is adequately relieved from the shield tank without
overpressurizing the vessel, engineered relief paths have been provided on the newer
designs, sized to take the steam flow generated by decay heat removal.

Finally the pressure-tube/calandria-tube heat transfer has been fine-tuned. First,

to reduce the sensitivity to initial moderator subcooling: When the two tubes contact in
an accident, the stored heat in the pressure tube is transferred in a "pulse" through the
calandria tube. To reduce the magnitude of this pulse, which sets the margin to CHF of
the calandria tube, the inner surface of the latter has been roughened slightly (50 micron
ridges). This "smears out" the heat transfer over a longer period of time and reduces the
peak inter-tube heat flux. Second, to enhance the heat transfer after sag contact, and
so to reduce the quasi-steady-state fuel temperatures, the inside of the calandria tube has
been blackened.

151
 In short, the provision of emergency water to the moderator and shield tanks gives
an effective, and cost-effective, way of arresting severe accidents. Moreover the U.S.
requirements for severe accidents, described in Section 1, are met inherently by existing
CANDU structures -the calandria shell (backed up by the shield tank) provides both the
"floor" area for spreading of debris and passive debris cooling through the shield tank
water.

6. R&D IN SUPPORT OF PASSIVE HEAT REMOVAL

6.1 General Methodology

The operation of the moderator as a heat sink when normal and emergency
cooling is lost to the fuel has been described above. The verification of such behaviour
under a wide range of accident scenarios has been provided by an extensive and on-
going research programme. This research programme covers fuel channel behaviour
throughout the LOCA transient. Phenomena such as coolant boiloff in the channel,
thermal-chemical behaviour of the fuel channel at elevated temperatures and pressure-
tube deformation have all been extensively studied. The general methodology used in
the research programme has been to perform small scale separate-effects experiments
to develop and validate mathematical models to describe the phenomena. These
validated models are then integrated into a code linking the various phenomena to
characterize the fuel channel response to a loss of coolant accident.

For example, small scale experiments have been performed to study pressure-tube
deformation at elevated temperatures. These high-temperature creep experiments
characterized the plastic deformation mechanisms which control the ballooning and sag
behaviour of the pressure tubes when they heat up. The end product was. a set of
constitutive equations describing transverse and longitudinal pressure-tube
deformation1131141.

The small scale experiments permitted the development of pressure-tube

deformation models to describe the ballooning behaviour of a full size fuel channel.
These models were validated through experiments on full size sections of pressure tubes
in a simulated fuel channel mock-up including a calandria tube and a surrounding water
tank to simulate the moderator1151 |161 I17]. Experiments covered both sag and
ballooning of the pressure tubes (Figure 3).

6.2 Moderator as a Heat Sink

When an overheated pressure tube deforms and contacts its surrounding

moderator-cooled calandria tube, the thermal and mechanical responses of both tubes
change rapidly. Prior to contact, the pressure tube is at a much higher temperature than
the calandria tube. Upon contact, stored heat in the pressure tube is transferred across
the interface of the contacting tubes, through the calandria tube and then to the
surrounding moderator. This process results in a large increase in the heat flux to the
outside surface of the calandria tube. The magnitude of this heat flux is determined by
the internal pressure, pressure-tube contact temperature and the interface thermal contact
conductance. The magnitude of the peak heat flux relative to the critical heat flux
governs the type of boiling which would occur at a given location on the calandria tube
surface.

152
 If the sudden rise in surface heat flux does not initiate film boiling on the outside
surface of the calandria tube, the stored heat in the pressure tube is transferred to the
moderator. If the critical heat flux on the surface of the calandria tube is exceeded in a
particular area, the surface will dry out and film boiling will occur. Since film boiling is
less efficient at heat removal than nucleate boiling, the stored heat in the pressure tube
is only partially removed, and the calandria tube heats up. If the incident heat flux to the
pressure tube is high, the tubes could overheat sufficiently to jeopardize fuel channel
integrity.

The relationship between subcooling and critical heat flux on the outside surface
of the calandria tube has been investigated over the years through small scale pool-
boiling experiments with horizontal banks of tubes. Information from these small-scale
experiments fed into full-scale contact boiling experiments using reactor-typical pressure
and calandria tubes. These contact boiling experiments covered a wide range of
moderator subcooling, pressure-tube internal pressures and pressure-tube heatup
rates'181. The current moderator subcooling requirements are specified for CANDU
reactors to avoid the calandria tube being forced into film boiling upon contact with its
deforming pressure tube. Figure 5 schematically represents a collection of experimental
data from several contact boiling experiments. The broad hatched line marks the
boundary separating the film and nucleate boiling regimes. From this, it is apparent that
a moderator local subcooling of 26 to 28°C is sufficient to prevent extensive dryout on the
calandria tube external surface during ballooning.

This moderator subcooling requirement may be reduced significantly by reducing

the pressure-tube to calandria-tube thermal contact conductance as demonstrated by
Sanderson et. al.(19] In this experiment, the tube to tube contact conductance was

• entire surface in film boiling

U O patches of film boiling

S kW/(m'«K)
O immediate quench

O
S, 10

20 kW/(ms«K)
20
U«
o
o
z
Ü3 30
O
o
u
PQ
§ 40

600 700 800 900 1000 1100

PRESSURE-TUBE CONTACT TEMPERATURE (°C)

FIGURE 5: Moderator Subcooling Requirements as a Function of Pressure-tube Contact

Temperature. The hashed line marks the boundary between film and nucleate
boiling regimes.

153
reduced from its nominal value of 11 kW/(m2K) upon ballooning contact to less than 1
kW/(m2K) through contact limiters placed between the two tubes. This reduction in
contact conduction has the potential to significantly reduced the moderator subcooling
requirements.

Having demonstrated the sufficient conditions for good heat transfer following
ballooning contact, the R&D programme focussed on determining if there were any
mechanisms by which the pressure tube would fail prior to coming into contact with the
calandria tube or cause the ballooned fuel channel itself to fail after contact in spite of
general nucleate boiling.

The likelihood of pressure-tube failure prior to ballooning-contact involves both

thermal and mechanical considerations. Since Zr-2.5 Nb pressure tube material is ductile
at high temperatures, failure only occurs as a result of severe necking or thinning of the
material at a given location. Given the geometric configuration of a pressure tube and
its surrounding calandria tube, this is possible only if the pressure tube experiences a
highly localized strain before it contacts its calandria tube. Such conditions could arise
from either stratified coolant conditions in which the top half of the pressure tube is
exposed to steam while the bottom is kept relatively cool by the presence of liquid, or by
contact with the fuel element. The latter case can result from conduction through the
bearing pad or by contact with bowed, sagged or melted cladding.

6.3 Fuel Channel Behaviour Subjected to Stratified Flow

Water in the horizontal fuel channels of a CANDU reactor may boil off slowly in
some postulated LOCA scenarios. This would expose the upper portion of the fuel
bundle and pressure tube to superheated steam as the water level drops (Figure 6). The
pressure tube would become hot at the top because of thermal radiation and steam
convection while it remained near the saturation temperature below the liquid level. The
resulting pressure-tube circumferential temperature gradient would induce localized
thermal stresses and plastic deformation at the top of the tube. Such conditions may
cause nonuniform pressure-tube ballooning and the pressure tube could possibly rupture
before coming into contact with the surrounding moderator cooled calandria tube.

A series of experiments have been performed to investigate the circumferential

temperature distribution and resultant deformation that may develop around the pressure

CO2-Filled Annulus

Declining Water Level

FIGURE 6: Schematic Showing Pressure-tube Behaviour Under Coolant Boiloff Conditions

154
tube of a CANDU fuel channel under such conditions'201121]. These experiments have
shown the benefit of steam flow in the uncovered portion of the fuel channel. The steam
helps distribute heat circumferentially across the top of the pressure tube, reducing
thermal gradients and the likelihood of localized hot spots. The reduction of localized hot
spots limits localized strain and the likelihood of a pressure tube failure. These full-scale
experiments have provided a substantial data base of experimental results for use in the
validation of fuel channel codes used in the analysis of fuel channel behaviour during a
LOCA.

6.4 Fuel Channel Behaviour Subjected to Localized Hot Spots

In some postulated LOCAs, the interior of the pressure tube can become
completely dry in a matter of seconds after flow stagnation occurs. As the RCS
depressurizes, the surface temperature of the fuel bundle can exceed 1000°C. Most of
the pressure tube circumference will be heated by thermal radiation, except at locations
where the bearing pads are in contact with the pressure tube. Here, conduction and
thermal radiation are the dominant modes of heat transfer. Therefore, local hot spots can
develop on the pressure tube under the bearing pads. Whether the pressure tube would
fail at these hot spots before contacting the calandria tube depends on the temperature
and pressure transients it experiences.

An extensive series of small1221 and full1231 I241 scale experiments have been
performed to investigate this phenomenon. These experiments demonstrated that the
interaction between adjacent bearing pads in contact with the pressure tube tended to
smooth out the circumferential temperature gradients. During heatup, the pressure-tube
temperature increased more rapidly opposite the ring of bearing pads. This resulted in
greater axial temperature gradients than circumferential gradients. The thermal contact
conductance between the bearing pad and the pressure tube increases during heatup
then decreases during ballooning. This decrease in conductance during ballooning helps
minimize the magnitude of the bearing-pad induced hotspot, minimizing the risk of
pressure tube failure under the bearing pad.

Another recent series of experiments'251 looked at the effect of molten zirconium

that might be created by an overheated fuel bundle end plate if it were to fall onto the
surface of a ballooned pressure tube and create a hot spot. The experiments and
subsequent analysis demonstrated the resilience of the fuel channel to intense localized
hot spots, as might occur in a severe accident. The ballooned fuel channel was resilient
if the outside surface of the calandria tube was well cooled (i.e. it was in nucleate boiling)
prior to molten Zr-4 (up to 90 g) making contact with the ballooned pressure tube. This
in turn required sufficient moderator subcooling to prevent the critical heat flux from being
exceeded, on the outside of the calandria tube during the ballooning transient. Fuel
channel integrity was maintained in all experiments where the subcooling was adequate
to prevent film boiling upon ballooning contact. Figure 7 shows typical calandria tube
temperature transients from one of these experiments.

6.5 High Temperature Thermal-Chemical Behaviour of the Fuel Channel

Several small and large scale experiments have been performed over the years
to investigate the high-temperature thermal-chemical behaviour of a CANDU fuel channel.
These experiments have provided data on the high-temperature thermal properties
(emissivity, thermal conductivity and solid to solid heat transfer)1261 Í27] , material
interactions1281 and oxidation characteristics1291 |30] of various fuel channel

155
 a) ./Calandria tube
1200 h
Zr-4 melt / pressure tube contact

1000 -

O 800 -
a
600 -

400 -

200 -

630 640 660 690

Time (s)

b)

FIGURE 7 a) Calandria-Tube Temperatures Recorded Beneath the Zr-4 Melt, During Test
13 of the Molten Zr-4/Fuel Channel Interaction Program [25]. b) A Three-
Dimensional Representation of Maximum Calandria-Tube Temperatures
Beneath the Molten Zr-4.

components. Data from the single-effect tests were used to develop mathematical
models describing the underlying phenomena. These models are then coupled into an
integrated code to predict fuel channel behaviour under accident conditions. Data for
validation of the integrated codes come from various full-scale experiments involving the
complex interaction of pressure, temperature, material properties, heat transfer and
oxidation kinetics on fuel channel components subjected to severe temperature transients.

156
 In one such validation exercise1311, data from a high-temperature (>1600°C)
thermal-chemical experiment was used to validate the multi-purpose code CATHENA.
The validation exercise demonstrated the capability of CATHENA to model the thermal-
chemical behaviour of a 28-element fuel channel when high-temperature steam was the
only coolant available within the channel.

6.6 Core Melt Retention

A number of severe accident sequences involving loss of core geometry and core
melting have been analyzed by Rogers1321. They involve sequences where along with
loss of normal and emergency cooling the moderator heat sink becomes unavailable.
The level in the calandria will drop as the moderator boils and the fuel channels will heat
up and collapse onto channels below that are still submerged. As the moderator level
continues to drop, more channels will collapse, resulting in a pile of debris at the bottom
of the vessel. Roger's analysis shows that at this stage, molten debris may exist but the
shield tank water which surrounds the calandria vessel will be able to cool the debris
sufficiently that the melt will be contained in the vessel. The peak heat flux into the shield
tank for the sequences studied was 50 W/cm2, well below the estimated critical heat flux
of 280 W/cm2.

The light water reactor community is now showing interest in this concept and are
considering the merits of containing a core melt in a severe accident by external flooding
of the pressure vessel. A research programme at the Kurchatov institute in Russia has
been initiated to develop data and codes to verify this concept for pressure vessel
reactors. It is cost shared 50% by Russia and 50% by fourteen OECD countries including
Canada. Canada is participating since the technology derived from this study will be
useful in improving our capability to analyze the shield tank capability to contain a melt.

7. SUMMARY

CANDU reactors possess two supplies of water surrounding the core - the
moderator which surrounds the fuel channels and the shielding water which surrounds the
calandria, that can function in emergencies to prevent or contain severe core damage.
The moderator capability has been verified by small-scale and full-scale channel tests;
the shield tank capability has been assessed analytically, and will be supported by
international tests in which Canada is participating. The capability to stop severe
accidents can be enhanced by the provision of emergency water to the moderator and
shield tanks. This capability exceeds developing internationaj requirements on the
mitigation of severe accidents.

REFERENCES
[1] D.A. Meneley and V.G. Snell, "Safety Considerations in International Growth of
Nuclear Energy", invited paper for the ANS/ENS 1992 International Conference,
Chicago, November 15-20, 1992.

[2] U.S. Nuclear Regulatory Commission, "Policy, Technical and Licensing Issues
Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs",
SECY-93-087, April 1993.

157
[3] G.L Brooks, V.G. Snell, P.J. Alien, Ü.M. Hopwood, J.Q. Howieson and R.A.
Olmstead, "The Approach to Enhancing CANDU Safety", invited paper for the 8th.
Pacific Basin Nuclear Conference, Taipei, April 1992.

[4] V.G. Snell, S. Alikhan, G.M. Frescura, J.Q. Howieson, F. King, J.T. Rogers, and
H. Tamm, "CANDU Safety Under Severe Accidents", invited paper for the
IAEA/OECD International Symposium on Severe Accidents in Nuclear Power
Plants, Sorrento, Italy, March 1988; also Nuclear Safety, Vol 31, No. 1, p.20.

[5] L. A. Simpson and R. A. Brown, "CANDU Safety Research; Status and Future
Development", presented at the 8th Pacific Basin Nuclear Conference, Taipei,
1992 April.

[6] P.J. Alien, J.Q. Howieson, H.S. Shapiro, J.T. Rogers, P. Mostert and R. W. van
Otterloo, "Summary of CANDU 6 Probabilistic Safety Assessment Study Results",
Nuclear Safety, Vol. 31, p. 202, April 1990.

[7] P.J. Alien, "The Use of PSA in the Design, Safety Assessment, and Licensing of
the Advanced CANDU Design", PSA 89 - International Topical Meeting on
Probability, Reliability, and Safety Assessment, Pittsburgh, April 1989

[8] J.T. Rogers, "A Study of the Failure of the Moderator Cooling System in a Severe
Accident Sequence in a CANDU Reactor", Proc. 5th International Meeting on
Nuclear Reactor Safety, Karlsruhe, Germany, September 1984; Vol. 1, p. 397, KfK
3880/1 December 1984.

[9] J.T. Rogers, "Thermal and Hydraulic Behaviour of CANDU Cores Under Severe
Accident Conditions - Final Report", AECB Report INFO-0136, June 1984.

[10] V.G. Snell and P.J. Alien, "CANDU Safety - Status and Direction", Invited paper
presented at the American Nuclear Society Meeting, San Diego, California, June
1993.

[11] R.S. Hart, A. Dastur, R.A. Olmstead, E.G. Price, V.G. Snell, and S.K.W. Yu,
"CANDU 9 - Overview", IAEA Technical Committee Meeting on 'Advances in
Heavy Water Reactors', Toronto, Canada, June 1993.

[12] K.R. Hedges and E.M. Hinchley, "CANDU 3 aims to provide a smaller, cheaper,
more reliable alternative", Nuclear Engineering International, May 1990, p.22.

[13] Shewfelt, R.S.W., Lyall, L.W. and Godin, O.P., "A High-Temperature Creep Model
of Zr-2.5% Nb Pressure Tubes", Journal of Nuclear Materials, vol. 125,
pp. 228-235, 1984.

158
[14] Shewfelt, R.S.W, and Lyall, L.W., "A High-Temperature Longitudinal Strain Rate
Equation for Zr-2.5% Nb Pressure Tubes", Journal of Nuclear Materials, Vol. 132,
pp. 41-46, 1985.

[15] Shewfelt, R.S. W., Godin, D.P. and Lyall, L.W., "Verification Tests of the High-
Temperature Transverse Creep Mode! for Zr-2.5 Nb Pressure Tubes", AECL
Report No. AECL-7813, 1994 February.

[16] Gillespie, G.E., Moyer, R.G., Hadaller, G.I. and Hilderbrandt, J.G., "An
Experimental Investigation into the Development of Pressure Tube/Calandria Tube
Contact and Associated Heat Transfer Under LOCA Conditions", Proceedings of
the 6 Annual Canadian Nuclear Society Conference, Ottawa, ON, pp. 2.24-2.30,
1985 June.

[17] Gillespie, G.E., Moyer, R.G. and Hadaller, G.I., "An Experimental Investigation of
the Creep Sag of Pressure Tubes Under LOCA Conditions", Proceedings of the
5 Annual Canadian Nuclear Society Conference, Saskatoon, SK, 1984.

[18] Gillespie, G.E., Mover, R.G. and Thompson, P.D., "Moderator Boiling on the
External Surface of a Calandria Tube in a CANDU Reactor during a Loss-of-
Coolant Accident", Proceedings of the International Meeting on Thermal Nuclear
Reactor Safety, Chicago, IL, pp. 1523-1533, 1982 August.

[19] Sanderson, D.B., Moyer, R.G., Litke, D.G., Rosinger, H.E. and Girgis, S.,
"Reducticn of Pressure-Tube to Calandria-Tube Contact Conductance to Enhance
the Passive Safety of a CANDU-PHW Reactor", Proceedings of an IAEA Technical
Committee Meeting on Advances in Heavy Water Reactors (IAEA-TECDOC-738),
Toronto, ON, pp.-T36-140, March 1994.

[20] Rosinger, H.E., So, C.B. and Yuen, P.S., "The Determination and Verification of
Circumferential Temperature Distributions in CANDU-PHW Reactor Fuel Channel
Assemblies Under Coolant Flow Stagnation", Proceedings - International
Conference on Thermal Reactor Safety, Avignon, France, pp. 2215-2228, 1988
October.

[21] Lei, Q.M., Sanderson, D.B., Swanson, M.L, Walters, G.A. and Rosinger, H.E.,
"Experimental and Theoretical Investigation of Pressure Tube Circumferential
Temperature Gradients during Coolant Boil-Off", Presented at the 13th Annual
Canadian Nuclear Society Conference, Saint John, NB, 1992.

[22] Krause, M., Mathew, P.M. and Kroeger, V.D., "Thermal Analysis of Bearing-Pad
to Pressure-Tube Contact Heat Transfer Using ABAQUS", Presented at the Fourth
International conference on Simulation Methods in Nuclear Engineering, Montreal,
PQ, 1993 June.

[23] Moyer, R.G., Sanderson, D.B., Tiede, R.W. and Rosinger, H.E., "Bearing-
Pad/Pressure-Tube Rupture Experiment", Presented at the T3 Annual Canadian
Nuclear Society Conference, Saint John, NB, 1992 June.

[24] Nitheanandan, T., Lei, Q.M. and Moyer, R.G., "Analysis of Bearing-Pad to
Pressure-Tube Contact Heat Transfer", Presented at the 18' Annual Canadian
Nuclear Society Nuclear Simulation Symposium, Pembroke, ON, 1994 October.

[25] Brown, M.J., Litke, D.G., Lei, Q.M. and Sanderson, D.B., "Molten
Zircaloy-4/Ballooned Pressure Tube Interaction Experiments", Presented at the 12
Annual Canadian Nuclear Society Conference, Saskatoon, SK, 1991 June.

159
[26] Mathew, P.M., Krause, M., Déon, M. and Schankula, M.H., "Emittance of
Zircaloy-4 Sheath at High Temperatures in Argon and Steam Atmospheres",
Proceedings of the 10th Annual Canadian Nuclear Society Conference, Ottawa,
ON, pp. 9.12-9.17, 1989 June.

[27] Schankula. M.H., DeVaal, J.W. and Kroeger, V.D., "A Gap Conductance Model for
Wavy Surface Contact in Concentric Tubes", Proceedings of the ASME-JSME
Thermal Engineering Joint Conference, pp. 661-665, 1987

[28] Hayward, P.J., George, I.M. and Ameson, M.C., "Dissolution of UO2 Fuel by
Molten Zircaloy-4", Presented at the 13 Annual Canadian Nuclear Society
Conference, Saint John, NB, 1992 June.

[29] Urbanic, V.F. and Heidrick, T.R., "High-Temperature Oxidation of Zircaloy-2 and
Zircaloy-4 in Steam", Journal of Nuclear Materials, Vol. 75, pp. 251-261, 1978.

[30] Sawatzky, A.S., Ledoux, G.A. and Jones, S., "Oxidation of Zirconium during a
High-Temperature Transient", In Zirconium in the Nuclear Industry, ASTM-STP-
633, Lowe, A.L., Jr. and Parry, G.W., (eds.), American Society for Testing and
Materials, pp. 134-149, 1977.

[31] Lei, Q.M. and Sanderson, D.B., "High-Temperature Validation of CATHENA

Against a 28-Element Thermal-Chemical Experiment", Presented at the 15 Annual
Canadian Nuclear Society Conference, Montreal, PQ, 1994 June.

[32] J. T. Rogers, Thermal and Hydraulic Behaviour of CAN DU Cores Under Severe
Accident Conditions - Executive Summary. Report No. INFO-0136-4, Atomic
Energy Control Board, Ottawa, Canada.

160
 DIVERSIFIED EMERGENCY CORE COOLING IN CANDU
WITH A PASSIVE MODERATOR HEAT REJECTION SYSTEM

N. SPINKS XAQ7^1fiR
AECL Research, XA9743166
Chalk River Laboratories,
Chalk River, Ontario,
Canada

Abstract

A passive moderator heat rejection system is being developed for CANDU

reactors which, combined with a conventional emergency-coolant injection
system, provides the diversity to reduce core-melt frequency to order 10'7
per unit-year. This is similar to the approach used in the design of
contemporary CANDU shutdown systems which leads to a frequency of
order 1O8 per unit-year for events leading to loss of shutdown.
Testing of a full height 1/60power-and-volume-scaled loop has
demonstrated the feasibility of the passive system for removal of
moderator heat during normal operation and during accidents.
With the frequency of core-melt reduced, by these measures, to order 10-7
per unit year, no need should exist for further mitigation.

1. Introduction
This paper concerns the employment of diversity in redundant safety
systems so as to eliminate common-mode failures. Common-mode failures
are single failures that dissable multiple systems.
Contemporary CANDU reactor designs employ redundancy and a
considerable level of diversity in the safety systems. Thus redundancy and
diversity exist in the two shutdown systems and in the reactor regulating
system. Both shutdown systems make use of the low-pressure moderator
environment (the calandria) but shutoff rods enter the calandria from
above whereas the poison injection system enters the calandria from the
side, as shown in figure 1. Each system has its own initiating signals. Note
that the two shutdown systems are passive in that no operator action and no
external power are needed for shutdown action to occur.
Redundancy also exists in the emergency-core-cooling systems. In the event
of a loss-of-coolant accident, the Emergency Coolant Injection (ECI)
system uses pressurized gas (or pumps in some plants) to inject light water
into the heat transport system. The water is eventually recovered from a
sump in the reactor building, cooled in a heat exchanger and pumped back
into the heat transport system.

161
 TYMCAL ARRANGEMENT K>«
REACTIVITY MECHANISM DECK
KM SMUTOf f. AB JUSTS* ZOME CONTROL ANO VERTICAL
ANO CONTROL ABSORBER UNITS FLUX OETCCTOR UNITS
RUPTURE DISC
ASSEMBLY —

NOfttZONTAL
KUt
MTICTOA
UMtT O O O O OO
> OO O OOOO O C
3 OO O OOOO O C
Ï OO O OOOO O C
3 OO O OOOO O C
JOOOOOOOOf

o oo > o o o o o o o o c
O O OO 00 C » O O O O O O O O G
ooo oot » o o o o o o o o c

»OOOOOOOOO
»ooooooooc
JOOOOOOOOC
2OOOOOOOOO
oooooo

Figure 1: CANDU Reactor Core

The low-pressure low-temperature moderator serves as a redundant

emergency-core-cooling system. Its availability during normal operation is
apparent and it acts passively to accept heat from the fuel channels in an
accident involving loss of coolant with loss of ECI. However moderator
heat, which eventually has to be rejected, is done with pumps which

162
detracts from the potential independence between the moderator and ECI
systems.
Core melt in CANDU can occur only with a loss of coolant with loss of
ECI plus loss of the moderator heat sink. Common failures in these
systems, e.g. loss of service water to both the moderator and the ECI heat
exchangers, are the main contributors limiting the core-melt frequency to
about 4x10-6 per year (réf. 1). Elimination of common failures would
reduce the core-melt frequency to order 10~7 per year, a level at which
further core-melt mitigation should be unnecessary. The basis for the 10-7
figure is given below and compared to the figure for loss of shutdown.
A conceptual CANDU design is under study which employs a conventional
ECI system with a passive moderator heat rejection system. Thus passive
design techniques are used to advantage in enhancing the diversity in the
two emergency-core-cooling systems. Progress on the passive moderator
system development is described.

2. Passive Moderator Heat Rejection

Progress on the passive moderator system development was last given in
reference 2. Figure 2 illustrates the concept. A heavy-water natural-
circulation loop transfers heat to heat exchangers cooled by light water.
During normal operation, the light water can be feedwater en route to the
steam generators. During accidents the light water can be supplied by
natural circulation from a large elevated tank.

The idea is to run the heavy water in the calandria at a temperature near
the boiling point but to allow the water to flash to steam as it rises in a pipe
from the calandria to an elevated heat exchanger. Subcooled heavy water
would be returned to the calandria. The difference in density between the
two-phase flow in the riser and the liquid in the downcomer would provide
the buoyancy force to drive the flow.
Reference 2 gives results of simulations using the CATHENA transient
thermalhydraulics code which demonstrate that the normal heat load to the
moderator can be transferred in a stable manner with such a design. Note
that the peak heat load to the moderator during a loss of coolant accident,
with the reactor at decay power, is only 30% of normal full power.
More recently, further CATHENA simulations have been done at reduced
powers. They show a flow oscillation at low power but stable flow at full
power. Also tests have been done in a full elevation loop having a scale of
about 1/60 in power, volume and flow area. They confirm the CATHENA
predictions. The tests will be reported in more detail in reference 3.

163
 Pressure
Control

Cooling
Reflux
Water
Outlet
Condensation
ofD2O

Flashing-Driven
Flow of D20
Cooling
Water
Inlet

Calandria
(Near
Saturation)

Subcooled
D2O

Figure 2: The Heavy-Water

Natural-Circulation Loop

As power is increased, flashing is first observed in the transparent glass

riser at upper elevations. The flow is oscillatory with the riser being liquid
filled after the high-flow part of a cycle. No untoward effect of the
oscillations is evident. As the power is increased, the oscillation amplitude
decreases and the flow becomes stable. During a rapid increase of power,
only one or two oscillations are seen as the flow overshoots before
returning to the steady-state value. Thus the feasibility of the flashing-
driven design is considered to be established both for the normal operating
condition and for accidents.

164
3. Loss of Shutdown
The careful attention given to diversity in the design of CANDU and its
two safety shutdown systems makes common-mode failures very unlikely.
This enables a simple product of the failure frequency of events leading to
overpower1 and the unavailabilities of the two shutdown systems to
properly reflect the order of magnitude of frequency for loss of shutdown
events.
From the operating record of about 200 unit years, from improvements
made to earlier control systems and from the more recent operating
experience, the frequency of challenges to the shutdown systems is now
about 10-2 per unit-year. Also the two shutdown systems are each required
to have an unavailability of 10~3 and continued operation requires testing to
ensure that this figure is met. Thus the frequency of loss of shutdown is of
order
10-2 x 10-3 x 10-3 = IQ-8 per unit-year.

See also the figure of 2.5 x 10*8 per unit-year calculated in more detail in
reference 1.

4. Core Melt
Core melt can occur in CANDU only with a loss of heat transport system
inventory (whether caused by pipe failure, valve failure or loss of the
steam-generator heat sink), a loss of ECI and a loss of the moderator as a
heat sink. Reference 1 gives a detailed account of the accident sequences
leading to core-melt for CANDU 6. The sequences are dominated by
common cause events such as loss of service water and loss of electrical
power. These contribute most of the core-melt frequency of 4.4xlO~6 per
unit-year. The triple failure events involving LOCA with loss of ECI and
loss of the moderator heat sink contribute only 0.6x10-6 per unit year and
even this figure is dominated by the continuing need to keep moderator
pumps running in the longer term.
With diversity in the heat transport system, the ECI system and the
moderator system, the core melt frequency reduces to a simple product of
the failure frequency of the heat transport system and the unavailabilities of
the ECI and the moderator systems. From the 200 unit-year operating
record for CANDUs and the single event (Pickering unit 2, 1994) which
required actuation of ECI, the failure frequency is order 10'2 per unit
year. As with each safety shutdown system, the ECI system is required to

L
beyond the capability of the reactor control system

165
have an unavailability on demand of 10'3. However the ECI pumps have to
keep running for an extended period and an unavailability of 10-2 has been
assigned (reference 1) over the mission period.
The moderator heat rejection system will be designed to operate
continuously so that its availability on demand is assured. Also a passive
moderator heat rejection system, which does not rely on continued
operation of pumps, should be more reliable than the ECI system. An
unavailability target of 1O3 is thought to be achievable.
The frequency of core melt becomes simply
10-2 x 10-2 x 10-3 = 10'7 per unit-year.

5. Conclusion

A passive moderator heat rejection system is being developed for CANDU

which, combined with a conventional emergency-coolant-injection system,
will provide the diversity to reduce core-melt frequency to order 10~7 per
unit-year. This is similar to the approach used in contemporary CANDU
designs of redundancy and diversity in the shutdown systems which results
in a frequency of loss of shutdown as low as 1O8 per unit-year.

Testing of a full height 1/60 power-and-volume-scaled passive-moderator-

heat-rejection system has demonstrated its feasibility for removal of heat
during normal operation and during accidents.

With the frequency of severe accidents reduced, by these measures, to

order 10~7 per unit year, no need should exist for further measures to
mitigate core melt.

REFERENCES

1. Report AECL-9607,"CANDU 6 Probabilistic Safety Study

Summary", 1988 July.
2. W.P. Back and N.J. Spinks, "CANDU Passive Heat Rejection using
the Moderator", International Conference on New Trends in Nuclear
System Thermohydrauh'cs, Pisa, 1994 May.
3. H.F.Khartabil and N.J. Spinks, "An Experimental Study of a
Rashing-Driven CANDU Moderator Cooling System", for CNS
Conference, Saskatoon, 1995 June.

166
 SURVEY OF THE PASSIVE SAFETY SYSTEMS OF THE XA9743167
BWR 1000 CONCEPT FROM SIEMENS

J. MATTERN, W. BRETTSCHUH, C. PALA VECINO

SIEMENS, Energieerzeugung,
Offenbach, Germany

Abstract

The Power Generation Group (KWU) of Siemens AG and the German nucle-
ar utilities are currently working together to develop a boiling wa-
ter reactor of the next generation which is to feature a signifi-
cantly improved safety concept and possess an electrical generating
capacity of about 1000 MW.

Through the use of passive safety systems and components for acci-
dent control in addition to the active systems required for plant
operation, a higher degree of safety against core-endangering
conditions is achieved which is no longer ruled by complex system
engineering dependent on power supply and activation by I&C systems.
A low core power density and large water inventories stored inside
the reactor pressure vessel (RPV) as well as inside and outside the
containment ensure good plant behavior in the event of transients or
accidents. These passive safety systems - which require neither
electric power to function nor I&C systems for actuation, being
activated solely on the basis of changes in process variables such
as water level, pressure and temperature - provide a grace period of
more than 5 days after the onset of accident conditions before
manual intervention becomes necessary. The concept features the
following passive safety systems:

- Four 50% capacity emergency condensers for removal of decay heat

from the RPV to a large water inventory (core flooding pool) stor-
ed inside the containment. These condensers commence functioning
without valve actuation, solely on the basis of the drop in the
RPV water level.

- A gravity-driven core flooding system (four flooding lines exiting

the flooding pool) which becomes effective when check valves, one
located in each line, self-actuate by deadweight after depressuri-
zation of the RPV.

- Four 25% capacity containment cooling condensers for removal of

heat from the containment to a water inventory stored outside the

167
 containment. These condensers require no valve actuation, rather
commence functioning solely on the basis of temperature increase,
e.g. due to steam formation in the containment, and thereby limit
pressure rise.

- Rupture disks arranged in the bypass to safety-relief valves.

- Passive pressure pulse transmitters for actuation of the following

functions :

• Reactor scram
• Isolation of main steam line penetrations
• Fast RPV depressurization.

These components generate pressure in a heat-exchanger secondary

circuit as reactor water level drops which is used directly to
actuate pilot or main valves.

1 Introduction

Siemens, in cooperation with Germany's electric utilities, is devel-

oping a design concept for an innovative boiling water reactor plant
with a net capacity of approximately 1000 MWe.

In this design concept, the primarily "active", highly redundant

safety equipment of today's operating plants are replaced by
"passive" safety equipment. These function according to basic laws
of physics such as gravity, natural convection and evaporation. For
this reason these systems require neither "active" energy sources
such as a permanent power supply nor associated I&C equipment.

The main goal of this development work is an enhanced safety concept

in which functional capability and reliability are ensured by simple
and less sensitive safety equipment. In this way the effects of hu-
man error are to be diminished, reactor safety is to be improved
even further, and capital cost as well as maintenance reduced.

The development goals specified for designing this innovative boil-

ing water reactor - such as passive or inherent system characteris-
tics, good operating and accident control behavior, and ease of op-
eration both under normal operating conditions and during accidents

168
 have resulted in a concept characterized by the following key fea-
tures :

- Cooling of the reactor core when the plant is in the shutdown con-
dition following the occurrence of abnormal events is reliably
assured by making use of the natural force of gravity. Provision
of a large water inventory inside the reactor pressure vessel as
well as of a large source of water inside the containment makes
active, fast-response safety equipment, pumps and electric power
unnecessary in the event of disturbances in the reactor coolant
system.

- The safety systems all operate by passive means. The provision of

diverse valve designs as well as the actuation of such valves us-
ing system fluid or stored mechanical or hydraulic energy serve to
supplement their effectiveness in strategic areas.

- A drop in the water level inside the reactor pressure vessel ini-
tiates automatic depressurization, allowing core flooding systems
that operate according to the principle of gravity flow to be ac-
tivated and preventing core melt scenarios from occurring at high
reactor pressure levels. Furthermore, facilities are provided for
retaining and cooling a molten core.

- Although the occurrence of a core melt accident is not to be real-

istically expected, the containment is nevertheless protected
against such an event by being designed with sufficient capacity
to accommodate any hydrogen generated by a zirconium-water reac-
tion as well as by being inerted during plant operation.

- All systems and components employed for plant operation are based
on the extensive operating experience gained from the boiling
water reactor plants currently in service in Germany as well as on
the proven system and component designs implemented in these
plants.

In the case of a nuclear reactor designed according to this concept,

the residual risk associated with melting of the reactor core is
much lower than in the nuclear power plants which have gone on line
most recently. Even if such a hypothetical core melt accident were
to occur, the consequences of this accident would remain restricted
to the plant itself; i.e. no emergency response actions outside the
plant such as evacuation or relocation would become necessary.

169
Even for capacity ratings of around 1000 MWe, power generating costs
are equal to those of large-capacity plants currently on line.

The high degree of safety achieved by using passive safety equipment

should have a positive effect on political and public opinions con-
cerning this nuclear plant design concept.

2 Nuclear Steam Supply System (Fig. 1)

2.1 Reactor Pressure Vessel and Internals

The reactor pressure vessel, which is relatively large in relation

to the thermal output of the nuclear steam supply system (NSSS),
contains a large water inventory above the core which allows
depressurization of the RPV without simultaneous makeup of water
inventory and thereby reliably prevents core uncovery.

The RPV internals differ from those of existing BWR plants with re-
spect to the following aspects.

The active core height is 2.8 m with a core power density of 48 kW

per liter. Above the core, a high, narrow chimney is situated which
supports the moisture separators. The control rod drives mechanisms
can be removed upwards into the RPV for servicing, which allows the
RPV to be arranged lower within the containment. Among other result-
ant advantages, this design facilitates flooding of the RPV
environs.

2.2 Containment with Pressure Suppression System, Passive Safety

Equipment and Active Non-Safety-Related Systems

The RPV and the piping systems belonging to the pressure retaining
boundary (PRB) are surrounded by a cylindrical concrete containment
with steel liner. The containment contains a pressure suppression
system comprising a pressure suppression chamber and dedicated vent
pipes. Situated above the pressure suppression chamber is a large
core flooding pool which serves on the one hand to provide gravity-
driven flooding of the core under accident conditions subsequent to
depressurization of the RPV, and on the other as a heat sink for the
emergency condensers. Located above the core flooding pool are the

170
28,7m Pressure
suppression
pool

Reactor water Residual heat

clean-up system removal system

031 Om

Cold water Steam

Hot water

FIG. 1. BWR 1000 Containment

containment cooling condensers which condense any steam released in-

side the containment and return the condénsate to the core flooding
pool while transferring the heat to the water of the dryer-separator
storage pool situated outside the containment.

171
Compartments are located below the pressure suppression pool which
house the two-train shutdown cooling system, the reactor water
cleanup system, the valves of the reactor scram system, as well as
pressure and level transmitters, etc. This arrangement is therefore
such that all systems carrying reactor water are located inside the
containment. The main steam and feedwater lines penetrating the
containment are each equipped with three isolation valves, one of
which is of diverse design. The depressurization system, equipped
with system-fluid-actuated main valves and diverse pilot valves, is
also located inside the containment. The main valve blowdown lines
end in nozzles arranged inside the pressure suppression pool. Lines
carrying steam (condensation pipes and blowdown lines of the safety-
relief valves) are routed outside the pressure suppression chamber
air space.

3 Safety Systems

3.1 Overview

The primary objective followed in developing the BWR 1000 is to en-

hance the quality of safety by introducing additional passive sys-
tems for performing safety-related functions in the event of tran-
sients or accidents. Compared to the reactors of today, the technol-
ogy employed in these systems is much simpler, operation of the
equipment being independent of a power supply and activation by
I & C systems.

Passive systems are characterized by the fact that they utilize the
laws of nature (e.g. gravity) to perform their safety functions and
dispense with active components (e.g. pumps and drives). The supply
of coolant to the depressurized reactor by gravity flow from an ele-
vated water pool is a classic example of a passive system.

The most frequent events requiring control of reactor coolant inven-

tory and residual heat removal comprise anomalies in plant opera-
tion, so-called transients. In the event of a LOCA, heat from the
reactor is discharged as steam to the containment atmosphere via a
postulated primary system pipe break. In order to prevent core un-
covery, passive systems for supplying reactor water makeup must op-
erate.

172
The following safety functions must be assured in the case of most
transients as well as in the event of accidents:

- Reactor scram
- Containment isolation
- RPV pressure relief and depressurization
- Heat removal from the RPV
- Reactor water makeup and control of core coolant inventory
- Heat removal from the containment.

A short description now follows of the passive systems planned for

these tasks.

3.2 Passive Safety Systems (Fig. 2)

Reactor Scram. Containment Isolation___and_Reactor Depressurization

The tank opening valves of the scram system/ the main steam
isolation valves and the relief valves of the depressurization
system are all actuated by dedicated diaphragm pilot valves.

The switching operations required for these safety functions are

carried out by passive and diverse means without electric power, ac-
tuating fluids or I & C signals as follows.

- Passive Pressure Pulse Transmitter (Fig_.__3)

The RPV is connected via a non-isolatable line to a heat exchanger

which acts as a passive pressure pulse transmitter. When the water
level in the RPV is normal, the tubes inside the heat exchanger are
filled with water and do not transfer any heat. If the water level
in the RPV starts to drop, the water drains from the heat exchanger
tubes and is replaced by steam that is continuously condensed. The
heat transferred during this process causes a buildup of pressure on
the shell side of the heat exchanger. This rise in pressure automa-
tically and passively actuates pilot valves, which in turn initiate
the safety functions of reactor scram, containment isolation and RPV
depressurization.

173
Pos. Number
1 Emergency condenser 4
2 Safety-relief valve
3 Spring-loaded
pilot valve
4 Diaphragm pilot vaive
5 Passive pressure pulse 2x4
transmitter
6 Rupture disk
7 Flooding line
8 Containment cooling
condenser
9 Core flooding poo!
10 Pressure suppression
pool
11 Vent pipes 15
12 Scram system 2

FIG. 2. Passive systems

 Passive
pressure
pulse
transmitter

Condition during Condition after

power operation drop in RPV level

FIG. 3. BWR 600/1000

Passive pressure pulse transmitter

Reactor and Containment Heat Removal and Makeup of Reactor Coolant

Inventory

- Emergency Condenser (Fig. 4}

A passive safety feature of particular importance, especially for

controlling transients, are the four emergency condensers (each rat-
ed for 63 MW at a pressure of 70 bar) which are located in the core
flooding pool and are connected to the RPV by non-isolatable steam
discharge and return lines. The circuit of each emergency condenser
contains an anti-circulation loop so that practically no circulation
of condénsate takes place through the open lines to the reactor dur-
ing normal plant operation. Only when there has been a drop in the
RPV water level does steam enter the condenser, with the resulting
condénsate being returned to the RPV.

The heat removed by the emergency condensers is transferred to the

water of the core flooding pool and slowly raises its temperature.
It takes over 12 hours for the water in the pool to reach a tempera-
ture at which it starts to evaporate. The resulting steam then
causes a buildup of pressure inside the containment.

175
 Core flooding
pool i

1
y=* Isolation
Anti-circulation condenser
loop 4x53 MW

Condition during Condition after

power operation transients involving
drop in RPV level

FIG. 4. BWR 600/1000

Isolation Condenser

- Gravity Core Flooding (Fig. 5)

In the event of a LOCA, steam or flashing water is discharged into

the containment atmosphere. To prevent core uncovery in such a situ-
ation, passive systems are activated for supplying reactor water
makeup. For this, the RPV must first be depressurized. The large wa-

Core flooding
pool

FIG. 5. BWR 600/1000

Core flooding line

176
ter inventory inside the RPV enables this to be done without the
core becoming uncovered. Water from the elevated core flooding pool
can then discharge to the RPV by gravity flow via four supply lines
and self-actuated check valves. The core flooding pool contains a
water inventory of approximately 5000 m . This volume of water is
sufficient after the occurrence of a LOCA to fill both the RPV and
the drywell of the containment up to a level which is then equal to
that in the core flooding pool, this level being situated above the
feedwater nozzles on the RPV. This not only provides a water cover
over potential pipe breaks but also ensures effective cooling of the
RPV exterior.

- Containment Cooling Condenser (Fig. 6^

At later stages in the accident sequences following both transients

and LOCAs, the generation of steam can lead to a rise in temperature
and pressure inside the drywell. In order to condense this steam and
thus limit containment temperature and pressure, containment cooling
condensers are provided. These discharge their condénsate to the
core flooding pool while the heat that they remove is rejected to
the water in the dryer-separator storage pool situated above the
containment. A closed, passive cooling circuit for residual heat
removal is thus available inside the drywell.

Finned-tube
cooler

Downcomersfor
noncondensables

FIG. 6. BWR 600/1000

Containment cooling condenser

111
The containment cooling condensers provide the plant with a grace
period of up to five days before there is any need for external in-
tervention. After this period it will be necessary to make up the
water inventory of the dryer-separator storage pool outside the con-
tainment, something which can be effected by simple actions.

The characteristics of these various safety features enable the re-

actor to stabilize itself in the event of a transient or LOCA with-
out the need for open- or closed-loop control equipment or external
actuation (e.g. by emergency power or compressed air). Existing ac-
tive systems required for normal plant operation supplement the pas-
sive features provided for accident control.

4 Accident Sequences

The BWR 1000 design concept provides for accident control by both
active systems usually required for normal plant operation and acti-
vated by I & C equipment, and by passive safety features which are
not controlled by I & C systems. Since the accident control func-
tions executed by active equipment (coolant makeup and heat removal)
are traditional functions that are generally well known, the follow-
ing descriptions will concentrate on the passive safety features.

4.1 Transients (Fig. 7)

Undesirable plant transients can be caused by, for example, the fol-
lowing :

- Loss of the main heat sink

- Loss of the normal feedwater supply
- Closure of the main steam isolation valves
- Stuck-open safety-relief valve.

Upon occurrence of a transient, first the reactor is scrammed either

by signals from I & C systems or by passive means when the water
level in the RPV starts to drop.

The spring-loaded pilot valves of the safety-relief valves operate,

enabling the safety-relief valves to discharge the steam still being
generated after reactor scram to the pressure suppression pool if it
should not be possible to dump the steam to the main heat sink. In

178
 76-
74-
70-
I
16.8

\CD
Pressure in RPV
Î
_Q
14.3
Constant
water level 1

13.2

1000s 250000s

FIG. 7. BWR 1000 Time Histories of RPV Pressure, RPV Water Level and Containment
Pressure During "Loss of Main Heat Sink" Transient

doing so, the valves maintain the pressure inside the reactor at its
normal operating level. For higher reactor pressure levels, rupture
disks are provided as a diverse means of pressure relief.

The discharge of steam to the pressure suppression pool causes the

reactor water level to drop until the point is reached at which the
emergency condensers can intervene to remove the decay heat gener-
ated in the reactor core to the water of the core flooding pool. The
safety-relief valves then remain closed and the water level inside
the RPV stops decreasing.

Medium- and long-term residual heat removal is normally performed by

the active RHR trains which cool the water inventories in the pres-
sure suppression chamber and the core flooding pool. If these active
systems should fail, the containment cooling condensers start to re-
move heat from the core flooding pool to the atmospheric dryer-
separator storage pool above the containment after approximately 12
hours, as soon as the water of the core flooding pool starts to
evaporate.

This process can continue for five days without any external inter-
vention. After this period, makeup water must be supplied to the

179
dryer-separator storage pool, something which can be effected by
means of simple temporary provisions.

If a plant transient should involve inadvertent depressurization of

the reactor down to the pressure level of the pressure suppression
chamber, the core flooding pool can be used to prevent core uncovery
in the manner described below.

4.2 LosB-of-Coolant Accidents (Fig. 8)

Loss of coolant can be caused by pipe breaks of various sizes postu-

lated to occur in lines carrying reactor coolant inside the contain-
ment. Provisions must additionally be made to control the effects of
a 15 cm2 leak from the bottom head of the RPV.

The good accident control characteristics of the BWR 600 described

earlier in connection with plant transients likewise apply in the
case of LOCAs. Occurrence of a LOCA immediately initiates reactor
scram and containment isolation. This can be effected either by sig-
nals from the I & C systems or by passive means when the water level
in the RPV starts to drop. This drop in the reactor water level then
leads to automatic depressurization being initiated, either actively
or passively. The buildup of pressure inside the drywell is reduced
through discharge to the pressure suppression pool via the horizon-
tal vents.

The loss of water via the break as well as the safety-relief valves
causes the pressure and water level inside the reactor to drop until
a point is reached at which passive coolant makeup by gravity dis-
charge from the core flooding pool starts automatically. This supply
of makeup water requires no I & C signals or switching operations
and prevents core uncovery solely on account of the elevation dif-
ferential existing between the elevated pool and the reactor.

In the event of a LOCA the coolant is retained inside the contain-

ment, the water lost through the break finally leading to equalized
water levels in the core flooding pool, drywell and RPV.

In the postulated event of failure of the active RHR systems, the

coolant inside the containment eventually starts to boil, leading to
a further buildup of pressure. Once the containment cooling con-
densers start to remove heat from the containment and the resulting

180
 18
RPV water level
Start of End of break
break discharge discharge RPV water
16 level const« rrt
Start of scram Scram
initiation

Emerg. cond. tubing drained

14

Start of init. of Pressure

SRV opening -SRVs open drops ¥
12
Start of pass.
a
core flooding — — —/— — — £

10 Cont. cooling cond.

fully in action

Containment pressure
Ik_
0)
•»—'
ra

I
rr
0 40 80 130150 300 3000 12000 36000 220000
Time [s]—

FIG. 8. BWR 1000 LOCA Due to Main Steam Line Break

oo Time histories of RPV water level and containment pressure
condénsate begins to flow to the core flooding pool, a closed cool-
ing circuit is established which limits any further rise in contain-
ment pressure.

As already mentioned, the containment cooling condensers discharge

the heat to the external, atmospheric dryer-separator storage pool.
The water contained in this pool takes at least five days to evapo-
rate. Makeup of the storage pool water inventory using very simple
provisions (e.g. fire hose connections) can extend passive control
of this accident for an indefinite period of time.

5 Conclusion

As a result of the characteristics of the BWR 1000 already

described, it is capable after a transient or LOCA to stabilize
itself by passive means over a period of many days without
intervention by active control equipment or operating personnel.

Existing coolant supply and residual heat removal systems provided

for normal plant operation serve as a diverse means of accident
control.

182
 TECHNICAL FEASIBILITY AND RELIABILITY OF XA9743168
PASSIVE SAFETY SYSTEMS OF AC600

W. NIU, X. ZENG
Nuclear Power Institute of China,
Chendu, China

Abstract

The first step conceptual design of the 600 MWe advanced PWR (AC-600) has been
finished by the Nuclear Power Institute of China. Experiments on the passive system of AC-
600 are being carried out, and are expected to be completed next year.

The main research emphases of AC-600 conceptual design include the advanced core,
the passive safety system and simplification. The design objective of AC-600 is that the
safety, reliability, maintainability, operation cost and construction period are all improved
upon compared to those of PWR plant. One of important means to achieve the objective is
using a passive system, which has the following functions whenever its operation is required.

providing the reactor core with enough coolant when others fail to make up the lost
coolant,
reactor residual heat removal,
cooling and reducing pressure in the containment and preventing radioactive
substances from being released into the environment after occurrence of accident (e.g
LOCA).

The system should meet the single failure criterion, and keep operating when a single
active component or passive component breaks down during the first 72 hour period after
occurrence of accident, or in the long period following the 72 hour period.

The passive safety system of AC-600 is composed of the primary safety injection
system, the secondary emergency core residual heat removal system and the containment
cooling system. The design of the system follows some relevant rules and criteria used by
current PWR plant. The system has the ability to bear single failure, two complete separate
subsystems are considered, each designed for 100% working capacity. Normal operation is
separate from safety operation and avoids cross coupling and interference between systems,
improves the reliability of components, and makes it easy to maintain, inspect and test the
system.

The paper discusses the technical feasibility and reliability of the passive safety system
of AC-600, and some issues and test plans are also involved.

1. DESCRIPTION OF THE PASSIVE SAFETY SYSTEMS OF AC-600

The AC-600 design is based on the Qinshan phase II standard PWR nuclear power
plant (2X600 MWe). Successful experience derived from QS-II is incorporated in the AC-
600 design as far as possible, but the AC-600 plant will be an improvement on QS-II. AC-
600 will become a major type of reactor for the next generation 600 MWe nuclear power
plants in China. It has a large safety margin of operation because of the small power density
of the reactor core. The high natural circulation cooling ability due to the small flow
resistance of the primary system loop is very useful for reactor core decay heat removal

183
during accidents. The major design goals of AC-600 are (1) to enhance reactor safety and
reliability, (2) to improve economics, (3) to increase nuclear plant availability, and (4) to
shorten the construction schedule and lengthen plant life time.

The AC-600 advanced PWR thermal power is 1930 MW with an electrical power of
600 MW. The total reactor height is 19.1 m with a maximum out side diameter of 5.04 m.
The total coolant flow rate is 32100 t/ h. The reactor coolant system consists of two loops
with an operation pressure of 15.6 MPa.

Three key approaches, i.e, advanced core, passive safety systems and simplified
systems, have been adopted in AC-600 design. The design features are as follows:

(1) Advanced Core

Addition of grey control rod and utilization of Gadolinium burnable poison,

Arrangement of stainless steel reflector,
Reduction of core power density.

(2) Passive Safety Systems

In AC-600, the safety systems, except for the low pressure safety injection pump
which is active to carry on the long-term recirculation during LOCAs, are all passive safety
systems, including:

Emergency Core Residual Heat Removal System(ECRHRS)

The passive emergency core residual heat removal system on the secondary circuit
side is mainly used in the event of station blackout, main steam line rupture or loss of
feedwater. An independent emergency core residual heat removal tram consists of one
emergency feedwater tank and one emergency air cooler as well as associated piping, valves
and instruments. Each reactor coolant loop has one train. Two trains constitute the AC-600
ECRHRS. When station blackout occurs, the decay heat generated hi the reactor core can
be removed through use of natural circulation flow in the primary coolant system, the
secondary coolant and the atmosphere.

Safety Injection System

The AC-600 safety injection system, similar to that of the existing PWR plant, is
divided into a HP injection subsystem, a MP injection subsystem and a LP injection
subsystem as well as the corresponding recirculation systems. The HP injection subsystem
mainly consists of two core makeup tanks hi which water pressure is the same as the reactor
coolant pressure. The MP injection subsystem mainly consists of two accumulators with an
operating pressure of 5.2 MPa. The HP and MP injection subsystems are all passive.
Containment Cooling System

This system, utilizing completely passive equipment, consists of the containment

cooling water storage tank located on the top of the containment and cooling water sprayers.
It eliminates the need for the containment spray system in the current PWR plant as well as
the need for an intermediate circulation cooling medium such as the component cooling
water, resulting in a saving in investment and in an improvement in system operational

184
reliability. The system is used to remove the heat from the inside to the outside of the
containment during LOCA or main steam line rupture located inside the containment. First,
the water in the tank on the top of the containment will be sprayed onto the surface of the
steel shell of the containment by gravity, cooling the shell so as to decrease the pressure and
the temperature. After emptying the tank, the natural circulation flow of air through the
annulus between the steel shell and the concrete shell can remove the heat continuously. At
the same time, the low head safety injection/recirculation pumps which are installed in the
containment sumps can withdraw the borated water from the sumps into the reactor coolant
system. The water absorbs the core decay heat and flows out through the break point (in
LOCA conditions).

These passive systems guarantee the completion of the safety functions - residual heat
removal, RCS inventory control, short-term LOCA safety injection, long-term LOCA
recirculation, containment spraying and cooling following a transient and/or accident.

(3) Simplified System

The SG and pumps are connected into a single structure, eliminating the U-shape
cross-over leg of the coolant pipes, improving the post-LOCA safety, decreasing the
resistance in the primary circuit and enhancing the natural circulation capability of the
primary circuit;
The use of the passive safety systems and the decrease of boron concentration in the
RCS eliminate and/or simplify such system as the auxiliary feedwater system, and the
boron recycle system as well as the HP safety injection pump.
Most of safety grade components are arranged within the containment, resulting in
the reduction in the safety graded buildings volume and capital cost.

Except the three major features mentioned above, the advanced I&C technology and
modular construction approach are also employed to improve the AC-600 performance and
reduce the construction schedule and cost.

The schematic diagrams and drawing of the passive system of AC-600 are shown hi
Fig.l, Fig.2, and Fig.3. Nomenclature, list and quantity of the main components included
hi the system are given in Table. 1.

2. Feasibility and reliability

The reliability of the passive safety system refers to the ability of the system to carry
out function under the prevailing condition when required. The feasibility shows the
reliability, maintainability, availability and the economic advantages of the system. The
feasibility includes technical realization, economics, public acceptance and political support
by the government, etc.

Feasibility and reliability are closely related to each other and should be considered
comprehensively in the system design. The reliability is not the best as it is set the highest.
In China, the development of nuclear power plant is restricted by its economies and
technology level in the country. The economic estimation of the system is one important part
of its feasibility research.

Based on the specialized safety systems of the standard nuclear power plant, the
passive safety system design is feasible for a developing country. So this design can absorb

185
 1 Reactor
2 Stean generotor
3 Pi »nary punp
4 Core nakeup tank
5 Accumulator
6 Cortuinnent suno
7 LP injection punp
8 Pressur.zer

FIG. 1. Safety Injection System.

| mam steam
-ÍX3- -Och-—,

-A-
- — -H/l- — — - f e e d w a t e r

containment

1 steam generator
2 emergency f e e d w a t e r tank
3 emergency air cooler

FIG. 2. Emergency Core Residual Heat Removal System.

186
 concrete containner-t
steel containment
annuluE
cooling w a t e r sprayer
air outlet
cooling w a t e r storage Tank
air inlet

FIG. 3. Containment Cooling System.

Table 1

No: Name Quantity

1 core makeup tank 2
2 accumulator 2
3 emergency water tank 2
4 special sump 2
5 low pressure safety injection pump 4
6 emergency air cooler 2
7 water storage tank 1

successful experiences derived from the standard NPP and lessens the large research
investment. In the system design, in order to improve the reliability of the system, the
following subjects must be considered:

(1) Under the precondition of ensuring the function, the system should be designed
simplified and standardized as much as possible. The simplification of the system is
involved not only in its components but also in its operation.
(2) To meet the single failure criterion, it is necessary to avoid the cross and intersection
between systems and to make the systems independent.
(3) The system is designed to a high level of safety which is obtained by an adequate
level of redundancy in key components. All of these improve the reliability of the
key components as well as the system. The key components include:

The active components in the passive safety systems, such as the LP injection
pump;
The equipment with mechanical action when it is operating, such as the fail
open valves of the ECRHRS;
Instruments for inspecting and monitoring.

187
(4) The monitoring and control system provides an automated diagnosis of the state and
operating conditions of the NPP. Monitoring and presentation of the information on
the reactor coolant system, on all the safety-related systems, on the containment, on
all operating conditions of the NPP and remote control of these systems are carried
out. A post-accident monitoring system is provided to estimate the state of the NPP
facilities and to present information important to safety.

(5) Integrity of the passive safety systems is provided by appropriate design and
provisions, such as in-service inspection, monitoring, test and quality control. All
components of the passive safety systems are subject to strength calculation under
design conditions, and to stress, strain and seismic analyses under design basis
accidents. The detection of leak before break is also used in the operation of system.

All the above mentioned are not the only subject for improving the system reliability,
there are still other items such as power source, inspecting signal, etc. whose failure may
lead to decreasing the system reliability. To improve the reliability of individual components
within a system is to improve the system reliability as a whole.

3. FEASIBILITY AND RELIABILITY OF AC-600

3.1. Features of the system design of AC-600

(1) The design of the system follows some relevant rules and criteria used by current
PWR plants. The system has the ability to withstand single failures. Two complete
subsystems have been designed, each designed for 100% working capacity.

(2) The separation between normal and safety operation makes the systems dedicated to
their function and avoids the use of common components in different systems,
improves the reliability of components and makes it easy to maintain, inspect and test
the system.

(3) The passive core makeup tank (CMT) takes the place of the HP injection system used
in current standard PWR nuclear plants, so the HP injection pump and its
mechanical/electric system are all eliminated. The CMT can operate at full pressure
of the reactor core coolant, injecting rapidly and efficiently plenty of cold water into
the core by gravity, avoiding the failure caused by electric power or other active
component failure and the difficulty of water injection into the core due to the high
coolant system pressure.

(4) The passive emergency core residual heat removal system replaces the secondary side
residual heat removal system which consists of an emergency feedwater system and
emergency steam release system. This replacement avoids failure due to a secondary
system accident. Because the system is designed to operate with closed natural
circulation by natural laws, such as evaporating, convection and gravity, its reliability
is improved and its operation is not restricted by volume of a water source or by
time.

(5) The passive containment cooling system replaces the containment spray system, and
eliminates the boron injection subsystem used in standard NPP. The containment
sump takes the place of the refueling water tank and the recirculation sump which
serve both as the water sources of LP injection and recirculation, and this replacement

188
 eliminates the exchange between two operation models mentioned above, simplifies
the specialized safety facilities, makes the operation convenient and reliable and
improves the inherent safety of the system.

(6) The components of the passive safety system, located on the primary coolant system
side, are arranged in the steel shell of the containment; such a measure reduces the
possibility of radioactive medium leakage from the system and/or component, and
improves the inherent safety of the NPP.

(7) In order to improve the feasibility of the safety injection systems, AC-600 design is
based on the principle of a combination of passive and active features. There are two
full pressure CMTs, two accumulators and four low head safety injection
/recirculation pumps which are installed in the containment sumps. In a large LOCA,
the flow rate into the RCS from a CMT is larger than that from a high head safety
injection pump in the conventional design. It is necessary for AC-600 to use an
active pump which can perform the functions of the low head safety
injection/recirculation system.

(8) The measures of increasing the vertical distance between the steam generators and the
reactor core and reducing the primary flow resistance are used in the AC-600 design
to increase the natural circulation cooling flow rate of the primary coolant system.
If the reactor operates at 25 % of the rated power, the natural circulation flow rate is
about 4852 t/h (15.12% of the rated flow rate) after the reactor coolant pumps shut
down. The natural circulation flow rate increase is a very important part of AC-600
passive safety.

(9) For operation of the safety injection system, except the subsystems of low pressure
active safety injection and recirculation, sources of alternating current are not
required. The air-operated valves needed for the function of emergency heat removal
are air driven by compressed air from compressed air storage tanks. The power
supply of the subsystems for low pressure active safety injection and recirculation are
provided by diesel-generators or by offsite power source (during the recirculation
stage after LOCA). In the passive emergency core residual heat removal system, the
fail open valves on the piping are driven also by compressed air.

(10) The passive safety systems of the AC-600 design are based on the specialized safety
systems of current NPP. The design and manufacture of the components of the
passive safety systems such as tanks, valves, are all mature. The operating conditions
of the components are good and based on previous experience and the economy is
also good due to reduced need for research and development investment. All the
above mentioned prove that the feasibility of the system is improved as measured by
its reliability.

3.2. Failures of AC-600

The following accidents will be analyzed for the AC-600 design in order to provide
some important parameters for AC-600 engineered safety system design and safety
assessment.

Increase of heat removal by the secondary system;

Decrease of heat removal by the secondary system;

189
 Decrease of reactor coolant system flowrate;
Reactivity and power distribution anomalies;
Increase in reactor coolant inventory;
Decrease in reactor coolant inventory;
Radioactive release from a system or component;
Anticipated transients without scram.

List of beyond design basis accidents (severe accidents):

Total loss of ultimate heat sink;

Loss of main and auxiliary feedwater;
Station blackout;
Loss of safety injection pumps.

4. MAJOR RESEARCH SUBJECTS OF AC-600

As it is a new concept and replaces the specialized safety systems used by the
standard NPP by passive safety systems, there are still many problems about the feasibility
and reliability of the systems to be researched.

During the 8th five-year plan (1991-1996), NPIC undertook the AC-600 overall
design and research and AC-600 key technology test and research development subjects
assigned by the State Scientific and Technological Commission and CNNC. Some of these
subjects relating to the passive safety systems are as follows:

1) Integrated design and research on AC-600 main equipment, passive safety systems
and simplified systems;
2) Full-pressure core makeup tank test and research;
3) Passive containment cooling system wind tunnel test and research;
4) Secondary side passive emergency core residual heat removal system test and
research;
5) Passive LP safety injection/recirculation system test and research;
6) Research on the system redundant principle;
7) Test and research on instruments for inspection and control;
8) The system failure model and reliability research.

During the 9th five-year plan (1996-2000), NPIC will place the emphasis on the key
technology peculiar to AC-600 and engage in design and test on the design technology,
advanced nuclear power techniques and key equipment encompassing 33 subjects. By the
year 2000, NPIC will have completed the AC-600 nuclear plant preliminary design, key
technology research and key tests with a good knowledge of the complete design technology
to the extent that a utility order for an AC-600 plant can be accepted and AC-600 engineering
conditions will be essentially prepared. The major design and test subjects on the passive
safety systems are as follows:

(1) Tests and research on the passive containment cooling system entirely;
(2) Mock-up test and research on the passive safety systems;
(3) Typical nuclear grade valve development;
(4) Tests and research on pumps immersed in water.

190
 The research on the above subject is proceeding well. By the end of the 8th five-year
plan, NPIC will have completed not only the research on some subjects but also the AC-600
PWR plant overall design.

In the design and research subjects, many up-to-date techniques are used for core
design optimization, the passive safety system design and the simplified system design. The
computer codes and data base will start to be established for AC-600 accidents analysis.

In the test subjects, emphasis is placed on the emergency core residual heat removal
system, passive containment cooling system, etc, together with corresponding tests, and
research reports to provide a test data base for use in the safety review.

NEXT
!eft

191
 A FEASIBILITY ASSESSMENT FOR INCORPORATION OF XA9743169
PASSIVE RHRS INTO LARGE SCALE ACTIVE PWR

S.-O. KIM, S.Y. SUB, Y.-S. KIM, M.-H. CHANG, J.-K. PARK
Korea Atomic Energy Research Institute,
Taejeon, Republic of Korea

Abstract
A feasibility study was carried out for the possible incorporation of passive
RHRS (Residual Heat Removal System) into a large-scale of active PWR plant.
Four kinds of system configurations were considered. For each case its
performance and impacts on plant safety, cost, licensing, operation and
maintenance were evaluated. The evaluation came up with a finding of PRHRS with
a gravity feed tank as most probable design concept. However, considering
rearrangement of structure and pipe routing inside and outside containment, it
is concluded that implementation of the PRHRS concept into well developed
active plants is not desirable at present.

1. Introduction

The efforts of worldwide nuclear industries toward improving the safety of

nuclear reactors can be categorized into two basic but quite different
approaches; namely, evolutionary improvements to the current large LWRs and
revolutionary path with passive safety concepts. The key objectives of these
two approaches, however, lies in the same target; that is, achieving the
increased general public acceptance in nuclear power plants by enhancing the
safety itself of those reactors compared with the currently existing reactors.
In active plants decay heat is removed by the active Residual Heat Removal
Systems (RHRS) in case of design basis events, but for beyond design basis
events such as loss of active RHRS, total loss of feed water and station
blackout, alternative path of decay heat removal would be necessary. At the
case of beyond design basis events in advanced evolutionary plant designed in
accordance with the EPRI-URD(USA), core decay heat removal is accomplished by a
one-through cooling process in a way that water is injected directly into the
reactor vessel downcomer via normal safety injection system and is bleeded
through vent valves of SDS( Safety Depressurization System) to the
IRWSTdncontainment Refueling Water Storage Tank). IRWST cooling is provided by
the safety grade component cooling water system through RHRS heat exchanger or
containment spray system heat exchanger[1]. Once feed and bleed operation
starts, the contaminated reactor coolant would be relieved to the containment.
The contamination of inside containment from feed and bleed operation may have
plant operator be reluctant to actuate the safety depressurization valves even
when required. On the other hand, PRHRS does not discharge reactor coolant
inside containment. Thus to reduce operators' burden of SDS operation and to

193
reduce the impacts of SDS operation by operator mistakes, PRHRS needs to be
considered as a supporting system to the existing active one. PRHRS design
concept has been widely used in small passive plants such as AP600, SIR and
MS300/600. The PRHRS in AP600 is designed as safety-related system and removes
residual and/or decay heat from the primary coolant system to the containment
through PRHR heat exchanger s (HXs) submerged in the IRWSTC2]. In the SIR and
MS300/600 design , the decay heat removal system is not the same as the system
in AP600, but the design concept of the decay heat removal system is based on
passive functions.
The purpose of this study is to look for the possible incorporation of the
PRHRS into the large-scale active plant to back up the existing active system
by assessment its performance, safety benefits, and impacts on cost and
licensing.

2. System design and performance analysis

The existing safety-related systems of active plants(advanced evolutionary

PWR) satisfy all the acceptance criteria of licensing regulations for the
licensing design basis events and even for the beyond design basis events, e.g.
total-loss-of-feedwater, etc. In active plants, PRHRS can be designed as a
safety-related or non-safety-related system. Considering the satisfactory level
of the active plant safety and the cost for development of PRHRS, the PRHRS
need not to be a safety-related system. PRHRS designed as non-safety-related
system can provide an additional capability for the removal of residual or
decay heat from RCS in the case of beyond design basis events before actuation
of the SDS isolation valve for core cooling.
To implement PRHRS into the large-scale active plant, System80+ design is
selected as a reference plant. The basic concept of the PRHRS considered for
the study is to transfer the primary heat load by natural circulation through
PRHRS heat exchanger to secondary system. When the normal decay heat removal
system including steam generator is no more available, the reactor coolant
flows from hot leg to PRHRS and return to steam generator outlet chamber by
density difference and gravity force. The PRHRS then transfers the primary
decay heat to the secondary system via PRHRS heat exchangers. However for the
heat removal from primary loop to the ultimate heat sinks through PRHRS heat
exchanger, there may be various design concept to be considered. For comparison
with system performance and cost impacts of each approach, all the case of
PRHRS heat exchanger in the primary system design concept is located at the
elevation of 146' and the the specification of heat exchanger is similar to
APSOO's, that is, 0.75" in tube outside diameter, 0.11" in tube thickness and
1.5" pitch of each tube. Furthermore Westinghouse test results of AP600 PRHRS
HX are used as for the boiling heat transfer coefficients. The primary pipe is
selected 14" nominal diameter with schedule 160 which is the same as the

194
System80+ design safety injection pipe. The system performances were analyzed
by RELAP5 MODS computer code by modelling the reactor vessel, one-loop of RCS
and connected PRHRS.
For heat removal of primary system to the ultimate heat sink, the most
easily applicable approach is to remove the containment heat via containment
spray system. Since the containment heat removal performance by the containment
spray system already has been verified in operating active plants, the system
performance would be very effective. However, if the containment spray system
actuates, the sprayed water with a high boron concentration may significantly
contaminate the equipments inside containment. Thus this concept has little
advantage compared with SDS.
To prevent the equipments inside containment from exposure to highly
concentrated boron, CCW(Component Cooling Water) can be supplied directly to
the PRHRS heat exchanger which is a very similar approach to the active normal
RHRS except using RHRS pump. Since the mechanical pump seal is very weak
against the high RCS temperature for a long time, the primary heat is removed
by natural circulation without RHRS pump(Fig-1). The PRHRS heat exchanger is
located elevation 146' in horizontal direction. The CCWS is supplied at 8000
gpm with 120°F which is the same condition for the active RHRS operation. For
three cases of heat exchanger with 4m in tube length but different number of
tubes(1000,1500,2000), the performance was evaluated. As shown in Fig-4, The
primary temperature reaches the normal RHRS operating condition within 14 hrs.
Considering the active RHRS performance of System80+ which takes 6 hrs for cold
shutdown after RHRS actuation with single train, this approach accomplishes the
safe shutdown requirements even for the beyond design basis events. The
secondary temperature always lies below 100C. This means that CCWS design
pressure and temperature of reference plant are not affected by this concept.
However, CCWS heat load is almost twice the normal operation condition so that
the heat removal capacity of CCWS should be resized for this design concept.
Removing decay heat from PRHRS to the ultimate heat sink without using the
existing active system, the gravity feed concept from an external tank to the
PRHRS heat exchanger would be applicable(Fig-2). When PRHRS actuated, hot
reactor coolant comes into PRHR HX primary side and the heat transfer at
outside heat exchanger will then be made by boiling mechanism. The steam
generated in the heat exchanger goes out to external tank upperside to make
dynamic pressure balance. Five cases were evaluated for heat exchanger sizing.
As shown in Fig-5, the hot leg temperature of all the cases reaches normal RHRS
operating condition within 14 hrs. The preliminary sizing of components
necessary for this concept estimates 4m in minimum heat exchanger tube length
and about 2.5m2 in cross section area of heat exchanger. The required external
tank size is dependent on PRHRS operation time as shown in Fig-7.
Another concept considered is to adopt a secondary circuit which has external
heat exchanger and external water tank located highly elevated level outside

195
 Containment

Fig-1 PRHRS supported by CG WS

oo

Fig-3 PRHRS with, Secondary Circuit

 Containment

Fig-2 PRHRS witii Extenal Gravity Feed System

 350
300 Tube Length : 4m
g 250
3 200H
8, 150H
E
H 100
50
0
0 4 6 8 10 12 14 16 18 20
Time after PRHRS actuation

Tube Number: 1000 H— Tube number: 1500 ->K- Tube number :2000
CCWS Temperature —— Reference (400F)

Fig-4 PRHRS Performance Curve

(PRHRS with CCWS)
8
340
320
S 300
CD
I
CD
280
8. 260
E
£ 240
220

200

180
4 6 8 10 12 14
Time after PRHRS acîuation(Hrs)

Length:3m, No.:2000 —h- Length:4m, No.:2000 Length:6m, No.:2000

-Q- Length:6m, No.:3000 -X- Length:6m, No.:4000 Reference(400F)

Fig-5 PRHRS performance curve

(PRHRS with Gravity Feed System)
containment(elevation 170') (Fig-3). The transferred heat to the PRHRS heat
exchanger inside containment is rejected to the ultimate heat sink through
secondary loop by natural circulation. Inside PRHRS heat exchanger single phase
heat transfer occurs between primary and secondary coolant but boiling heat
transfer will occur in the external water tank where an external heat exchanger
is submerged. The preliminary sizes of primary and secondary circuit heat
exchangers for this concept were assessed. The external heat exchanger consists
of 4000 tubes with 6m in length whose bottom is located at 170' elevation.
Three cases for the number of heat exchanger tubes such as 2000,3000 and 4000
were evaluated. All the case can meet safe shutdown requirements for the
passive plant specified EPRI ALWR-URD but the performance is not better than
the gravity feed system concept(Fig-6). During the PRHRS operation of this
concept, the high temperature and pressure of secondary system should be
maintained to achieve effective heat transfer in the secondary circuit. The
required volume of the external water storage tank with respect to operation
period is shown in Fig-7.
Comparing the performance analysis results of all the design concepts with
the same heat transfer area. The PRHRS supported by gravity feed tank and PRHRS
supported by CCWS shows tbe better performance for cooling of the primary
system. However, in system design point of view, PRHRS supported by CCWS may
has impacts on the CCWS heat removal capacity and PRHRS with secondary circuit
needs more components than the system with gravity feed system.

3. Assessment of lapact

The implementation of PRHRS into the well designed active plants may cause
some impacts on safety, economy, licensing and etc., either in a positive or
negative direction. The assessment of impacts was thus carried out focussing
mainly on the safety and cost aspects.

3.1 safety benefit

PRHRS will provide as positive effects on the beyond design basis events
such as,
0 Loss of active residual heat removal system including steam generator like
total loss of feed water,
0 Station blackout events.

In the case of total loss of feedwater event, the actuation of safety

depressurization valves can be avoided by PRHRS actuation. PRHRS also removes
the residual heat from RCS at the event of station blackout so that the
possibility of RCP seal failure can be reduced, accordingly the above two
events, PRHRS will improve the plant safety.

201
180
O 8 12 16 20 24 28 36
Time after PRHRS Acîuation(Hrs)

Length:6m No.:2000 Length:6m No.:3000 H- Length:6m No.:4000 —— Ref Temp(400F,204C)

Fig-6 PRHRS Performance Curve

(PRHRS with Secondary Loop)
 lOUU

1600-
^
1400-
^
c*r
<
1200-
/^
//
^m • ^"»** *^

> 1000- s

-S£
c
.to
\— Qnn-
ouu J>
//
P
i- 600-
/
<o
ce. /
/
400- /

200-

n- / 10 15 20 25 30 35 40
Time after PRHRS actuation (Mrs)

Fig-7 Required External Water Supply wrt PRHRS Operation

However, in the plant performance aspects, there would be two types of events
which are affected by implementing the PRHRS. One is the main steam line break
event and the other the inadvertent operation of PRHRS. The main steam line
break (MSLB) with simultaneous operation of PRHRS may overcool the RCS and thus
result in the return to power of the core. But this event can be excluded by
proper design consideration such a way that during normal operation the PRHRS
isolation valves are at closed state with proper interlock. When the system
required, the PRHRS can be actuated by manual action in accordance with the
administrative procedure. The above design and operational provisions make the
probability of inadvertent PRHRS operation extremely low, and thus the MSLB
with simultaneous operation of PRHRS can be excluded from a licensing basis
event. In the case of an inadvertent operation of PRHRS during normal operation
the nuclear power increases quickly, but the plant is expected to respond
safely by proper actuation of the plant protection system.

The Core Damage Frequency (CDF) reduction effect by implementing PRHRS in a

large-scale active plant based on System 80+ Probabilistic safety
assessment (PSA) was evaluated with the assumptions that, in transients, PRHRS
makes reactor safe for 24 hours and PRHRS is normally isolated from RCS by
closed valves. From this evaluation, the CDF reduction effect turns out to be

203
about 20% in CDF of the reference design[l,6]. The PSA results are summarized
in Table-1. The CDF reduction effect by implementing PRHRS is, however,
evaluated to be small because CDF of the reference design is very low even to
ALWR design requirements. For a reference, USNRC mentioned that the goal of CDF
is l.OE-4 per reactor year[3,4] and EPRI ALWR URD requires l.OE-5 per reactor
year as CDF goal[5].
While PRHRS has a reduction effect for CDF, there is also adversary effect on
CDF. The introduction of large number of heat exchanger tubes which would
result in the reactor coolant pressure boundary expansion, yields additional
LOCA paths. The primary circuit of PRHRS consists of suction and discharge pipe
lines and heat exchanger with huge number of small tubes. This configuration
results in increasing the probability of LOCA occurrence. The possible LOCA
types will be medium and very small LOCA's such as PRHRS loop pipe break and
the PRHRS heat tube break. This effects will also increase the CDF probability.

Table-1. Comparison of CDF reduction effect with/without PRHRS

in Sys80+ design
Event System 80+ CDF CDF Reduction CDF Expectation
Internal 1.7E-6 2.0 - 4.0E-7 1.3 - 1.5E-6
External 3. 3E-7 1.0 - 2.0E-7 1.3 - 2.3E-7
Shutdown 8. 3E-7 1.7 - 3.4E-7 4.9 - 6.6E-7
Total 2. 9E-6 4.7 - 9.4E-7 2.0 - 2.4E-6

3.2 Cost impacts

The implementation of PRHRS into the well developed existing plants would
have impacts on the containment configuration rearrangement to accomodate a
PRHRS heat exchanger inside containment at the elevated level to maintain
natural circulation of primary fluid. PRHRS also requires extra containment
penetration paths to remove primary residual heat to outside containment.

PRHRS supported by CCWS say have impact on the CCWS heat removal capacity and
requires long run of CCWS pipe line with large size. Redesign of CCWS and
system piping extension will require additional capital costs.

For the PRHRS with passive support system, there needs also large size of
external water storage tank and/or heat exchanger outside containment building.
It is also requisite to test PRHR HX performance. The tests need to be made for
performance of PRHR heat exchanger and operability. The whole activity for test
is to be estimated nearly one year. Approximately 10M$ of capital costs
including system development, containment configuration change and tests is
expected.[6]

204
 For maintenance and operation, not great effects are anticipated due to PRHRS
because PRHRS is composed of passive components such as tanks and heat
exchanger, etc. It is generally estimated about 2x of capital cost

3.3 Licensing iipacts

The other impacts due to PRHRS implementation may related to the licensing.
In licensing aspects, there may be some discussions on the adversary effects of
PRHRS on safety. However, if the PRHRS designed as non-safety related system
serves as a back-up system to support the active one, there would be no arguing
problems because the system does not have any safety functions.

4.0 Conclusion

The overall assessment based on the more or less quantitative analysis came
up with that a PRHRS concept with a gravity feed tank outside containment is a
most preferable design as a back-up system to support the existing active
system. This concept can be implemented by adding a PRHRS heat exchanger inside
containment or by exploiting steam generator with gravity feed tank outside
containment. However, to implement PRHRS into well developed active plant such
as System80+, large amount of development and capital cost could be expected.
Thus it is concluded that the incorporation of the PRHRS concept into large
scale active plants, is not desirable at present. However if nuclear
environment changes such as safety policy and public acceptance of SDS
operation, PRHRS concept will be one of strong candidates for decay heat
removal means at the case of beyond design basis events for active pressurized
water reactor.

REFERENCES

1. ABB-CE, System 80+ Standard Design CESSAR-DC, Amendment o. May 1993

2. WH, AP600 Standard Safety Analysis Report, Revision 0, June 1992
3. USNRC SECY-90-016, ALWR Certification Issues and their Relationship to
Current Regulatory Requirements, Jan. 1990
4. USNRC SRM on SECY-90-016, July 1990
5. EPRI ALWR URD Volume 1 : ALWR Policy and summary of Top-Tier Requirements,
Mar. 1990
6. M.H. Chang,et al, "A Feasibility study for incorporation of passive design
features into advanced pressurized water reactor". Proceedings of the 16th
Kaif-Jaif Seminar on Nuclear Industry Oct. 25-26,1995, Tokyo Japan

205
 PASSIVE SAFETY SYSTEMS FOR DECAY HEAT XA9743170
REMOVAL OF MRX

M. OCHIAI, H. JJDA, T. HOSffl

Nuclear Ship System Laboratory,
Japan Atomic Energy Research Institute,
Ibaraki, Japan

Abstract

The MRX (marine Reactor X) is an advanced marine reactor, its design

has been studied in Japan Atomic Energy Research Institute. It is
characterized by four features, integral type PWR, in-vessel type control
rod drive mechanisms, w a t e r - f i l l e d containment vessel and passive decay
heat removal system.
A w a t e r - f i l l e d containment vessel is of great advantage since it
ensures compactness of a reactor plant by realizing compact radiation
shielding. The containment vessel also yields passive safety of MRX in the
event of a LOCA by passively maintaining core flooding without any
emergency water injection. Natural circulation of water in the vessels (
reactor and containment vessels) is one of key factors of passive decay heat
removal system of MRX, since decay heat is transferred from fuel rods to
atmosphere by natural circulation of the primary water, water in the
containment vessel and thermal medium in heat pipe system for the
containment vessel water cooling in case of long term cooling after a LOCA
as well as after reactor scram.
Thus, the idea of water-filled containment vessel is considered to be
very profitable and significant in safety and economical point of view. This
idea is, however, not so familiar for a conventional nuclear system, so
experimental and analytical efforts are carried out for evaluation of hydro-
thermal behaviors in the reactor pressure vessel and in the containment
vessel in the event of a LOCA. The results show the effectiveness of the new
design concept. Additional work w i l l also be conducted to investigate the
practical maintenance of instruments in the containment vessel.

Introduction

Design of an advanced marine reactor, MRX(1)-(3), which has been

studied in Japan Atomic Energy Research Institute (JAERI), is characterized
by four features, integral type PWR, in-vessel type control rod drive
mechanisms, a water-filled containment vessel and passive decay heat
removal system. The standard type of MRX is designed with an output of 100
MWt, but the concept can be applied to reactors with wide range of output
from 50 to 300 MWt. A conceptual view and major parameters ofthe 100
MWt MRX are show in Fig. 1 and Table 1, respectively.

207
 Containment vessel
x CV water cooling system
CV water x

Pressurerizer
Emergency decay heat
removal system (x3) \ Main coolant
pump (x2)

Watertight sheli Steam generator

•—-»
Reactor pressure ves

Core

Fig.1 A View of an Advanced Marine Reactor MRX.

A marine reactor should have smaller weight than that of a land based
reactor from the economic viewpoint of commercial ships. Most part of the
weight of the preceding marine reactors is contributed by the radiation
shielding. For instance, the total shield weight of the Nuclear Ship MUTSU
(N.S. MUTSU) is more than 70% of that of the reactor plant. In the design of
MRX, no bulk shield outside the containment vessel is required due to the
adoption of the integral PWR and the water-filled containment vessel. As a
result, MRX is considerably lighter in weight, more compact in size and
hence more economical than the reactors equipped in previously constructed
nuclear merchant ships(4). For instance, the plant weight and volume of the
containment vessel of MRX are 50% and 70% of those of the N.S. MUTSU's
reactor, in spite of the fact that the power of MRX is 2.8 times greater than
that of N.S. MUTSU's reactor.
A marine reactor should be able to be operated and also managed even
in case of accidents by limited number of crew. Therefore, passive safety
system is very profitable for amarine reactor. MRX has two kinds of passive
safety functions. The f i r s t kind is passively maintaining core flooding

208
 TABLE 1 MAJOR PARAMETERS OF THE MRX

Reactor Power 100MWt

Reactor Type Integral type PWR

Operation Pressure 12MPa

Core Inlet/Outlet Temperature 282.5/297.5 "C

Number of Main Coolant Pump 2

Core Equivalent Diameter 1.45m

Core Effective Height 1.4m

Control Rod Drive System In-Vessel Type

Number of CRDMS 13

Type of Steam Generator One-through Helical Coil Type

Inner/Outer diameter of SG tube 19/14.8 mm

Steam Flow Rate 160t/h

RPV Inner Diameter/ Height 3.7 m / 9.3 m

Type of the CV a water-filled type

Inner Diameter/Height of the CV 6.8 m ' 13.0 m

Design Pressure of the CV 4MPa

function in the event of a LOCA, and the other is passive decay heat removal
function after reactor shut-down. The w a t e r - f i l l e d containment vessel
satisfies both functions, therefore it is clearly profitable and significant
for MRX Since the idea of the water-filled containment vessel is not so
familiar for conventional nuclear systems, the feasibility of the idea is
being examined experimentally and analytically.
This paper describes the present status of experimental and analytical
works for evaluation of hydro-thermal behaviors in the reactor vessel and
in the containment vessel in the event of a LOCA.

Passive Emergency Core Cooling System of MRX

Emergency core cooling system (ECCS) of MRX consists of emergency

decay heat removal system (EDRS), containment water cooling system
(CWCS) and the water-filled containment vessel (CV). The EDRS is a closed
system which conveys decay heat from the core to the containment water by
the natural circulation of primary water. It includes three trains, each of
which has a full capacity to remove the core decay heat. Each train consists
of a hydrogen reservoir tank, a cooler, two valves and piping. If reactor trip
signal is generated, the battery operated valves of each train are opened.
The CWCS is a heat pipe system which transfers the heat of the containment
water to the atmosphere. It includes four trains, each of which has 1/3
capacity. A basic idea of the ECCS of MRX is shown in Fig. 2.

209
 A large-scale LOCA cannot occur in MRX, since only small size pipes (^
50 mm) exist in the primary system. In the case of a small-scale LOCA,
primary water blows down into the CV or a watertight shell (WS). In the
case of blow down into the CV, primary water vaporizes immediately and
then condenses rapidly. In the case of blow-down into the WS, primary
water evaporates within WS to cause WS inner pressure rise. After relief
valves are opened, vapor within WS f l o w s into the CV. In both cases, RPV
pressure drops, CV pressure rises by compression of N2, cover gas in the CV,
and temperature rises in the CV. Accordingly, CV pressure is equalized w i t h
RPV pressure to stop primary water discharge in around a half hour. By the
appropriate setting of the initial cover gas volume in the CV, it is possible
to maintain passively core flooding in MRXwithout any water injection. The
decay heat is transferred passively by the natural convection of primary
water in EDRS, CV water and CWCS working fluid after the blow down
termination. Therefore, no active operation except an active signal to open
valves in EDRS, is required to maintain reactor in cold shut down state even
in the event of a LOCA.
In the event of any other accident in MRX, including loss of electric
power, the reactor is automatically tripped and the EDRS valves are opened
w i t h active signals and passive power. Thus the reactor attains cold shut
down state passively without any other operations.

LOCA Analysis
The peak pressure in the CV is desired to be less than 2.0 MPato
assure enough safety margin, although the maximum design pressure of the

Containment Water Cooling System

DWCS) ( x 4 )

Emergency Decay_heat Removal System

(EDRS) (x3)

Hydrogen Reservoir Tank

Cooler

Isolation Valve

Steam Generatoi—•

Containment Vessel

Watertight Shell

Reactor Pressure Vessel

Fig.2 A Basic Idea of the ECCS of MRX

210
 CV in the MRX is 4.0 MPa. The minimum water level in the RPV must be 50
cm above the top of the core to maintain adequate core flooding even when
the ship inclines by 30 degrees (IMO Code of Safety for Nuclear Merchant
Ships). If initial cover gas volume in the CV is too large, the core may not be
covered with water before reaching pressure equilibrium in the event of a
LOCA. On the other hand, if too small, CV pressure might exceed design
pressure. Therefore, LOCA analysis has been conducted with RELAP5/Mod2
assuming 50 mm dia. pipe break, changing the initial CV cover gas volume.
The LOCA analysis model is shown in Fig. 3. The initial temperature
and pressure in the CV are 60 °C and 0.1 MPa, respectively. The volume of
the gap region between the RPV and the WS is 3 nf. The atmospheric
Vapour Phase in CV

Watertight Shell
Reactor Pressure Vessel

Line for Volume ^ontrol System <J> 50 mm

Pressurerizer

•fe*

Relief Valve

Containment Vessel

•I Heat Sturcture

—*• Junction
K Valve

Fig. 3. The LOCA analysis model.

temperature is 35 °C. Operating pressure and effective diameter of relief

valves on the WS wall are 0.2 MPa and 300 mm, respectively. A pipe break is
assumed to occur in the CV (case A) to evaluate the maximum CV pressure,
and in the WS (case B) to evaluate the minimum water level in the RPV. In
case A analysis the WS are assumed to be intact to evaluate CV pressure
conservatively.
The transient CV pressure obtained in case A analysis as a parameter
of the initial CV cover gas volume is shown in Fig.4(a), while the transient
RPV water level in case B analysis is shown in Fig.4(b). In the case of the

211
 V:The initial CV cover gas volume

2,000 4,000 6,000 8,000 10,000

Elapsed Time (sec)

Fig.4(a) Transient CV Pressure Obtained in Case A Analysis.

30

•=• 25
o
U
2.0 t
o.
P
1.5 f

1 O

0.5 f
G.
ET

00
2,000 4,000 6,000 8,000 10,000

Elapsed Time (sec)

Fig. 4(b) Transient RPV Water Level in Case B Analysis.

smaller CV cover gas volume, CV pressure goes past the equilibrium value
due to the higher compression rate of Na, as shown in Fig. 4(a). Figure 4(b)
shows that the RPV water level, when the initial CV cover gas volume
exceeds 30 m3, continues to decrease even after considerably long time,
because additional discharge is caused by cooling of CV water after CV
pressure reaches the same level as RPV pressure.
The maximum CV pressure obtained in case A analysis as a function of
the initial CV cover gas volume, and the minimum RPV water level in case B
analysis are shown in Fig. 5(a) and (b), respectively. According to these
figures it can be concluded that the initial CV cover gas volume of 27 m3
yields allowable CV pressure and RPV water level with enough margin of
safety.

212
Experiment on Condensation in highly Subcooled Water
The present analytical results show that the maximum CV pressure is
low enough to assure the integrity of the CV while still guaranteeing core
flooding during a LOCA. It can be also expected that no serious dynamic load
on the CV structures is induced by condensation in subcooled water in the
MRX, since CV structures are designed to endure high design pressures.
However, it might be possible for vapor injected out of the RPV not to be
sufficiently condensed in the CV water and to flow up into the cover gas
region, thus causing CV pressure to increase severely. Therefore, we are
conducting a small size experiment of the pipe rupture in highly subcooled
water to study the condensation rate and the CV pressure behavior.
Experimental apparatus consists of a primary vessel, a simulated CV,
a quick operating valve, a connecting pipe and a replaceable orifice which
allows various rupture sizes to be employed, as shown in Fig.6. Volume of
the primary vessel is scaled to 1 /300 of a 100 MWt MRX RPV. The maximum
operating pressure is 5 MPa, and the center line of the connecting pipe
locates at 1,200 mm from the bottom of the primary vessel. The primary
vessel is filled with saturated water at the initial pressure, while the
simulated CV contains water and nitrogen at room temperature. By opening a

0)
^
3

3 1

20 25 30 35 40
The initial CV cover gas volume (m^

(a) Effects on the maximum CV pressure in case A analysis.

25 30 35 40
The initial CV cover gas volume (m^

(b) Effects on the minimum RPV water level in case B analysis.

Fig. 5 Effects of the Initial CV Cover Gas Volume.

213
quick operating valve hot water and/or steam are discharged from the
primary vessel to the simulated CV through the orifice.
Main experimental parameters are direction of discharge, initial
primary vessel pressure and water level, initial water level in the
simulated CV and orifice diameter, as shown in Table 2. The major measured
parameters are the temperatures at five points, the pressure at one point in
the primary vessel, the temperatures at nineteen points, the pressure at
four points in the simulated CV and the water level of each vessel.
The measured transient behaviors of the pressure and the cover gas
temperature in the simulated CV are shown in Figs. 7(a) and (b). Figure 7(a)

*— "N E ä
SftTURflTED UflTER N2
•^-, __ (tD SflTURfiTED STEflfl

~^ ' QUICK OPERATING FIBER SCOPE

>
VflLVE
3=
2*5
§ 3
m

-JEOSL
=|¿Ihl=3^
60Qmt s
~-^ HEñTER ^ SUBCOOL UflTER "
^

^ 1 "j ' bllULPILU

r~| CONTñÍNNENT VESSEL
SItlULfiTED
PRIUftRY .'ESSEL

Fig. 6. Experimental apparatus.

TABLE 2. EXPERIMENTAL PARAMETERS

Direction of Discharge vertical or horizontal

The Initial Pressure in the Primary Vessel 2.0, 3.0,4.0 MPa

The Initial Water Level in the Primary Vessel 900 or 2,850 mm

Initial Water Level in the Simulated CV 0 ~ 3,000 mm

Diameter of the Orifices 3, 12.5, 20, 24, 35 mm

shows the experimental results in the case of initial water level in the
simulated CV of 30 mm height from the position of the orifice and Fig. 7(b)
of 600 mm height. The other conditions in both experiments are the same;
vertical discharge, initial primary vessel pressure of 2.0 MPa, initial
primary vessel water level 200 mm from the bottom, that is vapor blow
down, and orifice diameter of 35 mm. The lower water level produces larger
overshooting of the pressure, that is, a considerable amount of uncondensed
vapor exist transiently in the cover gas region.

214
 (MPa)

0.15

3
tn
CO
0)
a.
O
0.05

(sec)

(b) H=600 mm
(MPa) CO
02 200

015 150 f"

I CO
CO CO
S 01 100 C3
O_
O
Ü U
0.05 Temperature 50 >
O

10 15 20
(sec)
Time

Fig. 7. Transient behaviours of the pressure and

cover gas temperature in the CV.

A simple calculation has also been conducted to obtain the amount of

uncondensed vapor using measured values of the primary vessel pressure and
water level, the liquid and gas temperature m the simulated CV, and
neglecting the vapor in subcooled water in the simulated CV, that is,
assuming that all vapor m the simulated CV is saturated vapor at the
measured gas phase temperature. The calculation also yields the simulated
CV pressure. Figures 8(a) and (b) show the comparison of the calculated and
the measured pressures m the simulated CV; very good agreement is
obtained. These figures also show the amount of calculated vapor m the
simulated CV.
The uncondensation rate( n) as a function of the CV water level(H)
from the orifice position is shown in Fig. 9. The uncondensation rate n is
defined as the maximum vapor amount in the cover gas region divided by the
total amount of injected water until the amount of vapor in the cover gas

215
 (MPa)

(sec)

(b) H=600 mm
(MPa)
(kg)
01

0.15 0.075 O
CV Pressure
Sí /tit
3
in 3
S 0.1 005 g
o. Measured
o Calculated
0.05 Vapor Amount 0025

10 15 20
Time <sec>

Fig. 8. The calculated and the measured CV pressure

with the calculated vapor amount in in CV.

region reaches the maximum value. For both experiments (vapor blow-down
and liquid blowdown) it was found that a single correlation, as given by
Eq.(1), can be used to represent the uncondensation rate. This correlation
was obtained using curve f i t t i n g techniques.

n = 8.4 exp(-5.74H) (1)

Although more experiments are scheduled, test results to date do not

show the possibility of severe CV pressure rise in the MRX. Additional
correlations describing the uncondensation rate as a function of the orifice
diameter, RPV pressure etc., w i l l be obtained from the scheduled
experiments. These w i l l then be introduced into the TRAC code.

216
 O : vapor blow-down
• : Liquid blow-down

0.2 0.4 0.6 0.8

[m]
HEIGHT FROM THE ORIFICE (H)

Fig. 9. Correlation of the uncondensation rate.

Conclusions
An advanced marine reactor, MRX, which has been studied in JAERI is
considerably lighter in weight, more compact in size and hence more
economical than the reactors equipped in previously constructed nuclear
merchant ships. The passive safety system adopted in the MRX design is very
profitable for a marine reactor since it must be operated by limited number
of crew. The new idea of a w a t e r - f i l l e d containment vessel gives rise to
better economy and passive safety to the MRX. This new concept requires
analytical and experimental evaluation to assure the feasibility of the
w a t e r - f i l l e d CV. The following tentative conclusions are drawn f r o m the
present work;

(1) According to the LOCA analysis, the initial cover gas volume in a w a t e r -
filled containment vessel of 27 nf yields allowable CV pressure while
maintaining core flooding without any water injection with enough
safety margin.

(2) According to the condensation experiment, possibility of severe pressure

rise in a w a t e r - f i l l e d containment in the event of a LOCA was not
observed.

(3) A relationship describing the uncondensation rate was obtained from the
experiments. This is helpful to analyze in detail hydraulic phenomena in
the w a t e r - f i l l e d containment vessel in the event of a LOCA or MSLB(main
steam line break).

217
 Further work w i l l be conducted on safety analysis and condensation. In
addition to these, we w i l l study practical maintenance method of
instruments installed in a w a t e r - f i l l e d containment vessel.

REFERENCES

(1) Sako, K., et al. : Advanced Marine Reactors, MRXand DRX, Trans.
11 th Int. Conf. on Structural Mechanics in Reactor Technology,
Aug. 1991, Tokyo, p.357.
(2) K. Sako, et al. : Advanced Marine Reactor MRX, Int. Conf. on
Design and Safety of Advanced Nuclear Power Plants, Oct. 1992,
Tokyo, Japan, p.6.5-1.
(3) T. Hoshi, et al. : R& D Status of an Integral Type Small Reactor
in JAERI, ICONE-3, Apr. 1995, Kyoto, Japan.
(4) A. Yamaji and K. Sako : Shielding Design to Obtain Compact Marine
Reactor, J. Nucí. Sei. Technol., Vol. 31, No. 6, pp.510-520, 1994.

218
 GRAVITY DRIVEN EMERGENCY CORE COOLING XA9743171
EXPERIMENTS WITH THE PACTEL FACILITY

R. MUNTHER, H. KALLI
University of Technology

J. KOUfflA
Technical Research Centre of Finland

Lappeenranta, Finland

Abstract

The gravity driven emergency core cooling (ECC) systems are utilized as important components
of passive safety coolant systems of advanced reactors. Most of the published investigations
have been primarily concerned with the presentation of new concepts, a few of their computa-
tional analysis and even fewer studies have been addressed to the experimental investigation of
these systems.

PACTEL (Parallel Channel Test Loop) is an experimental out-of-pile facility designed to

simulate the major components and system behavior of a commercial Pressurized Water Reactor
(PWR) during different postulated LOCAs and transients /!/. The reference reactor to the
PACTEL facility is Loviisa type VVER-440. The recently made modifications enable experi-
ments to be conducted also on the passive core cooling. In these experiments the passive core
cooling system consisted of one core makeup tank (CMT) and pressure balancing lines from the
pressurizer and from a cold leg connected to the top of the CMT in order to maintain the tank
in pressure equilibrium with the primary system during ECC injection. The line from the
pressurizer to the core makeup tank was normally open. The ECC flow was provided from the
CMT located at a higher elevation than the main part of the primary system. A total number of
nine experiments have been performed by now.

A preliminary series of experiments with gravity driven core cooling was conducted with
PACTEL facility in November 1992 /2/. The simulated transient was a small break loss-of-
coolant accident (SBLOCA) with a break in a hot leg. In these tests a rapid condensation of
vapor interrupted the emergency core cooling flow several times. This behavior was found very
difficult to model in the RELAPS analysis of the experiments of the first phase. In order to
investigate this behavior more precisely, a second series of experiments with an improved
instrumentation of the facility was performed in November 1993 with a small break in a cold
leg. The tests indicated the that steam condensation in the CMT can prevent continuous ECC
and even lead to partial core uncovery. However, it should be underlined that these tests
presented here are not directly applicable to the safety analyses of any suggested design, because
of the major differences in the geometry between these concepts and PACTEL. Our objective
has been only to simulate the gravity driven ECC and thus to enhance the understanding of the
physical phenomena important in passive safety systems working with low differential pressures.

1. INTRODUCTION

Along with the normal evolution in LWR reactor designs several new interesting concepts have
been presented. These ALWR designs aim at plant simplifications and safety and operability
improvements. The principal tool being used to achieve a safer and simpler reactor is the use of

219
passive system designs. Unfortunately, it is not easy to confirm that passive safety systems
operate as intended under all the relevant conditions. More work is needed to evaluate the extent
of improvements in safety which can be realized.

Experiments conducted with thermal hydraulic test facilities are of fundamental importance in
nuclear power plant safety research. At the Lappeenranta University of Technology (LUT) work
has been carried out in this field in co-operation with the Technical Research Centre of Finland
(VTT), for over fifteen years. This paper provides the presentation of gravity driven emergency
core cooling experiments with PACTEL, their analysis and discussion of the phenomena related
to the experiments. The recently made modifications enable experiments to be conducted also
on the passive core cooling.

2. PACTEL FACILITY

The PACTEL facility simulates the major PWR components and systems during small- and
medium-size break LOCAs. The facility consists of a primary system, the secondary side of the
steam generators, and emergency core cooling systems (ECCS). The reactor vessel is simulated
by a U-tube construction including downcomer, lower plenum, core and upper plenum.

The facility is a volumetricaUy scaled model of the 6-loop VVER-440 PWR (The Finnish
Loviisa plant being the reference) with three separate loops and 144 full-length, electrically-
heated fuel rod simulators arranged in three parallel channels. The fuel rod simulators are heated
indirectly.

The reference reactor has certain unique features differing from other PWR designs. The VVER-
440 has six primary loops with horizontal steam generators. Due to the construction of the steam
generators the driving head for the natural circulation in small break LOCAs is relatively small.
The primary loops have loop seals in both the hot and cold legs. The loop seal is a U-shaped
bend in the leg piping connecting the steam generator to the pressure vessel. It is interesting to
note in the current context that the basic design of the VVER-440 reactor exhibits certain
inherent safety features that are again found by the new designs. The reactor core has low power
density and the primary circuit water inventory is large relative to the power. These
characteristics ensure smooth behaviour in transient conditions.

Volumetric scaling (1:305) preserving the elevations has been applied in the PACTEL design.
Maintaining system component heights and elevations is important for realistic simulation of
small break and natural circulation transients. The main characteristics of the facility are
presented in Table I.

3. PACTEL MODIFICATIONS AND TEST MATRICES FOR PASSIVE CORE COOLING

EXPERIMENTS

The passive core cooling system used in the experiments consists of one core makeup tank and
pressure balancing lines from the pressurizer and from a cold leg connected to the top of the
core makeup tank in order to maintain the tank in pressure equilibrium with the primary system
during injection. The line from the pressurizer to the core makeup tank is normally open. The
core makeup tank is located above the reactor coolant loops and steam generators, so the motive

220
TABLE I. MAIN CHARACTERISTICS OF PACTEL FACILITY
Reference power plant VVER-440
Volumetric scaling factor 1:305
Scaling factor for elevations 1:1
Number of primary loops 3
Maximum heating power 1 MW
Number of fuel rod simulators 144
Outer diameter of fuel rods 9.1 mm
Heated length of fuel rods 2420 mm
Axial power distribution chopped cosine
Axial peaking factor 1.4
Maximum temperature of fuel rods 800 °C
Maximum primary pressure 8.0 MPa
Maximum operating temperature 295 °C
Maximum secondary pressure 4.65 MPa

force for injection is the gravity head, Figure 1. The makeup tank used limits the primary
pressure to 5 MPa in the experiments. Since the PACTEL facility is not a model of any of the
proposed passive ALWR designs, the modifications in the facility are intended only to simulate
the gravity driven flow to the primary system. Neither automatic depressurization system (ADS)
nor special valves are simulated. The primary system is depressurized from the pressurizer relief
valve.

3.1 First series of experiments

The first stage of each experiment involved heating the facility to the proper temperature. Before
the tests the core power was set to 80 kW corresponding to 1.8% of the 1375 MW thermal
power of the Loviisa reactor. The fluid temperature and pressure reached a quasi steady state
near 220 °C and 40 bars and at this point the pressurizer heater power was reduced to 2 - 4 kW.
These conditions were maintained for about half an hour permitting the fluid to attain a more
uniform temperature and allowing the heat losses through flanges and support structures to
approach an equilibrium. The SG feedwater injection was adjusted manually to keep the water
level in the SGs constant. Because of the large water inventory on the secondary side no fast
automatic control was needed. Before each experiment, the CMT was filled to the top with
water at a temperature and pressure of about 40 °C and 38 bar, respectively.

The experiments were started by opening the break simulation valve in hot leg number 1 at time
t = Os. Three different break sizes (0 2, 4 and 6mm) were used. Simultaneously with the break
valve opening, the ECC line valve and the cold leg PBL valve were opened. The power of the
pressurizer heaters was turned off. The first two tests, GDE01 and GDE02, were terminated
when a rapid condensation of vapor in the CMT vapor space depressurized the CMT. Check
valves prevented the collapsed vapor space in the CMT to be filled with liquid drawn from the
ECC line. In order to investigate the flow restrictions in the ECC line the armature of the line
was varied during the three first tests. Neither the primary system nor the secondary system
were depressurized by the operator in the GDE01 and GDE02 tests.

In tests GDE03, GDE04, and GDE05 the secondary side valve was also opened. The primary
system was depressurized in stages through the pressurizer relief valve before the anticipated

221
CMT flow interruption in the GDE03 and GDE04 tests. For the large 6 mm (in dia.) break in
the GDE05 test no extra depressurization was needed. These three tests were terminated when
a thermal hydraulic status quo and a low pressure level was reached.The first series consisted
of five experiments, Table II.

Figure 1. Component elevations in the passive ECC system of the PACTEL.

3.2 Second series of experiments

The gravity-driven emergency core cooling system (ECCs) behaviour was investigated more in
the second phase of the tests with particular emphasis on break location, pressure reductions,
reproducibility of the condensation manouvered experiments and system operation for the case
of a small break LOCA. The major parameters and phenomena of concern during experiments
are the break mass flow rate and the associated total primary coolant mass inventory, coolant
distribution, different types and alternate paths of natural circulation in the loops, condensation
and related heat transfer characteristics. For the second set of experiments the instrumentation

222
TABLE H. TEST MATRIX/PHASE 1

DESCRIPTION FORESEEN PHENOMENA/AIMS NOTES

GDE01/ Investigation of the btowdown For all of PCC-tests initial primary

tow power process at tow pressure.Gravity pressure = 40 bars. Steady-state
(< 80 kW) 2.0% (4 driven ECC effectiveness. Ftow initial conditions.
mm) hot leg break regimes. Phase separation and
with gravity driven stratification. Condensation. Break
ECC. flow. Coolant distribution.
GDE02/ As above. Initial conditions as above.
2.0% (4 mm) hot leg Minimized flow restrictions in the
break with gravity ECC line.
driven ECC.

GDE03/ Effect of primary side As above. Primary and secondary

2.0% (4 mm) hot leg depressurization. side depressurization. Optimized
break. Gravity driven flow restrictions in the ECC line.
ECC with sudden
depressurization of
primary system.

GDE04/ Effect of break area. As above.

2.0 % (2 mm) hot leg
break. Gravity driven
ECC with sudden
depressurization of
primary system.
GDE05/ As above. As above. No depressurizations.
4.4% (6 mm) hot leg
break. Gravity driven
ECC.

of the facility was improved. In order to investigate the temperature stratification in the CMT
ten thermocouples were installed to the upper part of the CMT, Fig 2. The water level in the
CMT was measured with a pressure difference transducer. One loop of the three loop facility
was isolated. When compared to the first series of experiments, the main differences are that the
second series was carried out with two active loops, insulated PBLs and an improved instru-
mentation in the CMT.

The experiments were started by opening the break simulation valve in cold leg number 1 at
time t = Os. Two different break sizes (0 4 and 2mm) were used. Simultaneously with the break
valve opening, the ECC line valve and the cold leg PBL valve were opened. The power of the
pressurizer heaters was turned off. The first two tests, GDE11 and GDE12, were terminated by
operator at t= 3000s. Neither the primary system nor the secondary system were depressurized
by the operator in the GDE11 and GDE12 tests.

In test GDE13 the secondary side valve was also opened and the primary system was
depressurized in stages through the pressurizer relief valve before the anticipated CMT flow
interruption. This test was terminated at t=2000s by the operator.

223
 0900

Fig. 2. Temperature measurement in the CMT tank.

224
For the small 2 mm (in dia.) break in the GDE14 test no depressurization was used. A high
water level in the pressurizer was used in the initiation of the test in order to achieve circulation
through the CMT in the early stage of the transient. The test was interrupted immediately after
the condensation initiation at t=1170s. The test matrix is presented in Table III.

TABLE IE. TEST MATRIX FOR PASSIVE CORE COOLING EXPERIMENTS

TEST MATRIX/PHASE II
TEST/ FORESEEN PHENOMENA/AIMS NOTES
DESCRIPTION
GDE11 / Gravity driven ECC effectiveness. For all PCC-tests pressure = 40
tow power Flow regimes. Phase separation and bars. Steady-state initial conditions.
(<80kW), 2.0% stratification. Condensation. Break No depressurization of the primary
(4 mm) cold leg flow. Coolant distribution. or the secondary system.
break with Investigation of the blowdown
gravity driven process at low pressure. Break
ECCS. location.
GDE12/ As above. Reproducibility. As above. Initial conditions as well
2.0% (4 mm) as possible same as above.
cold leg break
with gravity
driven ECCs.

GDE13/ Effect of depressurization. As above. Depressurization of the

2.0% (4 mm) primary and the secondary
cold leg break systems.
with gravity
driven ECCs.
Sudden
depressuriza-
tion of the
primary system.
GDE14/ CMT natural circulation. As above without depressurizations.
0.5% (2 mm) Effect of break size. High pressurizer level at test
cold leg break initiation.
with gravity
driven ECCs.

4. THE RELAPS REPRESENTATION OF PACTEL

A base RELAP5/Mod3 input deck for PACTEL was modified to include the gravity driven
emergency core cooling system. The additions included the CMT and associated pressurizer and
cold leg pressure balancing connections. The model was composed of 257 hydrodynamic vol-
umes, 284 junctions, and 394 heat structures. Although this input served as a starting point for
the calculations, many modifications were made to it during the course of the analysis.
Revisions were made to the original model as new information became available and as input
déficiences were discovered. Those modifications that were expected to have the most effect on
these calculations, and the corresponding input changes are discussed next.

In the CMT, modelled as a cylinder, the effect of nodalization was investigated by changing the
number of CMT nodes. These calculations showed that there was no significant difference

225
between 2, 5 and 10 node CMT models for the overall CMT behavior. However, the amount of
rapid depressurizations of the CMT varied between 2, 5 and 10 node models and none of the
models corresponded to the amount or timing of the depressurizations in the tests. The results
with a CMT modelled as a branch did not give any prediction for rapid pressure drops in the
CMT.

It was also found that the modelling of pressure losses in the PBLs had a significant effect on
CMT depressurization behavior. Unfortunately no measured data was available for pressure
losses in the PBLs. A sensitivity study on pressure losses in the cold leg PBL, pressurizer PBL,
and the ECC line was performed and it was found that depressurization modelling was very
sensitive especially for the value of pressure loss in the cold leg PBL.

The junctions between the cold legs and the downcomer, and between the upper plenum and the
hot legs were at first modelled as crossflow junctions, but later modified as normal junctions in
order to achieve realistic flow paths and water levels in the upper plenum and the upper part of
the downcomer. The modelling of these junctions also had an effect on the heat loss distribution
in the primary system and this way to the primary pressure when the coolant flow was near
stagnation.

The subcooled discharge coefficient at the break was also varied for a better presentation of the
leak mass flow of the experiments.

5. COMPARISON OF TESTS AND COMPUTATIONS OF THE FIRST TEST SERIES

The test results from the transients performed in the PACTEL loop were compared to computer
simulations by the RELAP5/Mod3 program. The actual starting steady state conditions in
individual tests were used as input to the computer simulations. All the calculated transients
began with the opening of the break valve. Also the ECC line valve and the cold leg PBL valve
were opened simultaneously. Condensation of steam in the CMT was observed in all
experiments.

In the calculation of the GDE01, there were five rapid pressure peaks against the measured one
at 1860 s, Fig 3. The experiment was terminated after this. It was found that changing the
maximum time step had an effect on the peak appearance. On the other hand, RELAPS changed
the flow chart from vertically stratified flow to bubbly flow in the CMT at the initiation of
condensation. Also the pressure of the pressurizer, the ECC flow and the vapor content of the
upmost CMT node increased at the condensation initiation.

The best approximation for the condensation induced pressure peaks was achieved in the
modelling of GDE03 experiment, where also the oscillatory period after the condensation was
modelled, Fig 4. However, there were extra pressure peaks also here.

6. EXPERIMENTAL RESULTS FROM THE SECOND TEST SERIES

In the second series of experiments condensation behavior differed a lot from that observed in
the preliminary tests. As the ECC flow in the first tests stopped totally several times because of
rapid and very short condensations there was now only one condensation phase which lasted
much longer. Good reproducibility was achieved in GDE11 and GDE12 test. The CMT
pressures in GDE11 and GDE12 tests are shown in Fig. 5. In both experiments there was a
condensation phase starting at about 1700s and lasting for 300s.

226
 40

35

30 EXPERIMENT
g.
LU
25
OC
13 20
CO
CO
UJ 15
oc
Q_
10
5
0
500 1000 1500 2000

TIME [s]

Fig. 3. The CMT pressure in GDE01

40

35

30 EXPERIMENT
ça
.Q
25
LU
oc
^ 20
CO
CO
UJ 15
OC
Q_
10

0
500 1000 1500 2000
2500 3000

TIME [s]

Fig. 4. The CMT pressure in GDE03

The operator activated primary system depressurization in stages affected to the total collapse
of the vapour space, because in the GDE13 test there were three short condensations observed
in the CMT, Fig. 6.

227
 3000

Fig. 5. The CMT pressures in GDE11 and GDE12 tests

§
I

2000

Fig. 6. The CMT pressure in GDE13

The first condensation was already at t= 1100 straight after the depressurization initiation.
Similar period of short condensations were observed in the experiments of first series in both
experiments with or without depressurizations. This behavior was found difficult to model in the
RELAPS analysis of the experiments of the first phase /3/. During the long condensation period
in the GDE11 and GDE12 experiments the water level decreased to the top of core and even
slightly below. The uncovery lasted only a short time and no significant heat-up in the core was
found. In the GDE13 and GDE14 experiments no core uncovery was found.

A very steep vertical temperature gradient was formed inside the CMT in all tests. Fig. 6. shows
that the temperature difference just before the condensation in the GDE11 experiment was 180
K in a water layer 0.15 m thick (the thermocouple numbering corresponds to that shown in Fig.
2.).

228
An effort for preventing the rapid condensation was done by carrying a thick, insulating level
of hot water to the CMT with a natural circulation loop formed between the CMT and the
primary system via the cold leg PBL and ECC line. For this reason the water level in
pressurizer was set high and a small break size was chosen at the GDE14 test initiation. This
natural circulation phase of the CMT was also in the ROSA-V/LSTF experiment /4/. With these
preconditions a short natural circulation phase was then observed in the GDE14 experiment.
However, this natural circulation phase was not effective enough to form a sufficient layer of
hot water in the CMT. In PACTEL the total water volume above the CMT is small since there
are horizontal steam generators.

GDE11_PACTEL

1000 1100 1200 1300 1400 1500 1600 1700 1800

Fig. 7. Temperature distribution in the CMT at GDE11 test

7. CONCLUSIONS

No core uncovery was found in any of the tests of the first series. However, the emergency core
cooling flow from the core makeup tank was stopped when rapid condensation collapsed the
core makeup tank pressure. The tank repressurized rather quickly and the emergency core
cooling flow was provided until the next condensation phase.

In the second series of experiments only two of the three loops of the facility were used as in
the first series of experiments all the loops were active. The break was now located to the cold
leg and two different break sizes were used. In one of the tests both the primary system and the
secondary system were depressurized. In all the four experiments performed steam was flowing
into the CMT and then later condensed to the cold water of the CMT. There were striking

229
changes in the vertical temperature gradient of the CMT. It was experienced that condensation
was then initiated easily by steam or water flow from the PBLs as the steep stratification in the
CMT was broken. Especially the changes in water level in the pressurizer seemed to be
responsible for most of the condensation periods.

We have also simulated the first five gravity driven core cooling experiments with
RELAP5/mod3.1. The comparison of calculations and experiments show a good agreement both
in magnitude and time of occurrence for most of the different physical events. The main
observed discrepancy was due to limitations in the RELAPS code to accurately predict rapid
condensation in the CMT. The most critical aspect in the calculational results was that the
appearance of condensation was dependent also on computational features, such as the time step
and the nodalization.

Condensation of steam in the CMT could be avoided with some technical arrangements in the
test facility. However, even though improvements were made to gravity driven ECC systems,
we cannot guarantee that current computational models will provide accurate answers.
Therefore, to build this confidence more experimental data has to be obtained and new
computational models developed.

REFERENCES

/!/ T. Kervinen, V. Riikonen, J. Kouhia, "PACTEL, Facility for Small and Medium Break
LOCA Experiments," Proceedings of ENC'90 Conference. European Nuclear Society, Lyon,
France, September 23-28, 1990

fil Munther, R., Kalli, H., Kouhia, J., Kervinen, T. Passive core cooling experiments with
PACTEL facility. ENS TOPNUX'93, Haag, Netherlands, April 25-28, 1993.

/3/ Munther, R., Vihavainen, J., Kalli, H., Kouhia, J., Riikonen, V., RELAPS analysis of gravity
driven core cooling experiments with PACTEL. ARS'94, INTL topical meeting on advanced
reactor safety, Pittsburgh, USA, April 17-21, 1994. ISBN 0-89448-193-2.

/4/ T. Yonomoto, Y. Kukita, Y. Anoda, "Passive Safety Injection Experiment at the ROSA-V
Large Scale Test Facility," Proceedings of the ANS National Heat Transfer Conference, p. 393,
American Nuclear Society, Atlanta, Georgia, August 8-11, 1993.

230
 ALPHA - TBE LONG-TERM PASSIVE DECAY HEAT REMOVAL
AND AEROSOL RETENTION PROGRAM

S. GÜNTAY, G. VARADI, J. DREIER XA9743172

Paul Scherrer Institute,
Switzerland

Abstract

The Paul Scherrer Institute initiated the major new experimental and analytical program ALPHA in
1990. The program is aimed at understanding the long-term decay heat removal and aerosol
questions for the next generation of Passive Light Water Reactors. The ALPHA project currently
includes four major items: the large-scale, integral system behavior test facility PANDA, which
will be used to examine multidimensional effects of the SBWR decay heat removal system; an
investigation of the thermal hydraulics of natural convection and mixing in pools and large volumes
(LINX); a separate-effects study of aerosol transport and deposition in plenum and tubes (AIDA);
while finally, data from the PANDA facility and supporting separate effects tests will be used to
develop and qualify models and provide validation of relevant system codes. The paper briefly
reviews the above four topics and current status of the experimental facilities.

I Introduction
The Paul Scherrer Institute has recently initiated the major new experimental and analytical
program ALPHA Advanced Light Water Reactor Passive Heat Removal and Aerosol Retention
Program), which is aimed at understanding the long-term decay heat removal and aerosol questions
for the next generation of Passive Light Water Reactors. The ALPHA project currently includes
four major items: the large-scale, integral system behavior test facility PANDA (Passive
Nachwaermeabfuhr und Druckabbau Testanlage; a separate effect test facility LINX (Large Scale
Investigation of Natural Circulation and Mixing) for an investigation of the thermal hydraulics of
natural convection and mixing in pools and large volumes; a separate-test facility AIDA (Aerosol
Impaction and Deposition Analysis) for the aerosol transport and deposition in plena and tubes;
while finally, data from the PANDA facility and supporting separate effects tests will be used to
develop and qualify models and provide validation of the relevant system codes.
This paper presents the design concepts and scaling rationale used to define the PANDA facility,
and briefly reviews the separate effects programs LINX and AIDA. The supporting system
calculations for PANDA are being used to understand the behavior of the facility, relate this to
similar calculations for the relevant full scale reactor.

H PANDA - An integral Containment Simulation Facility

HA Introduction

A good understanding of the behavior of the relatively novel containment concepts proposed for the
future advanced passive LWRs is of importance when assessing their safety. These concepts rely on
natural circulation cooling modes; their long-term behavior includes the mixing of steam and non-
condensable gases, condensation of such mixtures in parallel condenser units, large open tanks and
water pools, and the mixing of fluids in large pools, air volumes, etc. Integral containment system
behavior may exhibit multi-dimensional effects, due, for example, to incomplete mixing and
varying modes of operation of parallel units. The PANDA facility has been designed to address
such questions at a relatively large scale.

231
The PANDA facility consists of a 1.5 MW steam source and a number of large pressure vessels,
typically 4 m in diameter and 8 m high, which can be interconnected by external piping and may
contain internal structures, representing the various compartments of a variety of reactor
containments. The vessels are fitted with instrumentation to measure fluid temperatures, levels,
pressures and flows as well as steam and gas concentrations.
Currently the PANDA facility is to be used to examine multidimensional effects for the General
Electric Simplified Boiling Water Reactor (SBWR) decay heat removal system. The SBWR utilizes
two types of condenser units (Fig. 1) to remove the reactor decay heat, following a Loss-Of-
Coolant Accident, from the reactor containment to an outside water pool. First, there are three
Isolation Condensers (1C) connected to the reactor primary system, which are to remove the decay
heat during a reactor isolation at full pressure. The PANDA facility includes scaled models of these
units to investigate their behavior during an accident; it will not, however, simulate their high
pressure, reactor isolation, decay heat removal function. Second, there are, currently, for the SBWR
and PANDA, three low-pressure condenser units connected direcdy to the reactor containment
(Drywell), referred to as Passive Containment Coolers or PCC units. The experimental facility
PANDA will examine, on a large scale (1/25 volumetric), the system, interactions between the
multiple condenser units, and their heat removal capacity in the presence of non-condensable gases
such as nitrogen and helium (as a simulant of hydrogen). The PANDA system behavior tests will
extend the data base of previously performed experiments [2] to a much larger scale, study the
interaction between the various PCC and 1C units, and provide verification of integral system
behavior under a variety of conditions.
The PANDA simulation of the SBWR (Fig. 2) consists of a representation of the reactor pressure
vessel (RPV), reactor containment (Drywell) and suppression pool (Wetwell), as well as the
Isolation Condenser and Passive Containment Cooler units and their associated water pools.
Finally, condénsate will be collected in a "condénsate catch tank" simulating the Gravity Driven
Cooling System (GDCS) pool in the SBWR. The PANDA facility is already constructed. The
commissioning tests are near completion. An experimental test matrix is defined with the aim to
provide necessary information for the US-NRC's certification process.

ÜB General Guidelines
Early during the conceptual design phase of the facility, it was recognized that it is neither possible
nor desirable to preserve exact geometrical similarity between the reactor containment volumes and
the experimental facility. On the other hand, multidimensional containment phenomena such as
mixing of gases and natural circulation between compartments may depend on the particular
geometry of the containment building. The general philosophy followed in designing the
experimental facility was to allow such multidimensional effects to take place by dividing the main
containment compartments in two and by providing a variety of well-controlled boundary
conditions (e.g. imbalances) during the experiments, so that the various phenomena could be
studied parametrically under well-established conditions, and a behavior envelope of the system
established. Carefully conducted parametric experiments can also provide more valuable data for
code validation than attempts to simulate geometrically, but to an insufficient degree, the rather
complex reactor system. Boundary conditions and the behavior of the interconnections between the
various containment volumes can be controlled externally by software to study various system
scenarios and alternative accident paths.
Beyond the general considerations stated above, in designing the PANDA facility and, in particular,
the main vessels, the following general guide lines were followed:
- Full vertical height should be preserved, to correctly represent the various gravity head driving
forces.

232
 Reactor Vent Passive Vent
outside outside
solution reactor Containment reactor
building Cooling building

Non-condensible vent
Dryweii /^~^?{(
Steamy DPVl \

MSÎV GDCS
line
Reactor M- Reactor
vessel vessel

• Three 33.3%i
units
Three 50%
units • Passive
Passive Suppression
operation
operation pool

to
Figure 1 SBWR Isolation Condensers and Passive Containment Coolers
 PANDA SBWR

10 -
Suppression Suppression
Chamber "" Chamber

Scaling :
Height 1 :1
Volume 1 : 25
Power 1 : 25

Figure 2 SBWR Containment and PANDA Comparison

234
- The system should be modular and use simple interconnected cylindrical vessels to simulate
possible 3-dimensional effects in the SBWR annular geometry.
- Volumes should be minimized to the extent compatible with the preservation of the scaling
factor chosen and the system behavior.

- The power-to-volume scaling ratio should be preserved and should be as large as practically
possible.

- The experiments will be conducted under reactor pressure and temperature conditions. (The
facility is designed for nominal operation at 10 bar and 180°C).

Figure 3 shows the current geometrical arrangement of the proposed PANDA facility with two
interconnected Drywells, two interconnected Wetwells, the reactor pressure vessel (RPV), and a
tank (GDCS Pool) to collect the steam condénsate prior to returning it to the RPV. It was decided
to represent the SBWR Drywell and Wetwell with two units in the PANDA facility, in order to
better examine, in a systematic manner, the possible spatially non-uniform mixture of nitrogen and
steam flowing through the condenser, 1C and PCC units. It was considered necessary to be able to
investigate the venting and purging of each of the condenser units for different mixtures of
nitrogen and steam flowing into the venting of uncondensed steam, under such asymmetric
conditions. The volumetric scaling of the PANDA facility shown in Fig. 3 is 1/25. Figure 2 shows
the elevations of PANDA relative to those of the SBWR containment All the SBWR heights are
represented except those below the top of the active fuel (TAF). The argument for reducing the
facility height by eliminating the fluid below the TAF was that this liquid is essentially inactive and
is not required to correctly simulate the gravity heads. Similarly the large volume of water which is
present at the bottom of the Wetwell and is only functional during reactor blowdown phase is not
considered in the PANDA simulation since PANDA simulates the SBWR transients after this phase
is over. Therefore, for a given facility budget it was considered preferable to eliminate these two
volumes from each unit, and also to examine the energy deposition and distribution in the Wetwell
pool, resulting from PANDA and so increase the overall scale of the facility. Eliminating dead
volumes also decreases preconditioning times and fluid inventories and increases experimental
flexibility.

H.C Scaling: The 1C and PCC Condenser Units

The 1:25 scaling factor chosen for the PANDA facility is, of course, a compromise between several
factors. On the one hand there is the requirement to keep the PANDA vessels within a manageable
size and cost, while at the same time the desire is to construct as large a facility as possible, to
provide a meaningful basis for extrapolation from the previous 1:400 scale Isolation Condenser
decay heat removal experiments [2] to the full reactor scale. A critical factor that led to the choice
of a 1:25 scale was the requirement that the condenser unit secondary side behavior should be
representative of the units to be used in the SBWR. Figure 4 provides a schematic of a condenser
module; there are two such modules per condenser unit in the SBWR (see [3] for more details). We
can also see in Fig. 4 how it is possible to construct a unit at the PANDA scale by taking a slice
from an SBWR condenser. Having made the decision to fabricate the PANDA condensers from a
slice of the SBWR units, the only question then is how wide this should be, and Fig. 4 and
show/how a 3-tube-wide slice corresponds to a scale of 1:25. This is the minimum width that will
permit some tubes to be totally surrounded by other tubes. In all other respects (height, pitch,
diameter, and wall thickness) the PANDA condenser tubes are identical to those to be used in the
SBWR.

Adopting the above procedure for the 1C produces a single unit in PANDA that has two
times the tube area, at the 1:25 scale, of that of an SBWR 1C. This means that the PANDA

235
 25 -, r? i
I J««-2«"1 Scaling :

m]" Height 1 : 1
22.0m IC / FCC Pc10l Volume 1 : 25
t
V ——————————————r Power 1 : 25
V = 4 x 1 5rn
l
19.8m
20 - 1 v i
' i ^
""T—X
Dry well 1 Drywell 2

V = 90m 3 (aDCSJ V = 90m3

Pool l
D - 4.0m D^= 4.0m
15 -
.

1
{_t __t,__ . ___ _J

^
——
«
-—3- i
i
V=17.6m
i
j
11.7m

l , Building
i
i
10 -
Suppression ' Suppression
Chamberí ^ ._. ——\ —— ._A Chamber 2
« J
V = 117m3 RPV
V = 117m3
3
D0= 4.0m = 22.8m D0= 4.0m
= 1.25m
l o i
NWL <-6 rn i NWL4.6m
5
- r*- y
TT

i "<—p) 1

.
i
i
!

.
1.0m TAF
v ^^ ! ^^ nr
i» p
0 -"> /l/V V /
ut
/ 7-X-xT7-/T"~ HI
i / '•/ / / 7 7 / / /!/ / / /
/ • /
0 5 / 10 15 [m]
/
y ...

Figure 3 PANDA Experimental Arrangement

236
 Steam Scaling:
Supply
Line 1 : 25 for number of tubes
1 :1 for tube height
Upper Drum diameter and
spacing
Wall Sheet

m
Tube OD <= 50.8 mm
number = 20
Y
A A

-Tube Bundle
, PANDA PCC
nil
consists of a
Lower Drum slice of the
•Vent Une
SBWR PCC
Drain
Une

Section A-A Baffle Plate

Figure 4 PANDA and SBWR Condensers

237
 facility has four condenser units, three equivalent to the three SBWR PCC and one equivalent
to three SBWR ICs.
HD The PANDA Vessels and Power Source
A schematic of the PANDA vessels is given in Fig. 3 while anisometric view is shown in Fig. 5.
As a example of the application of the general guidelines stated above, as well as of other
secondary considerations, the design of the PANDA Wetwell vessel is outlined as follows:
- In order to preserve the pressure response of the entrapped non-condensable gas, it is necessary
to scale the net Wetwell vapor space.

Suppression
Chamber 1
Suppression
Chamber 2

+ r
"o
Figure 5 Isometric View of PANDA Vessels

238
- To have a correct representation of the evaporation/condensation processes at the pool surface, it
is necessary to correctly scale the total Wetwell pool surface area.
- To provide a representative volume of water with which the uncondensed steam vented into the
suppression pool can mix; the water pool depth must extend sufficiently below the condenser
vent line. The suppression pool depth was also required to be large enough to accommodate at
least the topmost main (horizontal) vent and the Wetwell-to-RPV equalization line. This was, in
fact, the limiting factor in determining the pool depth.
In this manner it was possible to define the Wetwell dimensions. Similar procedures were also used
to define the Reactor Pressure Vessel (RPV) and Drywell. In the case of the Drywell, the most
important parameter to scale (for a well-mixed system) is the total volume, since this and the power
level determine the venting time of the Drywell nitrogen to the PCC units.

The lower part of the Drywell volume surrounding the RPV was not included in the height of the
PANDA Drywell volume, since it was felt that possible natural circulation phenomena taking place
in this annular volume (heated on one side by the RPV) could not be adequately modeled. The
volume of the annular space was, however, included in the PANDA Drywell volume.
For ease of construction it was considered desirable to have the Drywell and Wetwell tanks of the
same diameter. Not all processes, and in particular the detailed mixing of the nitrogen and the
steam from the RPV in the Drywell and the mixing of the uncondensed steam with the suppression
pool water, can be accurately simulated in a scaled facility such as PANDA. In these instances
separate effects studies, both experimental and analytical (see Section 3), will be used to guide
parametric studies in the PANDA facility.

For example, nitrogen may be injected into the Drywell to simulate the slow convection of trapped
nitrogen from a compartment with a restricted connection to the main Drywell.
The last two vessels shown in Figs. 2, 3 and 5, are those of the condénsate catch tank (labeled
GDCS pool) and the IC/PCC water pool. The requirements for these two vessels are somewhat
different from those of the RPV, Drywell, and Wetwell. For example, for the PANDA IC/PCC
water pool, in addition to providing sufficient water to keep the condenser tubes covered for a
reasonable time (say 24 hours), the main requirement was one of flexibility. An element of the
design was the requirement that the IC/PCC units could be re-configured in as many ways as
possible, to follow possible changes in the SBWR design, without major impact on the program
cost and/or time schedule. Also, there was a requirement to have the capability of re-filling the
pool, during the course of an experiment, with water at different temperatures, in order to examine
a variety of possible SBWR long-term depressurisation strategies. As can be seen from Fig. 5, the
IC/PCC pool has four inter-connected compartments and are placed on the roof of the PANDA
building (Fig. 3).

The power to the PANDA facility is provided by electrical heaters placed near the bottom of the
RPV (Fig. 6). The heaters are not designed to represent the reactor core, but are placed so that their
tops have the same relative elevation as the top of the active fuel (TAF) in the SBWR. The power
level required for PANDA was determined on the basis that a PANDA transient would be initiated
after reactor blowdown and follow the emptying of the GDCS water into the RPV. These events are
predicted to occur within one hour of accident initiation and reactor scram, and so the required
PANDA power level was set to be equal to the scaled decay heat one hour after scram. For a 1800
MW reactor, the decay heat after one hour is approx. 24 MW and so, for PANDA, approx. 1 MW
of power is required. In order to provide flexibility of operation, the PANDA heaters have a
maximum installed capacity of 1.5 MW. A controller is provided to follow accurately any given
decay heat curve.

239
n.E Valves, Piping, and other components
The piping configuration of the PANDA facility is shown in Fig. 6, and a number of features of the
design are worthy of explanation.

- All the lines (pipes) are valved to provide maximum flexibility and ease of re-configuring the
system with minimum cost and time delay.

- The schematic (Fig. 6) shows the steam line, drain line and vent Une to each of the condenser
units, and the PANDA simulation of the main (horizontal) vents. The main vents are not be fully
scaled, since they are not predicted to clear during the course of a PANDA transient due to the
small Drywell to Wetwell pressure drop, which results from the fact that the PANDA transients
are not initiated until one hour after scram.
- Also shown are two vacuum breakers, each one connecting one of the two Drywell-Wetwell
vessel combinations. The vacuum breakers are predicted [3]to have a major influence on the
behavior of the PANDA facility and are therefore a critical element in both the design of the
SBWR containment and PANDA. Programmable control valves are therefore used in PANDA to
simulate the SBWR vacuum breakers; this will allow a variety of SBWR vacuum breaker
designs to be tested with only software, rather than hardware, changes.
Finally, Fig. 6 shows the water and gas supply Unes that are used to initialize any given PANDA
experiment Sufficient flexibility is built into the facility to investigate the effect on the transient
behavior of, for example:

- A variety of suppression pool water temperature distributions, e.g. weU mixed, stratified,...
- Water pools in the Drywell to simulate liquid line breaks, e.g. GDCS or 1C return line breaks.

- A variety of IC/PCC water pool temperature distributions.

n.F Heat Losses and Heat Capacities

Major factors that can influence the behavior of a small scale test faculty, in comparison to the
reactor, are the relative magnitude of heat losses and system heat capacities. In a wide range of
integral test faculties it has been necessary to go to significant sophistication, including the use of
guard heaters, to reduce heat losses to an acceptable level. In general, heat losses increase in inverse
proportion to the scale of the facility, as the surface area to volume ratio increases at smaller scales.
In this respect, PANDA at 1:25 scale is in a relatively good position. In addition, test facilities may
have extra heat losses associated with additional valves, instrument penetrations, etc. Twa design
goals have been set for the PANDA facility:

- The heat losses, at all times during any transient, should be less than 10% of the prevailing decay
heat level. Initial estimates indicate that this is achievable using commercially available
insulation and that guard heaters are not required.
- All the piping, RPV, Drywell, Wetwell, etc. should be capable of being configured to separately
estimate their individual heat losses, for the range of power levels expected during the course of
a transient.
Heat losses from the SBWR containment during the first 1 to 3 days were evaluated, and found to
be very small i.e. less than 1%. The pipes and the vessels are insulated in order to bring the
experimental heat loses to the values found for the SBWR.

240
 FCC Steady State Supply
l————— ————————l
Í 1C PCC PCC PCC

1C Pool— -PCC Pool

IC-Drain
PCC 3 Vent

PCC 1 Vent PCC 2 Vent

—Í
Break Line \j i rV
PCC
Près
IC-Supply ic PCC1 Equ PCC2 PCC 3
Vent Supply Une Sup. Supply

U [TU
i i

Safety
I Valves GDCS Pool
ÍLJ
GDCS
Drain

-ÍX3- -X- Drywel! 1 Drywell 2

MSL Main MSL
2 Steam 2
RPV Line 1

VB, VB
BP Vacuum BP
VB¡
Breaker

Main
Vent
ÍE _ _J Mai
Main
Vent

Suppression Suppression
Riser -Down- Chamber 1 Chamber 2
comer

GDCS
Drain

Suppression Suppression
Pool 1 T Pool 2

Electr.
Heater X
Eaualization Line

Figure 6 PANDA Schematic Including Piping Conflguralion

241
HG Instrumentation
For basic types of measurements are made to monitor the behavior of the PANDA facility and to
provide information for analytical code qualification. These are:

- vessel wall, vapor space and liquid temperatures

- absolute and differential pressures, differential pressures to measure water levels
- vapor and liquid mass.

As an example of the number and location of instrumentation to be used, Figures 7 and 8 show the
distribution of the mass flow, phase detectors and oxygen sensors. As can be seen the mass flow
measurements are concentrated in the steam/nitrogen and water pipes.

II.H Initial Conditions

As was described above initial conditions will be established in PANDA equivalent to those in the
SBWR containment about 1 hour after reactor scram. During the first hour of an SBWR transient,
the RPV will blowdown through the depressurisation system, and the emergency core cooling water
in the GDCS will pools drain into the RPV. As the blowdown proceeds a large traction of the
nitrogen in the Drywell will be swept into the Wetwell leaving typically less than 10% in the
Drywell, while the transfer of this nitrogen and the compression of the Wetwell gas space will
raise the pressure to between 2.0 and 3.0 bar.
The following provides an example of the conditions that might be expected at the beginning of a
PANDA transient.

Wetwell Drywell RPV

P™ (bar) 3.0 3.0 3.0
P^ibar) 2.8 0.3 —
TIJO(°C) 60 — —
T SAT (°C) — 130 133.5
Parameter variations of the above will include

- absolute pressure (bar) 2.0 to 4.0

- Drywell Nitrogen fraction (%) 1 to 40
- Wetwell pool water surfaces 30 to 70
temperature (°C)

in The LINX Program

In support of the large-scale integral system behavior PANDA tests, an investigation of natural
circulation and mixing phenomena in single- and multi-phase/multicomponent systems in large
pools will be conducted. This work will rely heavily on the application of Computational Fluid
Dynamics (CFD) tools adapted for multiphase flow and verified against a range of both large- and
small-scale separate-effects mixing and natural circulation experiments to be performed at PSI. The
areas of interest and investigation include the mixing of hot and cold liquids in open pools, the
mixing and energy distribution within liquid pools resulting from the submerged injection (venting)
of steam and gas mixtures, and the mixing of steam, nitrogen and, possibly, other gases in large,
interconnected volumes.

242
 PCC Steady State Supply
I————— ————————>

1C Pool-

(C-Drain

PCC 1 Vent
— f •»
Break Linefsxi .,./\j \ f

Près
IC-Supply 1C PCC 1 Eque
Vent Supply Line
i i
^ V
II
I Safety
Valves

txi- Drywell 1
MSI Main
2 Steam
RPV Une 1

Lr
Main
Vent
te „ __jMain
Vent

Suppression Suppression
Riser •Down- Chamber 1 Chamber:
comer

GDCS
Drain

I I
Electr.
Heater
I_____Equalization Line

* For steady state tesîs only

Figure 7 PANDA Instrumentation (Mass Hows/flow indicators)

243
 PCC Steady State Supply
I————— ———————
PCd Kx-v
1C PCC KV»|

1C Pool- — PCC Pool

IC-Drain
ff
££/
PCC 3 Vent

PCC 1 Vent PCC 2 Verft

Break Line •\-i t r^ -txj-
PCC
Près

un
IC-Supply |C PCC 1 Equí PCC2J PCC 3
Vent Supply Line Sup. Supply

îiî
i i \ 4 5 :
4 V
XX
Safety
Valves
GDCS Pool

GDCS
Drain

Drywell 1 Drywell 2
Main MSL
Steam 2
RPV Line 1

VBr VB
p
J? l> fC\ Vacuum P
VB
Breaker

Main
linl I Main
Vent Vent

ssion Supp>resi
Riser — Down- ber 1 Chs mbe
comer

GDCS
r~~m Drain
u rain
i
i
i

Electr.
Heater X
| Equal.zation Line

Figure 8 PANDA Instrumentation (Phase detectors and oxygen sensors)

244
In particular, this program of work will support the PANDA experiments and provide additional
help in scaling the PANDA results to the SBWR, in two broad areas. These are: the condensation
and mixing of the uncondensed steam that flows into the suppression pool from the 1C and PCCs,
and the mixing of steam and nitrogen in the Drywell. In the first of the two areas described, there
are several phenomena that will need to be investigated separately. For example, there is the
condensation of the steam initially in the presence of the non-condensable gas (nitrogen), and then
there is the mixing of the resultant hot water with the bulk of the suppression pool as the hot water
rises in a narrow buoyant plume to the pool surface. An initial investigation of the last of these
effects was initiated at PSI [4]with the performance of some small-scale thermal plume mixing
experiments. Figure 9 shows both a schematic of the plexiglas tank and electrical heater used in
these experiments, and examples of the resultant rise in the water temperature as the water heated
by the electrical heater rises in a very narrow plume to the pool surface and then spreads down in a
1-dimensional manner as the hot water replaces the cold water entrained in the rising plume. The
LINX facility, schematically shown in Figure 10, composed of a large pressurized tank, a complex
piping system for non-condensable gas and steam injection and a comprehensive data measurement
and acquisition system, is currently under construction.

IV The AIDA Program

Under severe accident conditions, fission products in the form of aerosols may escape from the
RPV into the various compartments of the reactor containment. It is therefore possible that the
PCC units, which remove the decay heat, may be subjected to aerosols. The possible formation of
an aerosol layer at the tube entrance (reduction of free flow area at the tube entrance) and on the
inside tube surface (reduction of free flow area in the tube) may cause a new flow distribution into
the tubes. This may dynamically change the heat removal characteristics of the system. This change
may appear as a result of a) the number of tubes which are properly active becomes reduced
therefore, b) some of such tubes (reducing in number with time) will continuously receive more
steam than they can condense, and hence, the condenser efficiency may substantially be degraded.
The long-term pressurization of the SBWR containment, following a postulated severe accident,
depends on the continued function of the PCC units, and this in turn on their aerosol behavior. The
goals of the AIDA program are to:
a) Experimentally determine the degree of PCC condensation degradation in the presence of
aerosols.
b) Investigate aerosol behavior in the upper dome.
c) Investigate aerosol behavior under strong condensation in condenser tubes.
d) Investigate aerosol transport out of the condenser unit with the condansate and non-condensable
gas flow.
e) Provide the basis for the development of a physical model for aerosol behavior and its effects on
the thermal-hydraulics in the PCC units.
A versatile and multiple purpose aerosol testing facility was constructed at PSI in conjunction with
other aerosol programs. Two plasma torches, two reaction chambers, a mixing tank, steam and non-
condensable supply systems are the main components of the facility. The system is computer
controlled and can produce aerosol particles at a desired steady mass flow rate and concentration.
The particles are carried with a carrier gas, composed of steam and non-condensable gas at a
desired composition. The plasma torches used for aerosol generation produces aerosol particles
composed of up to three components from Csl, CsOH and MnO or SnGj with a maximum
concentration of 20 g/m3. Experiments can be performed with 0 to 95% steam to total gas (steam
and non-condensable) ratio, a steam flow rate of up to 250 kg/hr and non-condensable gas flow rate
of up to 280 kg/hr and a system pressure of up to 5 bar.

245
 iï
,— ////
Injection >. Recorde
tube ^ // //
10 - 21 mm

tttl

3 ) 50 so so
\J
TC4-
H —r
^ —— t::
I 0
•& i i
4% j

L
* TC3— ^~^ Wa

1
«AU >-
(A(
•o 400
m
POW sr supply
-^

1
n- 4. Healer
He« Q .„«-1200W

i i-
•~,
o
U, o
OJ
~ ^^~~~-- Hot
Hotwater injection

iii
Thennocouple
arraj'(12 TC) Thermocouple
The array { 4 x A TC}
-TC1 -•-- }
o
o
*~

Measured Water Temperature Distribution

Water Temperature Increase after
60 min. 120 min. 240 min. 360 min.
1
AT(-C) ¿T ('O AT(-C) i AT('C)
i
600
V T7 i V

18
1 ir

11JS i
i
11
i 22
500 1
I7 i
10 1
7 16 i 2Í
E -<oo 8 20
1 = 14 i
S
z
\ to \ 16
i 1 4 \
300 8
_g> 1
0 i
X 2
0 ¡
j
O 200 0
i
i
i
100 ¡
i
i

O 100 200

Distance x ( mm ] Heating Power = 300 W

Figure 9 Mixing Experiments; Facility and Results

246
 Pressure regulation vent

Pressure Vessel

, Windows for
visualisation

Heating and
Cooling Exchangers

i—£ kxfr°

Figure 10 LINX Experimental Arrangement

A slice of the SBWR's PCCS condenser unit, containing full height 8-tubes, full diameter lower
and upper dome was constructed. Figure 11 schematically shows the main components of the AIDA
facility. Figure 12 presents the AIDA condenser unit. The AIDA condenser tubes are either made of
glass or steel. The glass tubes are intended mainly for the visualization of the phenomena. The
tubes are heavily instrumented with thermocouples to measure the gas and wall temperatures as
well as the heat flux across the tube wall. The coolant channel, surrounding the tubes contain glass
windows to facilitate visualization of the possible aerosol deposition-transport phenomena in the
glass tubes. The water which is flowing in the coolant at a desired small velocity and at a predifined
temperature of up to 80 °C simulates the heat transfer conditions expected to occur in the PCCS
pool. The condensed water is collected in a tank (Condénsate tank) simulating the GDCS pool. The
non-condensable gas and uncondensed steam flow in a tank (Scrubber tank) which condenses the
steam and scrubs the aerosol particles carried with the steam-gas flow. The condénsate which is
produced in Scrubbing tank is collected in another tank (Collection tank). Scrubbing and Collection
tanks simulate the behavior of the Wetwell. The pressures in the condénsate and collection tanks

247
oo Steam + G.ib
f r o m Containment
Drywoll

Condeiibor
PCC

PCC-Pool

Suppression Pool GDCS Pool

"Wetwell"
AIDA

Figure 11 Schematic representation of SB WR and AIDA Test Rig

 912

-nil &•
il
—— 1 Ir I

-il : .IF-
\tf\

280

±. !

Figure 12 AIDA Condenser

are regulated to obtain the system pressure which simulates the Drywell and Wetwell pressures.
The facility is instrumented with several devices to provide information on a) energy transfer due
to steam condensation in and outside of the condenser, b) steam mass balance due to steam
condensation in and out of the condenser, c) aerosol mass balance. The instruments provide
on-line data on thermal-hydraulic behavior. The data is displayed on a computer screen to
continuously monitor the system response with or without the presence of the aerosol

249
particles. The aerosol instrumentation comprises of a) off-line devices, like filters,
impactors, and deposition coupons and b) on-line devices, like, photometers, ion detection
devices. A special data acquisition system is developed. Commissioning phase is close to the
completion. A test matrix is prepared.

V Summary and Conclusions

The major new experimental and analytical program ALPHA initiated at the Paul Scherrer Institute
has been briefly described. This program is aimed at understanding long-term decay heat removal
and aerosol questions for the next generation of Light Water Reactors. The ALPHA project
includes four major items: the large-scale, integral system behavior test facility PANDA; an
investigation of the thermal hydraulics of natural convection and mixing in pools and large volumes
(LINX); a separate-effects study of aerosol transport and deposition in plena and tubes (AIDA);
while finally, data from the PANDA facility and supporting separate effects tests will be used to
develop and qualify models and provide validation of relevant system codes.
PANDA consists of a 1.5 MW heat source and a number of large pressure vessels that can be
interconnected by external piping to represent a variety of reactor containments. In the first
instance, PANDA will be used to simulate the response of the SBWR containment to a Loss-Of-
Coolant Accident. PANDA represents a 1/25 volumetric scale, the SBWR RPV, Drywell, Wetwell,
and condensers. The PANDA facility has been designed to capture the asymmetric behavior of the
various 1C and PCC units, arising from the non-uniform spatial distribution of non-condensable
gases, and their influence on the condensation process. It therefore uses two large tanks to represent
the SBWR annular geometry of the Drywell and Wetwell. The facility is erected and is in
commissioning phase. A test matrix has been designed to aid General Electric to provide data for
the SBWR certification process.
It is recognized that no scaled experiment can possibly provide a perfect simulation of all aspects of
the physical behavior of a full scale system. In response to this, and to the fact that two areas of
particular importance in determining the SBWR containment pressure are the mixing of the
nitrogen (and other non condensable gases) and the steam in the Drywell and the mixing of the
uncondensed steam flowing into the Wetwell water pool, a companion, separate-effects program
(LINX) was also initiated. LINX comprises both small- and large-scale experiments and analytical
work, using simple 1-dimensional methods and 3-D CFD codes, to investigate natural circulation
and mixing, of single- and multi-phase/multicomponent systems in large pools. The facility is
currently under construction.

Under severe accident conditions, fission products in the form of aerosols may escape from the
RPV into the various compartments of the reactor containment. It is possible that the PCC units
which remove the decay heat, may be subjected to aerosols. The possible formation of an aerosol
layer at the tube entrance (reduction of free flow area at the tube entrance) and on the inside tube
surface (reduction of free flow area in the tube) may cause a new flow distribution into the tubes.
This may dynamically change the heat removal characteristics of the system. This change may
appear as a result of a) the number of tubes which are properly active becomes reduced therefore,
b) some of such tubes (reducing in number with time) will continuously receive more steam than
they can condense, and hence, the condenser efficiency is reduced. The long-term pressurization of
the SBWR containment, following a postulated severe accident, depends on the continued function
of the PCC units, and this in turn on their aerosol behavior. The AIDA program is being set up to
investigate these phenomena using a scaled down PCCS condenser, associated collection tanks
simulating GDCS pool and the Wetwell and the existing aerosol generation facility. The facility is
erected and is in commissioning phase.
In conclusion, it is considered that the various elements of the ALPHA program will greatly
enhance the understanding of the response of the SBWR containment and other similar concepts to

250
Loss-Of-Coolant and other accidents, and will provide a large-scale experimental facility that can
be used for similar studies of other reactor systems.

REFERENCES

[1] P.Coddington, 'A TRACG investigation of the proposed Long Term Decay Heat Removal
Facility PANDA at the Paul Scherrer Institute, Switzerland', Paper submitted to NURETH 5
(September 1992).

[2] S. Yokobori, H. Nagasaka, T. Tobimatsu, 'System Response Tests of Isolation Condenser

Applied as a Passive Containment Cooler1, Proc. 1st JSME-ASME Int. Conference on
Nuclear
and

H. Nagasaka, K. Yamada, M. Katoh, S Yokobori, "Heat Removal Tests of Isolation

Condenser Applied as a Passive Containment Cooling System1, Proc. 1st JSME-ASME Int.
Conference on Nuclear Engineering (ICONE-1), Tokyo (November 1991).
[3] M. Brandani, F.L. Rizzo, E. Gesi, and A.J. James, 'SBWR - 1C and PCC Systems : An
Approach to Passive Safety1, AEA Meeting, Rome (1991).

S1EXT PA^E(S) I
left BLAÍÍK I 251
 CORE MELT RETENTION AND COOLING XA9743173
CONCEPT OF THE ERP

H. WEISSHÄUPL
SIEMENS/KWU
Erlangen, Germany

M YVON
Nuclear Power International,
Paris, France

Abstract

For the French/German European Pressurized Water Reactor (EPR) mitigative

measures to cope with the event of a severe accident with core melt down are
considered already at the design stage.
Following the course of a postulated severe accident with reactor pressure vessel
meltthrough one of the most important features of a future design must be to
stabilize and cool the melt within the containment by dedicated measures. This
measures should - as far as possible - be passive.
One very promising solution for core melt retention seems to be a large enough
spreading of the melt on a hightemperature resistant protection layer with water
cooling from above. This is the favorite concept for the EPR.
In dealing with the retention of a molten core outside of the RPV several "steps"
from leaving the RPV to finally stabilize the melt have to be gone through. These
steps a re
- collection of the melt
- transfer of the melt
- distribution of the melt
- confining
- cooling and stabilization
The technical features for the EPR solution of a large spreading of the melt are:
- dedicated spreading chamber outside the reactor pit (area about 150 m?)
- high temperature resistant protection layers (e. g. Zirconia bricks) at the
bottom and part of the lateral structures (thus avoiding melt concrete
interaction)
- reactor pit and spreading compartment are connected via a discharge channel
which has a slope to the spreading area and is closed by a steel plate, which
will resist the core melt for a certain time in order to allow a collection of the
melt
- the spreading compartment is connected with the In-Containment Refuelling
Water Storage Tank (IRWST) with pipes for water flooding after spreading.
These pipes are closed and will only be opened by the hot melt itself.
It is shown how the course of the different steps mentioned above is processed
and how each of these steps is automatically and passively achieved.
Finally a short overview of research areas to be addressed and a priority list of
analytical and experimental support together with typical analytical and first
experimental results are presented.

253
1 Introduction
The Defense-in-depth concept of safety has led to a very high safety standard for
nuclear reactors. Great emphasis has been laid in improving features and
measures for severe accident prevention. But nevertheless additional features to
cope with the consequences connected to severe accidents with core melt down
are discussed for future nuclear reactors. For the French/German European
Pressurized Water Reactor (EPR) measures for mitigation of severe accidents are
considered already at the design stage.
To cope with the consequences of a severe accident means to deal with different
phenomena which may threaten the integrity of the containment or may lead to
an enhanced fission product release into the environment (see fig. 1). Following
the course of a postulated accident with core melt down and reactor pressure
vessel melttrougn one of the most important features of a future design must be
to stabilize and cool the melt within the containment by dedicated measures. This
measures should - as far as possible - be passive.
A lot of different concepts for retention and stabilization of the core melt has
been investigated in the recent years by the cooperative partners of the EPR. The
basic concept proposed is the spreading of the melt on a large area outside the
reactor pit (see fig. 2), covered with a high-temperature resistant protection layer

SEVERE ACCIDENT PROGRESSION

WITH CORE MELTDOWN

CORE DEGRADATION/ - MELT DOWN BEHAVIOUR

:OLLECTION WITHIN RPV
- IN-VESSEL-STEAM EXPLOSION
1f

RPV FAILURE/ - REACTOR VESSEL PENETRATION

EJECTION FROM RPV - DIRECT CONTAINMENT HEATING
- EX-VESSEL-STEAM EXPLOSION
if
EX-VESSEL CORE MELT CORE MELT RETENTION
BEHAVIOUR (Core-Catcher)____ ___

4 f

HEAT REMOVAL PRESSURE AND TEMPERATURE

FROM CONTAINMENT INCREASE CONTAINMENT

HYDROGEN GENERATION/
HYDROGEN RELEASE DISTRIBUTION/COMBUSTION

FISSION PRODUCT RELEASE FISSION PRODUCT RELEASE AND

TRANSPORT (SOURCE TERM)

FIG. 1. Severe accidents: Phenomena to be addressed.

254
to prevent molten core concrete interaction. The cooling of the melt is achieved
by covering it with water from the In-Containment Refuelling Water Storage
Tank(IRWST).
In choosing a concept for melt retention one has to be aware that the measures
taken shall be in good compliance with the overall design features of the plant
and with normal operational needs and that the different mitigation measures

FIG. 2. ERP Icy out for spreading and stabilization of core melt.

255
implemented are not independent from each other. Further on the retention
device should as far as possible be simple in construction, to minimize the physical
and technological problems connected with it. This (mostly) guarantees at the
same time that the costs will stay within reasonable limits.
2 Technical Features
The basic concept for the core melt retention and stabilization proposed for the
EPR is the sprading of the melt on a large area outside the reactor pit and cooling
from above with water. The main characteristics of the concept are the following
(fig. 2):
- dedicated spreading area of about 150 m?
- bottom and lateral structures of the compartment have protection layers
designed for thermal and (if applicable) mechanical loads
- reactor pit (with the initial mechanical loads) and spreading compartment are
connected via a melt discharge channel, which has a slope to the spreading
area, and are in the beginning separated by a steel plate (possibly covered
with refractory material), which will be molten after a certain delay time, thus
allowing an accumulation and heat up of the melt.
- the spreading compartment is connected with the IRWST with pipes for water
flooding after spreading; these pipes are closed during normal operation and
accident conditions by plugs which will only be opened by the hot melt itself.
- the produced steam escapes via an open flow channel to the upper
containment compartments
The spreading area is initially dry respectively covered with a very shallow water
layer which can form as consequence of condensing steam on the walls of the
spreading compartment in the case of a Loss-of-Coolant Accident. Thus energetic
melt water interaction during the spreading process is prevented.
Due to the outside arrangement of the spreading area a separation of short-term
mechanical and thermal Toads caused by the reactor pressure vessel (RPV) failure
and the long-term thermal loads caused by the spreaded melt is achieved.
3 Course of the Accident
In designing a core melt retention device one has to look not only at the melt
retention and stabilization capability itself but also at the boundary conditions
arising from the course of the accident - see fig. 3. (So it will, for instance, be
important to know how the composition and constitution of the melt in respect
to oxidic and metallic mass, its temperature and heat source distribution is.) On
the other hand one has to keep in mind the goals to be f unfilled by the retention
device, namely
- prevention of basemat meltthrough
- limitation of fission product release to the containment
If molten core concrete interaction can be prevented the production of additional
hydrogen and other non-condensable gases is strongly limited, thus giving help to
the hydrogen and pressure build-up mitigation measures.

In dealing with the retention of a molten core outside of the RPV several "steps"
from leaving the RPV to finally stabilize the melt have to be gone through. These
steps are (fig. 4)

256
 Boundary Conditions
from the Course
of the Accident

- scenario analysis
- melt constitution / composition
- RPV failure mode
decay heat level / source distribution

CORE MELT RETENTION

(Core-Catcher)

Concepts to be oriented on

- stabilization/cooling of melt
-integrity of containment
-reduction/limitation of source term

FIG. 3. Severe accident progression with core melt down.

- Collection of the melt

- Transfer of the melt to the retention device
- Distribution of the melt within the retention device
- Confining (retention) of the melt
- Cooling of the melt (by special means)
- Stabilization in the long term
These different steps apply to nearly all retention concepts, one time more one
time less pregnant, and should be covered solely by passive means.
In the following it is shown how the course of these steps is processed for the EPR
and how each of these steps is automatically and passively achieved. In fig. 5 the
accident progression during a large spreading of the melt is indicated.
Core Degradation
As mentioned above the composition and mass of the melt when leaving the
failed RPV deals as boundary condition for the further progress of the melt. The
delay time of RPV failure to the first attack of the hot melt at the RPV bottom
plays a significant role in a first collection of the melting core. Core degradation in

257
 CORE DEGRADATION / COLLECTION WITHIN RPV

RPV FAILURE / EJECTION FROM RPV

COLLECTION z;
TRANSFER O
DISTRIBUTION

1 H £
CONFINING 5
6 £
ce
COOLING
STABILIZATION W O

1
LONG TERM O
THERM./CHEM.IMPACT U

±
HEAT REMOVAL
FROM CONTAINMENT

HYDROGEN RELEASE
FISSION PRODUCT RELEASE

FIG. 4. Ex-vessel core melt behaviour - Phases of core melt retention.

respect to amount and slumping time depends on the scenario contemplated. To

gain more knowledge for this accident phase a broad study using mostly MAAP3.0
for the time until core slumping has been performed for different characteristic
scenarios. The time period from slumping to RPV failure has been addressed by
special investigations.
From a scenario analysis, grouping different initiating events and boundary
conditions during core degradation (e.g. water injection) into seven characteristic
damage states, one can see (fig. 6) that in most cases about 155 to 200 tons of core
melt are to be expected, whereas only in a small number of cases less and even
more (additional mass of core internals, shrouding etc.) has to be reckoned with.
For the further evolution of the accident the kind of RPV failure is of minor
importance since the melt will be collected in the reactor pit. Due to the

258
 Î MELT DOWN
Ê COLLECTION WITHIN RPV

f RPV FAILL1RE
i EJECTION FROM RPV

COLLECTION WITHIN PIT

I TRANSFER/
! DISTRIBUTION

! FLOODING
! RETENTION/COOLING/
STABILIZATION

HEAT REMOVAL
therm./chem LOADS on
PROTECTION LAYER
therm.LOADS ON BASEMAT

FIG. J. Accident progression large spreading of melt.

mitigation concept for high pressure RPV failure prevention the primary pressure
will be in most cases well oelow 20 bar (20 bar taking as layout value for dealing
with RPV failure consequences).
Melt Collection within Reactor Pit
Reactor pit and spreading area are separated by a steel plate closure, covered
eventually by refractory material. This closure has to be heated up and molten
through by the melt, thus giving rise to an additional delay time before the melt is
pouring into the spreading area. This delay time allows to further melt down the

259
 350

300

250

B 200
D met. mass

H oxid. mass
150

100

50

CM1 CM2 CMS CM4 CM5 CM6 CM7

% are estimated Coremelt Group

FIG. 6. Melt propagation scenarios.

Core-melt groups immediately after RPV failure.

core and deliberately collect the melt before spreading in order to cope also with
scenarios where core degradation lasts over an extended period of time, with
greater parts of the core coming down in a later phase, and to increase the
spreading ability of the melt by increasing its temperature. No active measure is
needed for this process.
Spreading of the Melt (Transfer. Distribution)
The reactor pit has one opening for melt discharge to the spreading area. The
melt is guided by a melt discharge channel which has a slope to the spreading
area and is cladded with protective material. The spreading area of about 1 50 m?
has been chosen to ensure complete spreading on the one hand and sufficient
coolability on the other hand. An example for a spreading calculation with the
code CORFLOW is shown in fig. 7. One can see very clearly the quick propagation
of the melt and the sloshing when hitting the opposite wall.
Small scale experiments (1 x 1 m) using 30 to 50 kg thermite of 2200°C have been
performed during Winter 92/Spring 93 (fig. 8). Test series with different surface
conditions (concrete, ceramic protection layer) and different amount of water
present (dry to 40 cm) have shown that even under water a sufficient spreading of
melt is achieved, whereas in some cases an energetic melt water interaction
occurred (water trapped below the melt, e.g. initially wet concrete). For the EPR
the spreading compartment is dry during normal operation, eventually covered
by a very shallow layer of condénsate in case of LOCA as depicted in the previous
chapter.
First spreading tests with 150 kg thermite (80 kg metallic Fe, 70 kg oxidic A^Os)
performed in the frame of the KATS test series at KfK have shown the high
spreading ability of the metallic constituent, whereas the oxidic component

260
 "1.

1025 10056

FIG. 7. Simulation of melt-spreading

(Oxidic melt, Isothermal boundary conditions).

spread out only to a 5 to 10 cm thick layer - due to a too low temperature of the
thermite. Further experiments with more adequate melt temperatures performed
on dry and wet surfaces will follow.
Confining of the Melt
The basemat concrete is protected by an arrangement of different layers, e.g. a
high-temperature resistant protection layer of Zirconia bricks and an insulating
layer of refractory concrete thus avoiding melt concrete interaction (fig. 9). The
spreading compartment acts therefore as confining boundary for melt retention.
In addition to the initial thermal loads when the melt is flowing over its surface
the long term thermal-chemical stability has to be looked at.
Experiments dealing with the thermal shock stability and first interaction tests
between real corium and Zirconia bricks, performed for Siemens at St. Petersburg,
lead to the conclusion, that Zirconia bricks are a possible means to fulfill the
confinement function expected.
Cooling of the Melt
The spreaded melt is flooded with water by passive means via connection pipes to
the water of the IRWST. These pipes are closed during normal operation ana acci-
dent conditions by plugs, which will be melted by the hot melt itself (see as an
example fig. 10). The flooding rate is in the order of approximately 50 kg/s, to
ensure on the one hand a moderate flooding time and to limit on the other hand
the amount of water for a possible energetic melt water interaction.
Since there is up to now not enough experimental evidence in respect to a
(partial) quenching of the melt, it is assumed for lay-out considerations that the

261
heat transfer from the melt to its surrounding is solely governed by heat
conduction. This is in respect to the thermal loadings of the protection layer and
the structural concrete below a penalizing assumption.

hight of thermite
steel plate (10mm+5mm)

catcher Sfyrodur- isolation

concrete steel crucible

ceramic
covering

FIG. 8. Test facility 3-2.

262
 steel plate

Zr02-bricks

refractory concrete

structural concrete

FIG. 9. Layer.

IRWST

plastic pipe

height of core meit

ZrOj-bncks

FIG. 10. Spreading area opening device for

interconnecting pipe to IR WST plastic pipe.

The stored heat in the melt and the decay heat are transferred to the water lying
above. The steam generated thereby escapes via the openings in the spreading
compartment into the containment and will there be condensed on the walls and
after the specific grace time for initiating the dedicated containment heat
removal system (CHRS) - in the case of the EPR a spray system - in addition on the
cold water of the CHRS thus decreasing the containment pressure again. The
condénsate and the spray water are flowing back to the IRWST and from there to
the spreading compartment, closing the cycle.
Stabilization in the long term
The heat removal from the melt is established as depicted before. In the long term
a recirculation mode of the CHRS can be chosen which leadstoasubcoolingofthe
water on the melt thus limiting very strongly further fission product escape.
The melt will be solidified in less than two days (depending very strongly on the
solidification temperature assumed: 2 d for T = 1900 °C, 5 hours for T = 2200 °C;
note that pure heat conduction is assumed). In any case a strong crust will be
established within a few hours. This time reflects the necessary "survival" time for
the protection layer. In the long term it is not needed any more.

263
The downwards directed heat flux from the melt leads to an increase in
temperature of the basemat. This is a very slow process which will finally be
reversed due to the decrease of the decay heat. A long term temperature profile
in the basemat can be seen from fig. 11.
4 Experimental and analytical support
In the last years the discussions about the phenomena and potential threats
connected with severe accidents had gained importance and worldwide
experimental and analytical efforts are underway.
To get more certainty in respect to the feasibility of an envisaged concept one has
to identify the key issues connected with the problem confronted. For the large
spreading concept of the melt these key questions are:
- what is the time-dependent evolution of the accident in respect to
composition, mass and temperature of the melt as initial condition for the
spreading itself, taking into account the deliberate delay time needed to melt
the gate between reactor pit and spreading area (scenario analysis)
- how will during the spreading process the metallic and pxidic constituents of
the melt be distributed (the completeness of the spreading process is a minor
issue).
- what is the thermochemical stability of the protection layer in the first hours
of contact with the melt (in the long term the melt is solidified)
- is there any quenching of the melt when flooded
(note: for the lay-out considerations this has not been taken into account, but
would help very much in reducing long term thermal loads)
- what is the energetic interaction between melt and water during the flooding
process
- what is the fission product release during the different stages of accident
progression: this is a question for f. p. release in the short term, but especially
a question of preventing a long term source of fission products
This list is not complete but addresses main items.
To solve the most stringent problems connected with this EPR-concept concerted
actions have been started in the frame of cooperations between the French and
German partners:
- CEA and Kf K cooperating closely together
- CEA with the French industry
- Kf K with the German industry
- and all together in regularly information exchanges and working groups to be
established.
In addition to that BMFT-sponsored activities in the frame of the AGIK-group and
the FARO work program of the JRC Ispra will help to get more insight in the
processes involved.
Main experimental programs are:
- VULCANO (CEA, where already a lot is done in the frame of the CORINNE
experiments)

264
 1 *MMk

• TIME 1 :
9 000 t
ü ( 0.1 DAYS )
. .
to

í
A TIME 2 :
too ooo*
TEMPERATURE (CENTIGRADE)

( 1.2 DAYS)

DID z J
+ TIME 3 :
. .
to

BASEf /1AT (( ONCR ETE) 260000*

1
o
-u

( 2.« DAYS)
X TIME 6 :
o
..

760000t

/
-*

( 8.7 DAYS)
o

« TIME 6 :
o

1 000000*
o

^
ce ( 11,8 DAYS )

/
-*

/^
o

LU

Ï
a>
o

AREA-150M2
o

y/
to

LAYERED COREMELT
o

METALLIC CM ABOVE
o
CB

OXÍOIC CM BELOW
^//
o

0.0645 m/0.1041 m
A.
o

1
35Ó°C PROTECTION LAYERS
o

ZfO2 ABOVE
r=tr^ ^
— i—
DIDURIT 135 BELOW
i „_

——— - -"
^^ __LL A--"^*""" »—
o

I" * 1—— <—— i i 1———i ——i——

-2.4 -2.0 -1.6 -1.2 -O.B
0.0 -0.40.8
0.4 1.2 CM-WATER
HTC - 800 W/m2 K
HEIGHT (m)

Os
Oí F/G. //. Temperature profiles - Base case.
 - spreading tests with real corium (1 t), delayed melt spreading and
accumulation, water addition
• KATS (KfK, with parallel investigations to other core-catcher
concepts-COMET)
- spreading tests with thermite on dry and wet surfaces
• COMAS (AGIK)
- spreading tests with real corium (31) on different surfaces
• FARO (JRC Ispra)
- melt water interaction tests
• CIRMAT (SIEMENS)
- thermal-chemical interaction tests corium with protective material
5 Conclusions
For the EPR core melt retention/stabilization is proposed to be achieved by a large
spreading of melt on a dedicated spreading area of about 150 m2, with high
temperature resistant protection layers and flooding of the melt with water from
the IRWST after spreading. The different steps involved in the course of the
accident till finally the melt is confined, cooled and stabilized are achieved solely
by passive means. Decay heat removal is established via a closed thermohydraulic
circuit, where as ultimate heat sink the dedicated Containment Heat Removal
System (spray system) comes in action with a sufficient delay time, governed by
the need to limit the containment pressure, until system operation is required.
To show the feasibility of the melt retention concept cooperations have been
established with an ambitious work program, including tests with real corium.

REFERENCES
IM M. Yvon, U. Krugmann, J.P. Berger, K. Schmidt
Basic Information on the Design Features of the EPR
IAEA Technical Committee Meeting for Advanced LWR, Moscow, May 94
121 M. Watteau, H. Seidelberger
The European PWR - a progress report
Nuclear Engineering International, October 94
/3/ H.WeisshäupI
Preventive and mitigative measures for the European Pressurized Water
Reactor (EPR) for severe accidents with core melt down
Jahrestagung Kerntechnik '94, Stuttgart, May 94
/4/ B. Kuczera, W. Eglin and H. Weisshäupl
Towards an enhanced quality in pressurized water reactor safety
Kerntechnik, Vol. 59 No. 4-5, August 1994
/5/ J.C. Bouchter, G. Cognet
VULCANO: A dedicated R&D Program to master Corium recuperation for
future reactors
Poster Session, ENC "94 - ANS Foratom, Lyon Oct. 94
/6/ H. Alsmeyer, H. Werle
Kernschmelzkühleinrichtungen für zukünftige DWR-Anlagen
Statusbericht des PSF, Kernforschungszentrum Karlsruhe März 94

266
 FEASIBILITY OF PASSIVE HEAT REMOVAL SYSTEMS XA9743174

Yu. M. ASHURKO
Institute of Physics and Power Engineering,
Obninsk, Russian Federation

Abstract

This paper presents a review of decay heat removal systems (DHRSs) used in liquid
metal-cooled fast reactors (LMFRs). Advantages and the disadvantages of these DHRSs,
extent of their passivity and prospects for their use in advanced fast reactor projects are
analyzed. Methods of extending the limitations on the employment of individual systems,
allowing enhancement in their effectiveness as safety systems and assuring their total
passivity are described.

1. INTRODUCTION

Decay heat removal after a reactor shutdown is one of the most important safety
functions. The degree of reliability of fulfillment of this function affects decisively the
safety level of a nuclear power plant (NPP) as a whole. One of the main points in the
concept of designing new-generation advanced nuclear power plants of any type is to aim at
a maximum use of the inherent safety properties characteristic of this reactor type.
Therefore, design workers tend, to an ever-increasing degree, to use as safety systems those
based on passive principles. As applied to decay heat removal systems it means using natural
convection of coolant as a motive force.

This paper deals mainly with the problem of technical feasibility of passive decay heat
removal systems for fast reactors.

It should be noted that in the field of fast reactors, considerable experience has been
already gained of using natural-convection coolant systems for decay heat removal. Not all
of these systems can be formally classified as fully passive ones in compliance with the terms
and recommendations adopted in [1] because many of them are based on a combination of
passive and active principles for starting up the system and for heat removal. However,
available experience of the operation of these systems and experimental studies can be of
value for designing fully passive DHRSs for advanced fast reactors. And this experience can
be useful for other types of advanced reactors as well.

2. GENERAL ASPECTS OF THE TECHNICAL FEASIBILITY OF PASSIVE DHRSs

Let us try to formulate general criteria for what should be understood by technical
feasibility of passive DHRSs?

In the technical feasibility problem of passive decay heat removal systems there can
be noted the following general points:

A. To show the basic possibility for realization of a particular passive heat removal
method. The problem is divided into two tasks: assurance of passive start-up of the
system and of its subsequent passive operation.

267
B. The limits of applicability of a particular passive heat removal method should be
shown both as to the applicable reactor types and for their power range. Note, that
a reactor type determines the possible range of main reactor plant parameter variation
during operation of the system under consideration.
C. A spectrum of accidental events in which the use of the considered heat removal
method is possible should be defined. This aspect also is dependent on reactor type.
D. The stability of passive heat removal system characteristics should be validated
relative to the possible effect of external and internal factors, including relative to the
initial state of the reactor and system, and relative to single failures and common
mode failures as well.

3. MAIN TYPES OF DHRSs USED IN LMFRs

In most accidental events in fast reactors a system of normal heat removal to the third
circuit through steam generators is used for decay heat removal. Usually these systems are
not safety-grade systems.

As a rule, in LMFRs, for decay heat removal in the most severe accidents, special
systems are provided based on heat removal to air as a final heat sink. Heat removal in them
is accomplished through forced or natural convection of coolant and air, or by a combination
of driving forces. These systems can be classified in different ways:

by the degree of their dependence on power supply sources, i.e. on the principle of
their operation, either passive or active;
by the location of these systems in the nuclear power plant layout;
by the method of heat transfer to air: the use of sodium-air heat exchangers (AHXs)
based on convection or heat removal through the reactor vessel - a combined use of
convective and radiative means for heat removal, etc,.

At present the most widespread method of classification of these systems is by their

position in the nuclear plant layout (Fig.l).

So there can be decay heat removal systems which remove heat directly from the
reactor vessel - direct reactor auxiliary cooling systems (DRAGS). Such systems are used
in pool-type reactors (SPX-1 in France, the European Fast Reactor Project (EFR) (Fig.2),
the BN-1600 project in Russia, etc.), or in so-called top-entry loop-type fast reactors (the
DFBR project in Japan). In DRAGS specially provided loops with immersed sodium-sodium
heat exchangers are used for heat removal from the reactor vessel. These systems are fully
independent of the normal heat removal systems.

In contrast to DRAGS, systems also removing decay heat from the primary circuit -
so-called primary reactor auxiliary cooling systems (PRAGS) - use a heat exchanger in the
IHX and so in the normal flow path for primary sodium. Heat is then removed to air
through special loops, as in DRAGS (PFR in Great Britain).

For loop-type LMFRs (Monju in Japan) and in some pool-type reactors (SPX- I in
France, the BN-800 project in Russia (Fig.3)) there are decay heat removal systems
connected to the secondary circuit - intermediate reactor auxiliary cooling systems (IRACS).
This version of DHRS is characterized by integration some equipment of the safety system
with the normal operational system functions.

268
 RVACS

Fig. 1. Principle scheme of different types of DHRS.

Air-cooler
Dampers
T
Safety
related
Normal DHR System
DHR System

Core

Fig. 2. DHR-Normal/Safety Related systems (EFR).

269
 Elect ro-
magnetic
pumps

Fig. 3. DHR Safety Related System (BN-800).

All the above DHRSs use sodium-air heat exchangers for heat transfer to air. In
some reactors, the systems for air cooling, of the external surfaces of steam generators (SGs)
are used as IRACS (Phénix in France, BN-350 reactor in Kazakhstan, FBTR in India).

Within the framework of the American modular liquid metal-cooled fast reactor
PRISM project, a qualitatively different way of heat removal from the reactor was proposed
through the reactor and guard vessels to air passing in the gap between the guard vessel and
the reactor silo lining or supply header (Fig.4).

It should be noted that systems for heat removal through the reactor vessel exist in
the Phénix and SPX-1 reactors. In these, heat is removed not to air but to the water cooling
system placed within the reactor silo concrete. The water cooling system is an active one.
As it is difficult in practice to make these systems passive, we shall not analyze them below.

However, from the viewpoint of safety requirements, the classification of the systems
under consideration by their degree of passivity is an important approach.

Thus the system for heat removal through the reactor vessel - reactor vessel auxiliary
cooling system (RVACS) - is a fully passive one and is classified according to the degree of
passivity of classification adopted in [1] as category B.

In many DHRSs with AHX, forced circulation of coolant in some circuits is provided
for normal operation and the natural convection conditions provide stand-by cooling for the
case of forced circulation failure. However, such systems were always designed on the basis

270
 Principle scheme of traditional system Proposals to improve the traditional system
of emergency decay heat removal through
reactor vessel wall

1 -main vessel, 2-gap between main vessel and guard

vessel, 3-guard vessel, 4-gap between guard vessel and
air supply header, 5-air supply header, 6-gap between air
supply header and reactor silo lining, 7-reactor silo lining,
8-air inlet, 9-air outlet, 10-outlet part of air path (exhaust
stack), 11-plates, 12-fins, 13-perforated gcreens, 14-holes in
the screens 14
-*—— Arrows Indicate air flow direction

FIG. 4.
that the DHRS should also ensure decay heat removal with the required efficiency under
natural convection conditions. Nevertheless DHRSs with AHX cannot be classified as wholly
passive systems, because some active components (air dampers and, perhaps, sodium valves)
are used in their start-up. At best the degree of passivity of these systems can be brought
to category D, being intermediate between the passive and active systems.

The degree of passivity of DHRSs with AHX can be enhanced up to category B by

designing for a permanent heat loss through the DHRS at a level which would ensure reactor
plant safety even in the event of total failure of all active heat removal systems. Such a
solution has been adopted in the EFR project. On three of six DRAGS loops the dampers are
in a fixed open position during normal power operation ensuring a permanent heat loss of
about 30 MW.

It should be noted that natural convection cooling is also used in fast reactors for
ensuring core debris confinement, within the reactor vessel. A so-called core catcher at the
bottom of the reactor vessel specially provided for this purpose (SPX-1, the BN-800 project)
is designed so as to assure efficient decay heat removal from the destroyed core using natural
convection of the coolant.

4. PROSPECTIVE DHRSs FOR ADVANCED LMFRs

Let us analyze some advantages and disadvantages of various DHRS designs revealed
as a result of experimental and calculational studies aimed at the determination of the
prospects of their use in advanced LMFR projects. An analysis of the maximum attainable
degree of passivity for a particular DHRS design and of its applicability limits is presented.

1) RVACS

This system has been designed for advanced PRISM project and is a fully passive one
(category B). The system is extremely simple and considerably reduces the number of
elements which must meet safety requirements [2,3].

Its main disadvantage is its restricted applicability. At present this system has been
adopted and investigated as applied to low-power reactors. The determining parameter for
RVACS is not the absolute value of reactor power but its ratio to the heat capacity of the
reactor vessel (or to the reactor vessel volume) and to the reactor vessel-to-air flow heat -
transfer surface.

The calculational studies conducted confirm this. Reactors such as BN-1600 and
SPX-1 prove to be more suitable for using these systems than, e.g., the BN-800 reactor. For
the BN-1600 reactor during RVACS operation, the maximum level of average sodium
temperature in the reactor vessel will not exceed ~ 730-820°C, whereas for the BN-800
reactor it will be ~ 770-870°C, all other things being equal.

Studies on RVACS efficiency enhancement are currently under way. The following
are possible:

an increase of the exhaust stack height;

the use of special radiation collectors with modified heat transfer surface located in
the gap between the guard vessel and reactor silo lining (Fig.4);

272
 optimization of the gap width between the guard vessel and reactor silo lining;
abandoning of the guard vessel and passing its functions to the reactor silo lining
(such abandonment was studied for the French SPX-2 reactor project);
filling the gap between the reactor mam and guard vessels with sodium.

Methods of surface modification for the heat radiation collector have been proposed
as follows:
the use of porous material [4] ;
the use of longitudinal fins [5];
the use of plates placed at an angle to the guard vessel surface [6] ;
the use of a pack of semipermeable screens which can be made in the form of grids,
perforated screens or semipermeable films [6].
In Figs.5-9 the calculation results of the use of the RVACS applied to the BN-800
reactor are presented. In Fig.5 the results of optimization of the width of the gap between
the guard vessel and the reactor silo lining for conventional RVACS (as in PRISM) are
presented.

In Figs.6-7 the results of optimization of the gap width and the number of screens for
an advanced RVACS with semi-permeable screens are shown. Fig.8 illustrates the
dependence of the maximum level of the average mixed coolant temperature in the BN-800
reactor vessel on the initial power level. In Fig.9 the results of gap width optimization for
a version without the guard vessel are presented.

In these figures the following symbols are used:

H - height of air path exhaust stack,
e - emissivity of reactor vessels and reactor silo lining materials,
N - the number of semipermeable screens in the heat radiation collector,
INA=O - a system operation mode when the gap between the reactor vessel and the
guard vessel contains no sodium.
INA= I - a system operation mode when the gap between the reactor vessel and the
guard vessel is filled with sodium.

These figures illustrate possibilities of improving RVACS characteristics and of

extending their applicability limits. Investigations have shown that RVACS can also be used
for larger power reactors but the relationship between power, vessel size and sodium
temperature under RVACS operation leads to a limitation or reactor power.

In connection with the above, there arises a problem of experimental, and

calculational study of RVACS for larger power reactors, in particular, the problem of an
investigation of natural coolant convection in large vessels during RVACS operation.

2) IRACS

Air heat exchangers have considerable hydraulic resistance so that there is only one
practical possibility for their attachment to the secondary circuit, i.e. on a by-pass to the
main normal heat removal line pipework. This can be a by-pass of the main pipe section
with a check valve on it (SPX-1), or a by-pass relative to the steam generator (BN-800). In
any case, their will be active components such as sodium valves and air dampers within the
DHRS.

273
Maximum coolant temperature in the reactor vessel as function of width of the gap between guard
vessel and reactor silo lining
Traditional RVACS Improved RVACS with screens
Temperature, °C Temperature, °C
1200 110000

100000

1000 -4-

90000

80000

I 70000
20 40 60 80 100 000 2000 4000 6000 8000 10000
Width of gap, cm Width of gap un
H = 8m, c = 0.85,
o- H = 60 m, INA = 1, e = 0.85 .-H =8 m, 1NA=l, c= 085 o - N = 0 , INA = 0 • - N - O, INA -- l
D-H = 60 m, INA = O, e = 0.85 • - H = 8 m , INA = 0, c = 0.85 D - N = 1 , INA = 0 «-N=l, INA=I
A-H = 60 m, I N A = 1, e = 0.5 « -H = 8m, INA = 1, c = 0.5 A-N = 2, 1NA = 0 ,-N = 2, INA=I
•-H = 60m, INA = 0, e = 0.5 + - H = 8 m, INA = 0, c = 0.5 • - N = 5 , INA = 0 + - N = 5, INA = i
v - N - 2 0 , INA = 0 *_N = 20, INA = l

FIG. 5. FIG. 6.
 Temperature, °C

0 4 8 12 16

Number of screens
H = 8 in, e = 0.85
n-d = 7cm, INA = 0 . - d = 7 cm, INA = 1
â - d = 1 5 c m , INA = 0 » - d = 15 cm, INA = 1
* - d = 25 cm, INA = 0 + - d = 25 cm, INA = 1
v - d = 100 cm, INA = 0 * - d = 100 cm, INA = 1

FIG. 7. Maximum coolant temperature in the reactor vessel as function of number of

perforated screens (improved RVACS with screens)

Temperature, °C

1 '
0 / •* C
1 %
' / / x

1 t /
/

Relative po\ver, per-unit

e = 0.85
o - H = 60 m, INA = 0, do = 23 cm, N = 7
a-H = 60m, I N A = 1 , do = 25 cm, N = 8
A - H = 8 m, INA = 0, do = 23 cm, N = 7
*-H = 8m, I N A = 1 , do = 25 cm, N = 8

FIG 8. Maximum coolant temperature in the reactor vessel as function of reactor power
(improved RVACS with screens)

275
 Temperature, °C

JM-

c :: vi «a
Width of gap, cm
o-H = 8m , £ = 0.85
D- H = 60 m, £ = 0.85
A-H = 8m, £ = 0.5
*-H = 6 0 m , £ = 0.5

FIG. 9. Maximum coolant temperature in the reactor vessel as function of width of the gap
between vessel and reactor silo lining (RVACS without guard vessel)

The use of air cooling system on the outside of a steam generator as an IRACS has
the following advantages:

such active components as sodium valves are eliminated;

the coolant circulation circuit has a more simple arrangement, there are no by-passes.

It is seen that even in the case of natural circulation in all DHRS circuits there is a
dependence on the serviceability of active components. In addition, the stability of
circulation depends on the initial temperature condition of the DHRS and of the reactor plant
as a whole, on the transient conditions of such active components as the main primary and
secondary pumps and on the procedure for putting the DHRS into operation. Making such
systems fully passive is possible by means of partial opening of sodium valves and air
dampers during NPP normal operation. However, it results in deterioration of NPP
economic factors. In addition, uncertainty in the conditions of passing from forced to natural
circulation, which are accompanied by main primary and secondary pumps coast-down,
cannot be eliminated in principle. Therefore, it cannot be eliminated in principle a chance
of occurrence of conditions impeding the esstablishment of natural convection of coolant in
the DHRS and even its reversability.

In addition IRACS have the following disadvantages. Unclosed sodium valves on the
main pipe line lead to marked deterioration of decay heat removal efficiency. In IRACS a
great number of components must meet the enhanced requirements put on safety grade
systems.

276
 3) DRAGS
DRAGS removes heat directly from the reactor vessel with the use of special loops
independent of the main heat removal loops. Such independence allows elimination of
sodium valves performing a switch-over of heat removal from the main equipment to the
emergency circuit. Air dampers are the only active components. However, realization of
a fully passive DHRS is possible in principle at the expense of the provision of a continuous
air leak through AHXs as has been done in the EFR. In this case of the NPP economic
factors have to be optimized and some losses in economy must be borne.

Important problems that exist for such systems are the problems of experimental
investigation of such items as coolant flow pattern in the reactor vessel under natural
convection, coolant stratification, interaction between the upper plenum and the core, and
optimization of the location of immersed heat exchangers. A large number of investigations
in this field have already been carried out in Germany [7,8] and in Japan [9]. This work
should be continued.

In Russia calculation studies on optimization of immersed heat exchanging have been

carried out [10]. It has been shown that at their location in the hot plenum some difficulties
with the development of natural convection in the intermediate loops are possible. At present
the possibility of locating the immersed heat exchangers in the cold plenum is being
analyzed.

In Fig. 10 a version is proposed where heat from the reactor vessel is transported by
coolant to an AHX directly connected on one side to the reactor vessel by two pipes and on
the other side to the expansion tank. During NPP normal operation the loop with the AHX
is filled with argon and there is no heat loss through the AHX. In an accidental event
accompanied by a failure of all heat removal systems, heating-up of coolant in the reactor
vessel results in filling the loop incorporating the AHX due to a pressure rise in the reactor
gas space. Coolant natural convection through the AHX takes place and decay heat is
removed to the outside. Thus the system is fully passive both in its start-up and operation.
The possibility of a system failure in the case of a reactor vessel loss of gas tightness can be
overcome by various means, including by supplementing this system with a similar one but
located lower down and filled only due to a rise of the coolant level in the reactor vessel.
One of the advantages of DRAGS is relatively small number of components included
in the safely-grade systems. As compared to RVACS they can remove more power upto a
level which is virtually unlimited.

4) PRAGS

PRAGS have basically the same solution as DRAGS to the heat removal problem and,
accordingly, have the same advantages and disadvantages.

5. CONCLUSIONS

An analysis of the present DHRSs and of the possibilities improving their

characteristics including their degree of passivity reveals the following.

The most preferred systems to be used in advanced LMFR projects are RVACS and
DRAGS (or PRAGS). These systems permit full realization of passive principles in their
start-up and operation.

277
00 Air outlet

f ni7Tiri , i ,,,,,,, , , n-i

Cold

Fig. ÎO. Principle scheme of DRAGS with passive switch-on.

 They are sufficiently simple and independent of normal heat removal systems. They
largely eliminate, the effect of transient conditions of normal heat removal active components
upon the stability and efficiency of the operation of the DHRS.

There are feasible ways to enhance RVACS efficiency and to extend the limits of their
applicability from the viewpoint of reactor power range. However, a rather high temperature
level in the reactor vessel during their operation makes attractive the idea of combined use
of RVACS and DRAGS in LMFR projects. In this case DRAGS would be used as a main
heat removal system and RVACS would be used as an ultimate decay heat removal system
if DRAGS fans.

REFERENCES

[1] Safety Related Terms for Advanced Nuclear Plants. IAEA-TECDOC626, September
1991.
[2] C.E.Boardman, A.Hunsbedt. Performance of ALMR Passive Decay Heat Removal
System. Specialists' Meeting on "Passive and Active Features of LMFRS", Oarai,
Japan, 5-7 November 1991, pp. 113-120.
[3] A.Hunsbedt. Experiments and Analyses in Support of the US ALMR Thermal-
Hydraulic Design. Specialists' Meeting on "Evaluation of Decay Heat Removal by
Natural Convection", Oarai, Japan, 22-23 February 1993, pp. 97-118.
[4] Y.Nishi, I.Kinoshita. Study on Decay Heat Removal Capability of Reactor Vessel
Auxiliary Cooling System. Specialists' Meeting on "Passive and Active Features of
LMFRS", Oarai, Japan, 5-7 November 1991, pp. 125-131.
[5] I.Mackawa and M.Nakaoji. A Study on the Decay Heat Removal Capability of a
Reactor Vessel Auxiliary Cooling System. Specialists' Meeting on "Evaluation of
Decay Heat Removal by Natural Convection", Oarai, Japan, 22-23 February 1993,
pp. 67-77.
[6] Yu.M.Ashurko, G.E.Lazarenko. Characteristics of Systems of Emergency Decay
Heat Removal Through Reactor Vessel Wall and Possible Ways of Their Efficiency
Increase. Intern. Topical Meeting, Obninsk,Russia, October 3-7, 1994, pp. 6.24-
6.38.
[7] H.Hoffmann, D.Weinberg, R.Webster. Investigation on Natural Convection Decay
Heat Removal for the EFR-Status of the Program. Specialists' Meeting on "Passive
and Active Features of LMFRS", Oarai, Japan, 5-7 November 1991, pp. 83-89.
[8] Hoffmann H., Rust K., Weinberg D. Studies on the EFR Safety Graded Decay Heat
Removal Concept. Results of Model Experiments and Core Simulations. Intern.
Topical Meeting, Obninsk,Russia, October 3-7,1994, pp. 6.86-6.98.
[9] Y.Ieda, H.Kamide, H.Ohshima, S.Sugawara, and H.Ninokata. Strategy of
Experimental Studies in PNC on Natural Convection Decay Heat Removal.
Specialists' Meeting on "Evaluation of Decay Heat Removal by Natural Convection",
Oarai, Japan, 22-23 February 1993, pp. 37-50.
[10] 10. P.N.Birbraer, V.S.Gorbunov and etc. Comparison of Decay Heat Exchangers
Placing in the Primary Circuit of Pool Type Fast Reactor. Specialists' Meeting on
"Evaluation of Decay Heat Removal by Natural Convection", Oarai, Japan, 22-23
February 1993, pp. 119-126. 1991, pp. 125-131.

279
 AVAILABILITY ANALYSIS OF THE AP600 PASSIVE CORE
COOLING SYSTEM

M. SYARIP XA9743175
National Atomic Energy Research Agency,
Yogyakarta

I. R. SUBKI
BATAN head Office,
Jakarta

Indonesia

M.H. CANTON
Westinghouse Electric Corporation,
USA

Abstract

AVAILABILITY ANALYSIS OP THE AP600 PASSIVE CORE COOLING SYSTEM.

The reliability analysis of the AP600 Passive Core Cooling System
(PXS) has been done. The fault tree analysis method was used for the
quantitative analysis. The PXS can be grouped to several sub-systems
i.e: Reactor Coolant System (RCS) Injection Subsystem, Emergency
Core Decay Heat Removal Subsystem, and Containment Sump pH Control
Subsystem. The quantitative analysis results indicates that the
system unavailability is highly dependent on the valves
configuration of the Automatic Depressurization System (ADS). If the
ADS valves is arranged in Option-1, the system unavailability is
2.347E-03, this means that the yearly contribution to plant down
time can be estimated to be about 20.56 hours per year. Whereas, by
using Option-2 of fourth stage ADS valves, the system unavailability
is reduced to be 9.877E-04 or 8.65 hours per year and this value is
consistent with the allocated goal value (8.0 hours per year). The
ADS contributes 66.89% to the system unavailability if it is
arranged in Option-1, and will reduced to be about 21.21% if its
fourth stages are arranged in Option-2. If the ADS is not included
as a subsystem of the PXS (relocate to RCS as a subsystem of RCS),
then the PXS unavailability will reduced to be about 7.784E-04 or
6.82 hours per year and this is less then the allocated goal value.
The major contributors to the system unavailability are mostly
dominated by Stage-4 ADS valves (air piston operated valves and
squib valves), inservice testing valves of ADS (solenoid operated
valves), solenoid valves of Nitrogen Supply to Accumulator, and
Passive Residual Heat Removal actuation valves (air operated
valves). Therefore, it is recommended that those valves be analyzed
more detail to gain the improvement in its reliability. It is also
recommended that the fourth stage of ADS valves should be arranged
according to Option-2, i.e. one 10-inch normally open motor operated
gate valve in series with one 10-inch normally closed squib valve.

1. INTRODUCTION

The AP600 is a 600 MWe, two loop, advanced passive plant, developed
by the Westinghouse Electric Corporation in cooperation with the
U.S. Department of Energy (DOE) and Electric Power Research
Institute (EPRI). Indonesia is one of the international participants
in this program, and this paper is a part of that participation.

281
The AP600 Passive Core Cooling System has been allocated to
contribute 8.0 hours per year to the total estimated plant yearly
downtime. This paper presents an availability analysis based on
current System Specification Document, by using the fault tree
analysis method. The failure rate and unavailability data (data
sources) for various components used for the fault tree
quantification was mostly from: Nuclear Plant Reliability Data
System (NPRDS) and Westinghouse Reliability Data Base. ).
2. GENERAL SYSTEM DESCRIPTION

A detailed description of the Passive Core Cooling System (PXS) is

provided in the System Specification Document, Reference 1. The PXS
is a safety-related system designed to provide adequate core cooling
for design basis events, this system consists of two Passive
Residual Heat Removal systems (PRHR) Heat Exchangers, two
Accumulators, two Core Makeup Tanks (CMTs), one In-containment
Refueling Water Storage Tank (IRWST), two RCS depressurization
spargers, associated valves, piping and instrumentation. The
simplified diagram of the PXS is shown in Figure 1 and 2.
The PXS is designed to perform the following major safety-related
functions :
- Emergency RCS Makeup and Boration, provide RCS makeup and
boration during transients or accidents where the normal RCS
makeup supply from the Chemical and Volume Control System
(CVCS) is unavailable or is insufficient.
- Safety Injection, provide safety injection to the RCS to ensure
adequate core cooling for the complete range of Loss Of Coolant
Accidents (LOCAs) up to and including the double ended rupture
of the largest RCS piping. The ADS supports the PXS in
performing the safety injection function by depressurizing the
RCS to allow lower pressure injection supplies to inject.
- Emergency Core Decay Heat Removal, provide core decay heat
removal during transients, accidents, or whenever the normal
heat removal paths are unavailable.
- Containment Sump pH Control, provide for chemical addition to
the containment sump during post accident condition with high
radioactivity in containment to establish floodup chemistry
conditions that support radionuclide retention and prevent
corrosion of containment equipment during loong-term floodup
condition.
The PXS is also designed to perform the non safety related function
i.e. to store the water required to flood the refueling cavity
during normal plant refueling operations. The PXS can be grouped to
several sub-systems i.e: RCS Injection Subsystem, Emergency Core
Decay Heat Removal Subsystem, Containment Sump pH Control Subsystem,
and Automatic Depressurization Subsystem. A detailed diagram of the
PXS is provided in the system Piping and Instrumentation Diagram
(P&ID), Reference 2.
2.1. RCS Inj ection Subsystem
The RCS injection subsystem consists of CMTs, Accumulators, an
IRWST, and associated valves, piping and instrumentation. The CMTs
provide RCS makeup and boration during events not involving loss of
coolant when the normal makeup system is unavailable or
insufficient. There are two CMTs located inside the containment at
an elevation slightly above the reactor coolant loops, and the
boration capability of these CMTs provides adequate core shutdown
margin following a steam line break. The CMTs are connected to the
RCS through a discharge injection line and two inlet pressure

282
balance lines i.e. one connected to the pressurizer and one to a
cold leg. The discharge line and the inlet pressure balance line
from the cold leg are each blocked by two normally closed, parallel
air-operated isolation valves that open on a loss of air pressure or
electrical power/ or on control signal actuation. The pressure
balance line from the pressurizer is normally open to maintain the
CMTs at RCS pressure, which prevents water hammer upon initiation of
CMT injection. This pressurizer line contains two check valves in
series, to prevent the CMTs from depressurizing in the event of a
pressurizer steam space break or a pressure balance line break. The
pressurizer line and a portion of the cold leg pressure balance line
between the isolation valves and the CMTs are normally maintained
full of steam from the pressurizer. The small amount of condénsate
that forms in this insulated lines is collected by a condénsate trap
and returned to the cold leg channel head of one Steam Generator.
The outlet line from the bottom of each CMT is relatively large and
provides an injection path to one of the two direct vessel injection
(DVI) lines, which are connected to the reactor vessel downcomer
annulus. Upon receipt of a safeguards actuation signal, the two
parallel valves in each inlet and discharge line open to align the
associated CMT to the RCS. At the end of CMT discharge line there
are two tilt-disc check valves in series that are designed to remain
open without flow in the line, these valves prevent reverse flow
through this line from the accumulator, that would bypass the
reactor vessel in the event of larger loss of coolant accident in
the cold leg or the cold leg pressure balance line.
The two accumulator are located inside the containment contain
borated water with a boron concentration of about 2500 ppm and
compressed nitrogen cover gas (maintained at approximately 700 psig)
to provide rapid injection. The discharge from each accumulator tank
is connected to one of the DVI lines, which are connected to the
reactor vessel downcomer. Each accumulator discharges through a
normally-open motor operated isolation valves and two check valves
in series, to isolate the accumulators from the RCS during normal
plant operation.
The IRWST contains cold borated water, is located in the containment
at an elevation slightly above the RCS loop piping. The IRWST is
connected to the RCS DVI lines through two gravity injection lines.
Each gravity injection line is connected to the bottom of the IRWST
and the Containment Sump, and contains a normally open motor-
operated isolation valves and four check valves (two series check
valves in two paralel paths). Both Containment Sumps are connected
to an associated gravity injection line via two paralel paths, one
path contains two check valves in series to prevent backflow, and
the other path contains two normally closed isolation valves which
can be opened to dump the IRWST water into the Containment Sump in
case of a core melt.
2.2. Emergency Core Decay Heat Removal Subsystem
The emergency core decay heat removal subsystem primarily consists
of two PRHR heat exchangers and associated valves, piping and
instrumentation. The heat exchangers are located in the IRWST, which
provides the heat sink for the heat exchangers. Only one heat
exchanger is required for core decay heat removal, the second heat
exchanger provides additional heat removal capacity and to isolate a
heat exchanger without a plant shutdown in the event of tube
leakage. The PRHR heat exhangers are connected to the RCS through a
common inlet line from one RCS hot leg through a. tee from one of the
fourth stage ADS lines, this inlet line is normally open and
connects to the PRHR heat exchanger channel head. The common outlet

283
line from the heat exchangers is connected to the associated steam
generator cold leg plennum reactor coolant pump suction. This outlet
line contains normally closed air-operated valves that open on loss
of air pressure or on control signal actuation.
The alignment of the PRHR heat exchangers with normally open common
inlet motor-operated valves and normally closed common outlet air-
operated valves, maintains the the heat exchangers full of reactor
coolant at RCS pressure and prevents water hammer upon initiation of
PRHR heat exchanger operation. Both heat exchangers are elevated
above the RCS loops to induce natural circulation flow through the
heat exchangers when the reactor coolant pumps are not available.
When the reactor coolant pumps are operating, they provide forced
flow in the same direction as natural circulation flow through the
heat exchangers. If the reactor coolant pumps are operating and
subsequently trip, then natural circulation continues to provide the
driving head, for heat exchanger flow. A vertical pipe stub with the
gas level detectors on the top of the inlet piping serves as a gas
collection chamber. There are provisions to allow the operator to
open shielded manual valves to locally vent these gases to the IRWST
during power operation.
2.3. Containment Sump pH Control Subsystem
The Containment Sump pH Control Subsystem is located inside the
containment, consists of the pH adjustment tank and associated
valves, piping and instrumentation. This subsystem provides for
chemical addition (a 30 weight percent sodium hydroxide) to the
containment recirculation sump in certain severe accident floodup
conditions where core damage has occured and core radioactivity has
been released from the RCS into containment, this chemical addition
is initiated upon receipt of a high containment radiation signal
using a 2 out of 4 logic coincidence. The sodium hydroxide addition
is designed to achieve a pH in the containment sump water between
7.0 to 9.5, which will significantly reduce radiolytic formation of
elemental iodine in the containment sump, and ultimately will reduce
the aqueous production of organic iodine and the total airborne
iodine in containment.
The pH adjustment tank discharges through two paralel normally
closed squib valves to two discharge sumps, each sump discharge line
contain a flow tuning orifice that is used to provide a mechanism
for the field adjustment to balance the discharge line flow rates. A
temporary connection can be made up to demineralized water system to
perform flow testing of the discharge piping. The used of squib
valves (which do not open on loss of power) and packless metal
diaphragm valves in this subsystem, minimizes the potential for
leakage.
2.4. System Operation
2.4.1. Normal Plant Operation
During normal plant power operation, the two CMTs are full of cold
borated water and maintained at RCS pressure. The pressurizer line
and a portion of the cold leg line between the isolation valves and
the CMT are normally maintained full of steam, with condénsate
removed through a steam condénsate drain back to the cold leg
channel head of one SG. The PRHR heat exchangers are maintained full
of cold RCS coolant at full RCS pressure. The IRWST is normally
maintained nearly full of water with an air space at the top of the
tank that is sealed from the containment atmosphere, whereas the
accumulators are normally maintained approximately 85 percent full
of water with a nitrogen cover gas at about 700 psig.

284
 CORE MAKEUP
TANK (I OF 2)

F/G. 7. A P600 passive safety injection.

PRESSURIZER

STEAM
GEN.
IRWST
PRHR PRHR
HX 1 HX 2

4TH
SIACC
l
ACS -00-.»

ML
RCP
REACTOR
CORE VESSEL

FIG. 2. AP600 passive residual heat removal.

285
Following a shutdown or trip, no PXS actuation occur as long as
normal RCS heat removal from the Startup Feedwater System (SFW), and
inventory control from the CVS, are maintained.
2.4.2. Plant Accident Operation
- Non LOCA Operation
The non-LOCA events can lead to significant increases or reductions
in the capability of the secondary system to remove heat generated
in the core, the two most limiting events are the loss of main
feedwater and the feed line break, as well as the steam line break
and inadvertent opening of a SG or safety valve.
Should the Main Feedwater System (MFW) and SFW be unavailable, the
PRHR heat exchangers are actuated by a low narrow range SG level and
coincident low SFW flow signal, to cool down the RCS. When the PRHR
heat exchanger cooling sufficiently reduces pressurizer level or RCS
temperature, the CMTs are initially actuated an inject borated water
directly into the reactor vessel downcomer annulus. Once the CMTs
are actuated the RCS pumps are tripped, and the PRHR heat exchangers
begin to operate under natural circulation. The RCS does not
depressurize sufficiently to permit the accumulators to deliver
makeup water to the RCS. Subsequent to stabilizing plant conditions
and satifying PXS termination criteria, the operator terminates PXS
operation and initiates normal plant shutdown operations.
The feed line break are associated with a double-ended rupture of a
feed line at full power. For this event, the PRHR heat exchangers
and the CMTs are actuated. Since the RCS pumps are tripped on
actuation of the CMTs, the PRHR heat exchangers operate under
natural circulation. The RCS does not depressurize sufficiently to
permit the accumulators to deliver makeup water to the RCS, and
subsequently the operator terminates the PXS operation and initiates
normal plant shutdown operations.
The steam line break are associated with a double-ended rupture of a
main steam line, occurring at zero power. In this event the PRHR
heat exchangers and the CMTs are actuated but not sufficient to
prevent the reactor from returning to criticality during the
transient. The injection flow is not sufficient to reduce CMT level
and to actuate ADS. The RCS may depressurize sufficiently to permit
the accumulators to deliver makeup water tank to the RCS, and
subsequently the operator terminates the PXS operation and initiates
normal plant shutdown operations.
Inadvertent opening of steam generator (SG) relief or safety valve,
in this event the reactor is tripped, the CMTs and the PRHR heat
exchangers are actuated and RCS pumps are tripped. The CMTs may
drain down if the RCS cooldown is fast enough to reduce the
pressurizer level to a low level. However, the safety analysis shows
that the ADS is not actuated.
- LOCA Operation
A LOCA is a rupture of the RCS piping or branch piping that results
in a decrease in RCS inventory that exeeds the flow capability of
the normal makeup system. The postulated piping breaks in the RCS is
divided into major pipe breaks or large breaks i.e. a rupture with a
total cross sectional area equal to or greater than one square foot,
and minor pipe breaks or small breaks (a rupture with a total cross
sectional area less than one square foot). Following a postulated
LOCA, the RCS pressure dcreases and initiates a reactor trip and
safety injection. The safety injection signal trips the RCS pumps

286
and opens the CUT inlet and outlet isolation air operated valves
(AOVs). The CMTs provide high pressure injection and can operate via
water recirculation or steam-compensated injection at full RCS
pressure. For smaller breaks, the pressurizer level is sufficient to
initially establish water recirculation, but for larger break sizes,
the pressurizer level decreases more rapidly and steam-compensated
injection occurs.
When the level in either of the CMT decreases to its Low-1 level
setpoint, ADS is actuated. The depressurization of the RCS is staged
to limit the depressurization rate and the maximum vent flow from
the spargers to the depressurization spargers. At a volume of about
67%, the first stage valves actuate, these 4 inch MOVs are connected
to the top of the pressurizer and discharge to the IRWST via the
spargers. In 60 seconds after the first stage valves actuate, the
second stage valves actuate, these are 8 inch MOVs that are
connected with the same flow path as the first stage valves. In 120
seconds after the second stage valves actuate, the third stage
valves actuate, these 8 inch valves are identical to the second
stage valves. As the CMT drops to a low volume about 20%, the fourth
stage valves are actuated , these are 10 inch MOVs that are
connected to both hot legs and they discharge directly to the SG
compartments.
After depressurization, the IRWST provides gravity injection flow
and this flow continues until containment flood-up initiates
containment sump recirculation. When the water level in the IRWST
reaches a low-level, the water level in the containment sump has
increased to a sufficient level to passively initiate recirculation
flow. This permit continued cooling of the core by recirculation of
accumulated water in the containment. When the IRWST level reaches a
low-low level setpoint, two MOVs in the line between the continment
sump and the gravity injection line open. This provides a redundant
flow path in parallel with the containment sump check valves, in
this long term cooling mode, the core is covered and steams to the
containment via the break and/or ADS valves. The steam is condensed
on the steel containment shell, which is cooled via the Passive
Containment Cooling System (PCS) and water is returned to the
reactor vessel via the IRWST and/or the recirculation lines.
The other LOCA operation are a Steam Generator Tube Rupture (SGTR)
and PRHR Heat Exchanger Tube Rupture. Following a SGTR event,
reactor coolant flows from the primary to the secondary side of the
ruptured SG, the pressurizer level decreases due to the loss of
inventory, and RCS pressure decreases, reactor trip and SI signals
are generated due to low pressurizer pressure. The CMTs operate via
water recirculation or steam-condensated injection to maintain RCS
inventory. The PRHR heat exchangers serve to remove core decay heat,
and since the reactor coolant pumps are automatically tripped on
actuation of the CMTs, the PRHR heat exchangers operate under
natural flow conditions. As the RCS cools, pressurizer level and
pressure decrease, equalizing with SG pressure and automatically
terminating break flow. In this events, the plant conditions are
stabilized without actuating the ADS. Whereas in the PRHR heat
exchanger tube rupture event, the operators can use available
instrumentation to identify the faulted heat exchanger and action
can then be taken to remotely isolate both heat exchangers by
closing the motor-operated inlet isolation valves, which are
normally open. The faulted heat exchanger can then be isolated, and
the plant can operate indefinitely with one of the heat exchangers
isolated.

287
3. M E T H O D O L O G Y

The methodology used in this analysis is a quantitative Fault Tree

Analysis (FTA) method, that is to provide the quantitative estimate
of the system's contribution to plant unavailability. The
quantitative estimate of the system unavailability is then compared
to its allocated or goal value as shown in Table 1 of Reference 4.
If the estimated value is greater than the allocated value, then the
recommendations will be presented for further consideration and
evaluation.
The FTA methodology utilized for the PXS availability analysis is
shown in the functional (reliability) block diagram in Figure 3.
This diagram defines the logic flow for the functional success or
failure of the system, the fault tree is then developed from this
functional block diagram. In the fault tree quantification pocess;
the failure rates, repair times, and unavailability values for each
components are calculated based on the historic data for similar
components. As results of quantifying the fault tree are : the
quantitative estimate of the system's contribution to the plant
unavailability, and a list that ranks the components in order of
the relative contribution to the total system unavailability.

LOSS OF BOTH LOSS OF BOTH LOSS OF PRHR AND

CMTs, VALVES, ACCUMULATORS, N2 EQUIPMENT (HEAT-
PIPING, AND FILL SYSTEM, EXCHANGERS , VALVES — — ~
INSTRUMENTATION VALVES, PIPING, & PIPING AND
INSTRUMENTATION INSTRUMENTATION)

LOSS OF IRWST AND LOSS OF CONTAIN- LOSS OF AUTOMATIC

ASSOCIATED MENT SUMP pH DEPRESSURIZATION
EQUIPMENT CONTROL SUBSYSTEM SYSTEM (ADS)

FIG. 3. Simlified reliability block diagram for the passive core cooling system.

Refer to the PXS System Specification Document (Reference 1), that

the Automatic Depressurization System (ADS) has been relocated to
RCS SSD, but because of successful operation of the PXS is dependent
on automatic depressurization of RCS, therefore two scenarios is
established in this analysis. The first scenario is by including the
ADS as a subsystem of PXS, and the second is by excluding the ADS
from the PXS subsystem.
There are two valve options in arrangement of ADS valves, for the
second and third stage of the ADS valves, both options is considered
to be similar from the reliability point of view, and for stage 4
both valve options are considered in the fault tree. The first PXS
fault tree is constructed using the first option of ADS valves (in
all stages), the second PXS fault tree is constructed with the stage
4 of ADS valves are arranged in Option 2, and the last PXS fault
tree is constructed by excluding the ADS from the PXS subsystem.

288
The ADS valves are arranged in 4 different stages and the valve
stages are configured into lines, each lines containing 2 valves in
series. The configuration of ADS valves are as follows:
- Stage 1 : consists of one 4-inch motor operated normally closed
(NC) isolation gate valve in series with, one 4-inch
motor operated NC globe control valve.
- Stage 2 (is the same with Stage 3) : there are two valve
options for stage 2 and stage 3;
Option-1: two 8-inch motor operated NC gate valves in series.
Option-2: one 8-inch motor operated NC gate valve (isolation)
in series with one 8-inch motor opertaed NC globe
valve (flow control).
- Stage 4 : there are also two valve options;
Option-1: two 10-inch air piston operated NC gate valves in
series.
Option-2: one 10-inch motor operated normally closed gate valve
(isolation) in series with one 10-inch normally
closed squib valve (control).
The ADS RCS final valve configuration has not been selected, as
such, the RCS P&ID (Reference 2) contains generic ADS valves.

4. RESULTS AND EVALUATION

In developing and quantifying the PXS fault tree, the following

assumptions have been made:
- All component failure rates used are assumed to be constant
with time, and age degradation is not modeled.
- The repair time (MTTR) for major PXS components with an
external leak requiring maintenance is assumed to be 64 hours
i.e. 10 hours to cooldown to 200 °F, 10 hours to repair valve,
40 hours to heatup to no-load temperature and 4 hours to
synchronize to grid.
- For components requiring replacement, the MTTR is assumed to be
200 hours, and for components that are isolatable from RCS
pressure or do not involve a pressure are assumed to have
smaller MTTRs (24 hours or less).
- All repairs can be performed within technical specification
requirement.
The GRAFTER code was used for the quantification process. The PXS
data and fault tree are presented in Appendix A and Appendix B
respectively. The quantitative analysis result is presented in Table
1, this quantitative results indicates that the PXS unavailability
with all ADS valves arrangement in Option-1 is 2.347E-03, this means
that the yearly contribution to plant down time can be estimated to
be about 20.56 hours per year. Whereas, by using Option-2 of fourth
stage ADS valves, the PXS unavailability is reduced to be 9.877E-04
or 8.65 hours per year. The major contributors to the yearly plant
downtime are listed in Table 2 and Table 3. The major contributors
are mostly dominated by Stage-4 ADS valves i.e.: air piston operated
valves (if valves configuration of Option-1 is chosen) and squib
valves (if configuration of Option-2 is chosen), inservice testing
valves of ADS or solenoid operated valves, solenoid valves of
Nitrogen Supply to Accumulator lines, and PRHR actuation valves.
It is shown in Table 1 that the ADS contributes 66.89% to the system
unavailability if it is arranged in Option-1, and will reduced to be
about 21.21% if it is arranged in Option-2 for fourth stage of ADS.
If the ADS is not included as a subsystem of the PXS (relocate to
RCS as a subsystem of RCS), then the PXS unavailability will reduced
to be about 7.784E-04 or 6.82 hours per year.

289
 Table 1. The PXS unavailability (Q) and its subsystem
ontribution (using Option 1 and Option 2 of ADS valves
and without ADS valves).

SUBSYSTEM ADS OPTION 1 ADS OPTION 2 NO ADS

Q %CONTR Q %CONTR Q %CONTR
RCS Inject.(CMTs, 3.923E-04 16.71% 3.923E-04 39.72% 3.923E-04 50.40%
ACCs, and IRWST)
Emerg. Core Decay 3.123E-04 13.30% 3.123E-04 31.62% 3.123E-04 40.12%
Heat Removal (PRHR)
Containment Sump 7.386E-05 3.15% 7.386E-05 7.48% 7.386E-05 9.49%
pH Control.
Automatic Depre- 1.398E-03 66.89% 2.095E-04 21.21% - -
surization (ADS)
Total (PXS) 2.347E-03 100% 9.877E-04 100% 7.35E-04 100%

Table 2. The PXS major contributors to the yearly plant downtime

using ADS valves configuration in Option 1.
SYSTEM UNAVAILABILITY (Q) 2.347E-03
COMP. IDÉNTÏFÎgR COMPOSEÍÍT IMPORTANCE * OF DECREASE BASIC EVENT
(BASIC EVENT) DESCRIPTION (%DECREASE) C.S.
IN Q PROBABILITY

1 PW014AFTO Piston op. vlv V014A failure 7.33 1 1 .7200E-04 1 .7200E-04

2 PW004AFTO Piston op. vlv V004A failure 7.33 1 1.7200E-04 1 .7200E-04
3 PW014CFTO Piston op. vlv V014C failure 7.33 1 1.7200E-04 1.7200E-04
4 PW004CFTO Piston op. vlv V004C failure 7.33 1 1.7200E-04 1.7200E-04
5 PW014BFTO Piston op. vlv V014B failure 7.33 1 1 .7200E-04 1 .7200E-04
6 PW004BFTO Piston op. vlv V004B failure 7.33 1 1.7200E-04 1.7200E-04
7 PW014DFTO Piston op. vlv V014D failure 7.33 1 1.7200E-04 1.7200E-04
8 PW004DFTO Piston op. vlv V004D failure 7.33 1 1.7200E-04 1.7200E-04
9 AW108AELRILSO Air op. vlv V108A failure 5.11 1 1. 2000E-04 1 .2000E-04
10 AW108BELRILSO Air op. vlv V108B failure 5 .11 1 1.2000E-04 1 .2000E-04
11 SW021AELR Solenoid op. vlv V021A failure .99 1 2 .3200E-05 2 .3200E-05
12 SW021BELR Solenoid op. vlv V021B failure .99 1 2 .3200E-05 2 .3200E-05
13 SW007AELR Solenoid op. vlv V007A failure .99 1 2 .3200E-05 2 .3200E-05
14 SW007CELR Solenoid op. vlv V007C failure .99 1 2 .3200E-05 2 .3200E-05
15 SW006AELR Solenoid op. vlv V006A failure .99 1 2 .3200E-05 2 .3200E-05
16 SW006CELR Solenoid op. vlv V006C failure .99 1 2 .3200E-05 2 .3200E-05
17 QW301AELR Squib valve V301A failure .41 1 9. 6000E-06 9.6000E-06
18 QW301BELR Squib valve V301B failure .41 1 9.6000E-06 9.6000E-06
19 RIRIA160ALL Containment rad. sensor RIA160 .37 3 8.5800E-06 1.6900E-03

The AP600 system unavailability estimates and allocations for the

PXS is allocated as 8.0 hours per year (Reference 4). Thus, the
estimated PXS unavailability with the ADS valves configuration in
Option-1 does not meet the system unavailability allocation (much
greater than the allocated goal), and for the PXS with the fourth
stage of ADS valves is arranged according to Option-2 (by using
squib valves), the system unavailability is consistent with the
allocated goal.

290
 Table 3. The PXS major contributors to the yearly plant downtime
using ADS valves configuration in Option 2.
SYSTEM UNAVAILABILITY (Q) 9.877E-04

COUP . IDENTIFIER COMPONENT IMPORTANCE t OF DECREASE BASIC EVENT

(BASIC EVENT) DESCRIPTION (%DECREASE) C.S.IN Q PROBABILITY
1 AW108AELRILSO Air op. vlv V108A failure 12.15 1 1.2000E-04 1.2000E-04
2 AW108BELRILSO Air op. vlv V108B failure 12.15 1 1.2000E-04 1.2000E-04
3 SW021AELR Solenoid op. vlv V021A failure 2.35 1 2.3200E-05 2.3200E-05
4 SW021BELR Solenoid op. vlv V021B failure 2.35 1 2.3200E-05 2.3200E-05
5 SW007AELR Solenoid op. vlv V007A failure 2.35 1 2.3200E-05 2.3200E-05
6 SW007CELR Solenoid op. vlv V007C failure 2.35 1 2.3200E-05 2.3200E-05
7 QW004AFTO Squib vlv V004A fail to open 1.21 1 1.2000E-05 1.2000E-05
8 QW004CFTO Squib vlv V004C fail to open 1.21 1 1.2000E-05 1.2000E-05
9 QW004BFTO Squib vlv V004B fail to open 1.21 1 1.2000E-05 1.2000E-05
10 QW004DFTO Squib vlv V004D fail to open 1.21 1 1.2000E-05 1.2000E-05
11 QW004AELR Squib vlv V004A ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
12 QW004CELR Squib vlv V004C ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
13 QW004BELR Squib vlv V004B ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
14 QW004DELR Squib vlv V004D ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
15 QW301AELR Squib vlv V301A ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
16 QW301BELR Squib vlv V301B ex. leak/rupt. .97 1 9.6000E-06 9.6000E-06
17 RIRIA160ALL Containment rad. sensor RIA160 .87 3 8.5800E-06 1.6900E-03
18 RIRIA161ALL Containment rad. sensor RIA161 .87 3 8.5800E-06 1.6900E-03
19 RIRIA162ALL Containment rad. sensor RIA162 .87 3 8.5800E-06 1.6900E-03
20 RIRIA163ALL Containment rad. sensor RIA163 .87 3 8.5800E-06 1.6900E-03
21 OW306TELR Press. Ctrl op. vlv V306T fails .80 1 7.8700E-06 7.8700E-06
22 AW002AELR Air op. vlv V002A failure .73 1 7.2400E-06 7.2400E-06

5. CONCLUSIONS AND RECOMMENDATIONS

The analysis results show that the unavailability (Q) of AP600 PXS
can be estimated as follows:
1. Q = 2.347E-03 or 20.56 hr/year, if the ADS is included as a s
subsystem of the PXS and the first option of ADS valves
arrangement is used.
2. Q = 9.877E-04 or 8.65 hr/year, if the ADS is included as a
subsystem of the PXS and the second option arrangement of ADS
valves is used.
3. Q = 7.784E-04 or 6.82 hr/year, if the ADS is excluded from the
PXS subsystem (relocated as a subsystem of RCS)
The system unavailability in conclusions 1 is greater than the
allocated unavailability goal, the value in conclusion 2 is
consistent with the allocated goal, whereas the system
unavailability in conclusion 3 is better than the allocated goal
of 8.0 hr/year.
The main contributors to the plant downtime attributed by this
system are mostly dominated by air piston operated valves (ADS),
solenoid operated valves (inservice testing of ADS), solenoid
operated valves of Nitrogen Supply to Accumulator lines and PRHR
actuation valves. Therefore, it is recommended that those valves be
analyzed more detail to gain the improvement in its reliability. It
is also recommended that the fourth stage of ADS valves should be
arranged according to Option-2, i.e. one 10-inch normally open motor
operated gate valve in series with one 10-inch normally closed squib
valve, this configuration will lead the PXS unavailability much
closer to the allocated goal.

ACKNOWLEDGEMENT
The assistance and support of the people from Reliability
Engineering group of Westinghouse Electric Corporation are greatly
appreciated.

291
 REFERENCES
1. Schultz T.L./Brown W., "AP600 Passive Core Cooling System -
System Specification Document", AP600 Document No: PXS-M3-001,
Revision 1, 1994.
2. Passive Core Cooling System Piping and Instrumentation Diagram,
Drawing # 1874E76, AP600 Doc.#: PXS M6-001/004, Revision 7.
3. Reactor Coolant System Piping and Instrumentation Diagram,
Drawing # 1874E74, AP600 Doc. #: RCS M6-001/003, Revision 7.
4. Charles E. Meyer, "Westinghouse AP600 Program Update To System
Unavailability Estimates And Allocations", Update #2, AP600
Document f: GW-GRR-006, September 1992.
5. Kerch S.P./Chicots J.M., "AP600 RAM Program - Availability
Analysis Of The Passive Core Cooling System", Revision l, AP600
Document #: PXS-GOA-001, October 1992.
6. Westinghouse Calculation Note RE-352, AP600 Passive Core Cooling
System Unavailability FTA, 6 November 1990.
7. Corletti M.M./Stirzel R.K., "Reactor Coolant System - System
Specification Document", AP600 Document No: RCS-M3-001,
Revision 1, 1994.
8. Kitzmiller J.T./Lynde J.M., "SPWR RAM Program - Inadvertent
Actuation Analysis Of Automatic Depressurization System",
Reliability Engineering Doc. NATO, August 1992.
9. Ezekoye, L.I., "Preliminary Assessment of SQUIB Valves", MED-
AEE-9840, Letter Report to R.P. Vijuk, Dec. 15, 1993.
10. GRAFTER Code, Revision 1.6
11. Westinghouse Reliability Data Base.
12. Nuclear Plant Reliability Data Systems, NPRDS.
13. IEEE STD-500, 1984.

292
 APPENDIX A: FAILURE RATE DATE FOR RCS AND PXS

•MASTER DATA PILE FOR AP600 RCS AND PXS SYSTEMS'

98 15
1 3.13E-04 O.OOE+00 2 'AP6 ' •AV •RCS' •PRESSURIZER BALL VALVE SPUR. OPER. (FO)/LEAK/ROPT
2 1.20E-04 O.OOE+00 2 'AP6 ' •AV •RCS' •PRESSURIZER BALL VALVE FAILS TO CLOSE
3 4.16E-05 O.OOE+00 2 'AP6 • •AV •RCS' 'PRESSURIZER BALL VALVE FAILS TO OPEN
4 3.12E-07 O.OOE+00 2 'AP6 ' •FE- •RCS' •FLOW ELEMENT (ORIFICE) EXTERNAL LEAK/RUPTURES/PLUGS
5 5.55E-05 O.OOE+00 2 'AP6 • TT' . •RCS' •FLOH INDICATOR FAILS ANY MODE
6 2.60E-04 O.OOE+00 2 'AP6 ' •TV' •RCS' •FLEXI-DISC CODE SAFETY VALVE FAILS SPUR. OP/LK/RUPT
7 5.76E-07 O.OOE+00 2 'AP6 • 'LT' •RCS' •LEVEL TRANSMITTER LEAKS/RUPTURES
8 6.12E-06 O.OOE+00 2 'AP6 ' •LT' •RCS' •LEVEL TRANSMITTER FAILS ALL MODES
9 1.29E-07 O.OOE+00 2 'APS ' •RD- 'RCS' •CODE SAFETY RUPTURE DISC FAILS
10 1.60E-04 O.OOE+00 2 'AP6 ' •8V' •RCS' 'MISCELLANEOUS VESSEL PROBLEMS
11 6.84E-07 O.OOE+00 2 'AP6 ' •PI' •RCS' •PIPING CRACKS/RUPTURES (10 METER LENGTH)
12 3.00E-04 O.OOE+00 2 'AP6 • •PM' •RCS' 'REACTOR COOLANT PUMP FAILS ANY MODE
13 5.76E-07 O.OOE+00 2 'AP6 • 'PT' •RCS' 'PRESSURE TRANSMITTER FAILS ALL MODES
14 2.70E-03 O.OOE+00 2 'AP6 • •SG' 'RCS' •STEAM GENERATOR FAILS ANY MODE
15 8.11E-07 O.OOE+00 2 'AP6 ' •TE- •RCS' •TEMPERATURE ELEMENT EXTERNAL LEAK/RUPTURE
16 4.17E-05 O.OOE+00 2 'AP6 • TE' •RCS' •TEMPERATURE ELEMENT FAILS HIGH/LOW OR DRIFTS
17 3.07E-06 O.OOE+00 2 'AP6 ' •XV 'RCS' •MANUAL VALVE INTERNAL LEAK/FAILS OPEN
IS 4.85E-06 O.OOE+00 2 'AP6 ' •XV 'RCS' •ANGLE VALVE RÜPTURES/LEAKS/FAILS CLOSED
19 2.94E-06 O.OOE+00 2 'AP6 ' •XV •RCS' •MANUAL VALVE FAILS CLOSED OR FAILS TO OPEN
20 1.91E-06 O.OOE+00 2 'AP6 ' •XV •RCS' •MANUAL VALVE EXTERNAL LEAK/RUPTURE
21 4.98E-06 O.OOE+00 2 'AP6 ' •XV •RCS' 'MANUAL VALVE RUPTURES/LEÄKS/FAILS OPEN
22 2.47E-04 O.OOE+00 2 'AP6 ' •PZ' •RCS' 'PRESSURIZER FAILS ALL MODES
23 7.78E-06 O.OOE+00 2 'AP6 ' •MV •RCS' •MOV FAILS CLOSED/EXTERNAL LEAK/RUPTURE
24 1.18E-04 O.OOE+00 2 'AP6 ' •MV 'RCS' •MOV FAILS TO CLOSE/INT. LEAK/EXT. LEAK/RUPTURE
25 7.24E-06 O.OOE+00 2 'AP6 ' •AV •PXS' •AIR-OP GLOBE EXTERNAL LEAK/RUPTURE
26 7.20E-05 O.OOE+00 2 'AP6 ' •AV 'PXS' •AIR-OP GLOBE SPURIOUSLY OPENS
27 3.2BE-04 O.OOE+00 2 'AP6 ' •AV •PXS' 'AIR-OP GLOBE/GATE VALVE FTO/FTC, MTTR-40 hrs.
28 4.82E-OS O.OOE+00 2 'AP6 ' •AV 'PXS' 'AIR-OP GLOBE EXTERNAL LEAK/RUPTURE/INTERNAL LEAK
29 1.20E-04 O.OOE+00 2 'AP6 ' •AV 'PXS' •AIR-OP GLOBE EXT. LEAK/RUPTURE/INT. LEAK/SPUR. OPEN
30 1.99E-04 O.OOE+00 2 'AP6 ' •AV 'PXS' 'AIR-OP BALL VALVE EXT. LEAK /RUPTURE /SPURIOUSLY OPENS
31 6.02E-06 O.OOE+00 2 'AP6 ' •AV •PXS' •AIR-OP BALL VALVE FAILS OPEN/FAILS CLOSED
32 3.28E-04 O.OOE+00 2 'AF6 ' •AV 'PXS' 'AIR-OP BALL VALVE FAILS TO CLOSE/FAILS TO OPEN
33 2.63E-06 O.OOE+00 2 'AP6 ' •MV •PXS' 'MOTOR-OP GATE VALVE EXTERNAL LEAK/RUPTURE
34 4.81E-06 O.OOE+00 2 'AP6 • •XV •PXS' •MANUAL GLOBE/GATE EXTERNAL LEAK/RUPTURE
35 8.40E-07 O.OOE+00 2 'AP6 ' •MV •PXS' •MOTOR-OP GATE VALVE RUPTURES
36 9.97E-06 O.OOE+00 2 'AP6 ' •MV •PXS' 'MOTOR-OP GLOBE EXT. LEAK/RUPTDRE/SPURIOUSLY OPENS
37 1.54E-05 O.OOE+00 2 'APS ' •MV •PXS' •MOTOR-OP GLOBE INTERNAL LEAK/SPURIOUSLY OPENS
38 7.13E-04 O.OOE+00 2 'AP6 ' •MV •PXS' •MOTOR-OP GLOBE EXT. LEAK/RUPTURE/INT LEAK/FAILS OPEN
39 3.66E-06 O.OOE+00 2 'AP6 ' 'CV 'PXS' •CHECK VALVE EXTERNAL LEAK/RUPTURE
40 3.84E-05 O.OOE+00 2 'AP6 ' 'CV 'PXS' 'CHECK VALVE INTERNAL LEAK
41 1.26E-06 O.OOE+00 2 'AP6 ' 'cv 'PXS' •CHECK VALVE EXTERNAL LEAK/RUPTURE
42 1.20E-04 O.OOE+00 2 'AP6 ' 'cv 'PXS' •CHECK VALVE INTERNAL LEAK
43 1.84E-06 O.OOE+00 2 'AP6 • •CV 'PXS' •CHECK VALVE RUPTURES
44 4.62E-06 O.OOE+00 2 'AP6 • 'PI' •PXS' •PIPING RUPTURE (68 •), KTTR-200 hrs
45 2.18E-08 O.OOE+00 2 'AP6 ' 'PI' 'PXS' 'PIPING RUPTURE, BLIND FLANGE (l B), MTTR-64 hrs
46 6.80E-07 O.OOE+00 2 'AP6 ' 'PI' •PXS' 'PIPING RUPTURE (10 m), MTTR-200 hrs
47 1.63E-06 O.OOE+00 2 'AP6 • •PI' •PXS' 'PIPING RUPTURE (100 B), MTTR<=48 hrs
48 8.16E-07 O.OOE+00 2 'AP6 ' 'PI' •PXS' 'PIPING RUPTURE (100 a), MTTR°24 hrs
49 1.56E-06 O.OOE+00 2 'AP6 ' •PI' •PXS' 'PIPING RUPTURE (23 m), MTTR-200 hrs
SO 4.22E-06 O.OOE+00 2 'AP6 ' •PI' •PXS' 'PIPING RUPTURE (62 m), MTTR-200 hrs
51 3.72E-06 O.OOE+00 2 'AP6 ' •PI' •PXS' •PIPING RUPTURE (62 B), MTTR-200 hrs
52 3.07E-06 O.OOE+00 2 'AP6 ' •XV •PXS' •MANUAL GLOBE VALVE INTERNAL LEAK
53 1.69E-06 O.OOE+00 2 'AP6 ' •XV •PXS' •MANUAL GLOBE EXTERNAL LEAK/RUPTURE
54 2.30E-06 O.OOE+00 2 'AP6 ' •XV •PXS' •MANUAL GLOBE INTERNAL LEAK
55 8.40E-07 O.OOE+00 2 'AP6 ' 'XV 'PXS' •MANUAL PLUG VALVE RUPTURES
56 1.76E-06 O.OOE+00 2 'AP6 • 'XV •PXS' 'MANUAL GATE VALVE RUPTURE S/EXTERNAL LEAK
57 3.20E-04 O.OOE+00 2 'AP6 ' •LT' 'PXS' 'LEVEL TRANSMITTER FAILS - ALL MODES, MTTR-64 hrs
58 1.20E-04 O.OOE+00 2 'AP6 ' 'LT' 'PXS' 'LEVEL TRANSMITTER FAILS - ALL MODES, MTTR=24 hrs
59 1.20E-04 O.OOE+00 2 'AP6 ' •PT' 'PXS' •PRESSURE TRANSMITTER FAILS - ALL MODES
60 1.20E-04 O.OOE+00 2 'AP6 ' 'FT' 'PXS' •FLOH TRANSMITTER EXTERNAL LEAK
61 3.60E-06 O.OOE+00 2 'AP6 ' 'TK' 'PXS' •TANK RUPTURES, MTTR=200 hrs
62 2.32E-05 O.OOE+00 2 *AP6 ' •sv •PXS' 'SOLENOID-OP GLOBE EXTERNAL LEAK/RUPTURE
63 5.28E-05 O.OOE+00 2 'AP6 • •sv •PXS' 'SOLENOID-OP GLOBE INTERNAL LEAK/SPURIOUSLY OPENS
64 3.00E-05 O.OOE+00 2 'AP6 • •SV 'PXS' 'SOLENOID-OP GLOBE EXT LEAK/RUPT/INT LEAK/SPUR. OPENS
65 1.26E-06 O.OOE+00 2 'AP6 ' •SV 'PXS' •SOLENOID-OP STOP CHECK VALVE EXTERNAL LEAK/RUPTURE
66 6.27E-06 O.OOE+00 2 'AP6 ' •RV 'PXS' •RELIEF VALVE EXT LEAK/RUPTURE/INT LEAK/SPUR. OPENS
67 3.80E-06 O.OOE+00 2 'AP6 • •FE- •PXS' •FLOW ELEMENT, VENTURI FAILS
68 4.45E-OS O.OOE+00 2 'AP6 ' •HX' •PXS' 'HEAT EXCHANGER TUBE LEAK IN HX 2, HX 1 UNAVAILABLE
69 2.17E-05 O.OOE+00 2 'AP6 ' •HX' 'PXS' 'HEAT EXCHANGER TUBE RUPTURE
70 1.63E-08 O.OOE+00 2 'AP6 ' •BF' 'PXS' •BLIND FLANGE, 2 INCH PIPE EXTERNAL LEAK/RUPTURE
71 1.22E-04 O.OOE+00 2 'AP6 ' •cv 'PXS' •CHECK VALVE INTERNAL LEAK/RUPTURE
72 6.02E-06 O.OOE+00 2 'AP6 ' 'MV 'PXS' •MOTOR-OP GATE VALVE FAILS OPEN/FAILS CLOSED
73 6.14E-06 O.OOE+00 2 'AP6 • •MV •PXS' •MOTOR-OP GATE VALVE FAILS OPEN/INTERNAL LEAK
74 6.98E-06 O.OOE+00 2 'AP6 ' 'MV 'PXS' •MOTOR-OP GATE VALVE FAILS OPEN/INT. LEAK/RUPTURE
75 7.81E-05 O.OOE+00 2 'AP6 ' •MV 'PXS' 'MOTOR-OP GATE VALVE INT. LEAK/SPUR. OPEN/FAILS OPEN
76 3.07E-06 O.OOE+00 2 'AP6 • •MV 'PXS' •MOTOR-OP GATE VALVE INTERNAL LEAK
77 4.47E-06 O.OOE+00 2 'AP6 • •pv •PXS' •PISTON-OP GATE VALVE EXTERNAL LEAK/RUPTURE
78 1.54E-05 O.OOE+00 2 'AP6 • 'PV 'PXS' •PISTON-OP GATE VALVE INTERNAL LEAK/SPURIOUSLY OPENS
79 1.98E-05 O.OOE+00 2 'AP6 • •PV •PXS' •PISTON-OP GATE VALVE EXT LEAK/RUPT/INT LEAK/FAIL OP
80 2.94E-06 O.OOE+00 2 'AP6 • •MV •PXS' 'MOTOR-OP VALVE FAILS TO OPEN DUB TO MECH. FAILURE
81 9.60E-06 O.OOE+00 2 'NPRD' •QV •PXS' •SQUIB VALVE EXTERNAL LE AK /RUPTURE, MTTR-24 hrs.
82 1.28E-04 O.OOE+00 2 'AP6 ' •SV 'PXS' •SOLENOID-OP GLOBE VALVE FAILS TO OPEN, MTTR-64 hrs.
83 2.56E-04 O.OOE+00 2 'AP6 ' •SV •PXS' •SOLENOID-OP GLOBE VALVE FTO/FTC, MTTR-64 hrs.

293
 84 2 .94E-06 0.OOE+00 2 •AP6 •XV' -PXS- 'MANUAL GLOBE VALVE FAILS CLOSED
65 4 .89E-04 0.OOE+00 2 •AP6 •ST- 'PXS- 'STEAM TRAP FAILS CLOSED
86 1 .76E-06 0.OOE+00 2 •AF6 •ST' 'PXS' 'STEAM TRAP EXTERNAL LEAK/RUPTURE -same as manual vlv
87 2 .29E-06 0.OOE+00 2 •AP6 'MV' 'PXS' 'MOTOR-OP GLOBE VALVE EXT. LEAK/RUPTURE
88 S . 88E-06 0 .OOE+00 2 •AP6 •MV 'PXS' 'MOV GATE/GLOBE VALVE FTO/FTC DOE TO MECH. FAILURE
89 2.02E-07 0 .OOE+00 2 •AP6 'SV' 'PXS' 'SOLENOID-OP GLOBE VALVE RUPTURES
90 1.30E-06 0.OOE+00 2 •AP6 •FT' -PXS' 'FLOW TRANSMITTER RUPTURES, MTTR=100 hrs.
91 1.87E-07 0.OOE+00 2 •ALWR •MV' 'PXS' 'INADVERTENT ACTUATION OF ADS VALVES.
92 1 .72E-04 0.OOE+00 2 'NPRD 1 •PV 'PXS' 'PISTON OPERATED GATE VALVE FTO, MTTR«24 hrs.
93 2.15E-03 0.OOE+00 2 'IEEE 1 •HI' 'PXS' 'RADIATION SENSOR (GM) t TRANSMITTER FAILS ALL MODES.
94 7-87E-06 0.OOE+00 2 'IEEE '0V 'PXS' 'PRESSURE CONTROL /SELF OPERATED EXT. PRESSURE, EL,R.
95 3 .12E-05 0.OOE+00 2 'NPRD •QV 'PXS' 'SQOIB VALVE FAILS ALL MODES, MTTR-24 hrs.
96 1.20E-05 0.OOE+00 2 'NPRD 1 •QV 'PXS' 'SQUIB VALVE FAIL TO OPEN, MTTR=24 hrs.
97 4.80E-06 0.OOE+00 2 •NPRD •QV 'PXS' 'SQUIB VALVE INTERNAL LEAK, MTTR=24 hrs.
98 2.74E-03 0.OOE+00 2 'ENGT •IF' 'PXS' 'ADS TESTING t MAINT. UNAVAILABILITY («very 4 months)
'NOTES i The MTTR for major RCS components with external leak requiring maintenance is assumed to be :
64 hours (10 hrs to cooldown to 200 deg F, 10 hrs to repair valve, 40 hrs to heatup to no load
' temp and 4 hrs to synchronize to grid), and for components requiring replacement the MTTR is
• assumed to be 200 hours. Components that are isolatable from RCS pressure or do not involve a
' pressure boundary (e.g. valve operators) are assumed to have smaller MTTRs.

•RBFFERENCES :'
• I

•AP6 : AP600 RAM PROGRAM, Cale. Sote í RE-352, November 1990. And AP600 Doc. t: PXS-GOA-001, Oct. 1992 '
•ALWR : SPWR RAM PROGRAM, Inadvertent Actuation Anal, of the ADS, J.T. Kitzmiller £ J.M. Lynde, RE, NATO'
'IEEE : IEEE STD 500-IEEE, 1984.'
'NPRD : NUCLEAR PLANT RELIABILITY DATA SYSTEM'
•ENGJ : ENGINEERING JUDGEMENT'

294
 APPENDIX B: AP600 PASSIVE CORE COOLING SYSTEM FAULT TREE

PASSIVE COPE ^
ICOULIHG SrSICN
(UNAVAILABLE

Q_
S I
HI TRAIN A IÍMI TRAIN 8 ^ /ACCU TRAIN A > ÍACCH TRAIN B ^ (PRHR EQUIPMENT ^ (ÍRKST EQUIPMENT "\ /ADS EQUIPKEHT "^\ AT ADJUSTMENT "^
OUlPMENI ¡EQUIPMENT EOUIPXENI EQUIPMENT 1 IFAILUHE FAILURE FMLU« ESungNI
AILURE FAILURE FAILURE FAILURE

J V > V J
SEE PAGE 7 SEE PAGE B SEE PAGE 9 SEE PAGE 10 SEE PAGE 11 SEE PAGE 12 SEE PAGE 13

KpN
IPRESSURIZER ANO ^ IÉXT LEVEL ^ ICNT TESI HEADER ^| |€xT INJECTION "\ (¿HI TANK LEW OR
COLD LEG INSTRUMENTAI I OH ANO SAMPLE LINE LINE FAILURE RUP1URE
INTERFACE LINE FAILURE
JL Jl J r1«** .
FAILURE

£tL
SEE PAGE 3 SEE PAGE 6 /^ ""\

-(¿_

r~~1
(fOKPONENT "* f AILURE OF CNT "> (fes LEAK ———> NCE^j ÍEVEL T ———— TTR ^ jCCVEL TRANSMTTR^ |CEVEL TRANSMTTR^ iCcVEL IRANSMTTR
[FAILURE AIR-OP VALVES ÎTESIÎNG V FÀÏLL
IALL MOOES ALL MOOES IALL MOOES 1 ALL MOOES
J ILTISOIIFA J JLTLSOI3FA J LTLSOIVA J LTLSOIJFA

c\\
1
SEE PAGE ? SEE PAGE 3 SEE PAGE

' 0 0 0 0

) )
(6-BIA (FOI "^ (S-BTA IFOI ^ ¿-8IA >| (Í-8IA (S-BTA rt-B8A "> (totOEHSATE TRAP"\ flfl RUPTURE ~^
AOV GLOBE VALVE AOV GLOBE VALVE MOV GATE VALVE CHECK VALVE ICICCK VALVE MANUAL GLOSE HATER HAMMER 0-ÍA4, 3-AAA
EL. R EL. R EL. R VALVE. EU R PREVENTION LINE
U "A IAVV003AELR IMVVOOJAELH IcvvOOBAELR ICVVOQ7AELR IXVVOOBAELR 11 I IPICMTPIIR
\"V ' L" J

0 0 0 0 0 0 Í1 rd 0
r-
MANUAL CLOSE ^ (STEAM TRAP IOIA> /ÍOLENOIO-OP ^ jÉniFice no4A ~\ (SOLENOIO-OP ^ iCOMBIHAIION OF ^1 f AILURE OF TDO ^
VALVE V032A GLOBE VALVE GLOBE VALVE FAILURES IN
V033A RUPTURES I IVOJOA RUPTURES CONO. TRAP LINE SOL-OP VALVES
I«VV032AELR j ISTTOIAELR Esvv033AR IFEH04AELR I ISVV030AR

0 0 0 0 0
I 17 I 2
1

E
OHDEHSATE TRAP ~\ l€OLENOIO-OP "^ I$OLENOIO-OP ^ (ÍCX.ENOIO-OP ^
AILS CLOSED VALVES FAIL 10 GLOBE VALVE GLOBE VALVE
lOPEN ON OEMANO V03IA EL. R V030A FO
TTOIAFC II J lsw03IAELR j lsvV030AFO

0 __tfl 0 0
&H.ENOIO-OP "\ (SOLENOID-OP ">
CLOSE VALVE CLOSE VALVE
V030A FIO V031A FIO

0 0
ÍSVV030AFTO J ISVV031AFTO j

295
 PASSIVE HEAT REMOVAL SYSTEM WITH INJECTOR-CONDENSER

K.I. SOPLENKOV
Ail-Russian Institute of Nuclear XA9743176
Power Plant Operation,
Electrogorsk Research and Engineering Centre of
Nuclear Power Safety,
Russian Federation

Abstract
The system described in this paper is a passive system for decay heat removal from VVERs.
It operates off the secondary side of the steam generators (SG). Steam is taken from the SG
to operate a passive injector pump which causes secondary fluid to be pumped through a heat
exchanger. Variants pass either water or steam from the SG through the heat exchanger.
There is a passive initiation scheme. The programme for experimental and theoretical
validation of the system is described.

Description of PHRS-IC

The All-Russian Scientific Research Institute for Nuclear Power Plant (NPP) operation
(VNIIAES) has developed a System for Passive Heat Removal using an Injector-Condenser
(PHRS-IC). The principle PHRS-IC scheme for NPP steam generator (SG) heat removal are
shown in fig.l. The main components of the PHRS-IC are: 1 - the steam generator to be
cooled (SG); 2 -injector-condenser (1C); 3 - heat exchanger of evaporating type; 4 - check
valve; 5 - start-up valve; 6 - start-up tank.

Scheme "steam —steam" (s-s) Scheme "steam-iiquid" (s-1)

Í- Steam Generator 2- Injecter-Condenser 3- Heat Exchanger

4- Check Valve 5- Start-up Valve 6- Start-up Tank

Fig. 1.

297
The arrangement "Steam-steam" (S-S) is different from the scheme "Steam-liquid" - (S-L)
in the way the coolant is supplied into the heat exchanger (3).

The PHRS-IC works in the following wayrcoolant from the SG (1) enters the 1C (2) and the
evaporating heat exchanger (3). The cooled condénsate from heat exchanger (3) is directed
to the 1C mixing chamber (2). After the diffuser, the water (the pressure of which is higher
than that in SG) is directed into the SG (1) through the check valve (4).

The PHRS-IC start-up. Initially the start-up valve (5) is closed, and the pressure in the
start-up tank is much less than that in the circuit. If an emergency situation occurs the
start-up valve (5) is opened in a passive way and the coolant begins to enter the start-up tank
coming through the 1C. The pressure in the start-up tank increases and at some moment in
time becomes higher than that in the SG (1). The check valve (4) opens and the PHRS-IC
begins to operate.

Experimental facility

The PHRS-IC intended for heat removal from the heat generating source was developed and
tested on the experimental facility of the Electrogorsk Research and Engineering Centre of
Nuclear Plant Safety (EREC). The general view of the facility and relative elevations of the
main components are presented in fig. 2:

1) Supply tank.

The total height of the Supply tank is 5.3 m, its volume is 0.5 m3. There is a system for
steam supply and removal of liquid and steam (not shown in fig. 2) which allows simulation
of the different emergency situations (for example, in the SG). The pressure, temperature and
water level are measured in the Supply tank. The maximum design pressure and temperature
are up to 10 MPa and 315°C respectively.

Fig. 2.

298
2) Injector condenser.

The typical 1C for PHRS-IC and thermal-physical processes experiment is presented in Fig.2.
The injector allows removal of 3.5 - 4 MWt of power from the heat source.

3) Heat exchanger.

The heat exchanger is: 5 m - height and 0.53 m - diameter. There are two pipe coils
enclosed in the vessel. The length of each piping is 80 m. The total heat exchange area is
21 m2. If the forced water supply is directed to the secondary cooling loop then it is possible
to remove 4-6 MWt of heat power.

4) Check valve

It is a typical check valve, located between the 1C and the supply tank.

5) Start-up valve.

An air-driven valve is installed on the start-up line. Its actuation time is 0.7 - 0.9 s.

6) Start-up tank.

The start up tank is 1.5 m height and 0.426 m in diameter. The allowed pressure is 10
MPa, and the maximum temperature is 315°C.

Measurement system.

The facility allows measurement of pressures, temperatures, pressure differences and water
levels. The measurement in non-stationary conditions is made using the conventional primary
transducers typical for thermal-physical experiments. The pressure transducers are installed
in the facility to measure the fast processes in the 1C and the start-up tank during start-up.

The measurement and data collection system is based on the bases of a personal
computer IBM PC/AT. Standard "CAMAC" hardware is used as means of communication
with the experimental set-up. The system provides for the collection, storing and displaying
of the data from pressure and temperature probes. The frequency of channel measurement
is 2 Hz and for fast processes is 2 kHz.

Experimental results

The "steam-liquid" scheme was tested on the experimental facility (fig.2) with the
injector, a photo of which is presented in the same figure. Results are presented in figures
3-5. The following designations have been used:

Psg - pressure in SG;

Pc - pressure in the cold leg upstream of the 1C;
dPp - pressure drop on the 1C;
Pp - pressure downstream from the 1C; Pn - pressure at nozzle outlet;
Pmch - pressure in the 1C mixing chamber;
Tjg - temperature in the 1C;
Tc - temperature of the "cold" water upstream of the 1C;

299
 Tp - temperature of the coolant downstream from the SG;
G0 - mass flow rate of the steam passing through the nozzle;
Gc - mass flow rate of the "cold" water;
Gp - mass flow rate of the water downstream from the 1C.

The experimental results of the PHRS-IC start-up and definition of the maximum
pressure drops on the 1C are presented in fig.3. After start-up valve 5 opens - (fig.2) there
is a drop of pressure, Pp, Pn, and P,,^ (fig.3) and mass flow of the steam and "cold" water
are established through the 1C. It can be considered that the 1C is put into operation if the
pressures Pn and P^ correspond to the saturation pressure at the temperature in the mixing
chamber. It can also be seen that the injector start-up time is very short (3-5 s). The
start-up of the system (dPp > 0) occurs later and depends on the volume of the start-up tank
6 (fig.2). After the filling of the tank 6, the pressure downstream from the 1C becomes
higher than that in the SG and this leads to the opening of the valve 4. This is one way of
starting up the PHRS-IC. It should be noted once more that heat removal from the SG
begins just after the
valve 5 opens and it is strongest at that time.

The hydraulic resistance downstream from the 1C suddenly increases during the
experiment when the time is equal « 200s, « 400s, and « 600s (fig.3). The system works
in a stable way and the pressure in the mixing chamber does not change. The maximum
pressure drop in the 1C was slightly higher than 2 MPa.

Behaviour of the PHRS-IC parameters is shown in fig.4 for the conditions of

step-by-step pressure reduction in the SG. It could be seen that the system works in a stable
way in the range of pressures 1-7 MPa.

In fig.5, where during the first 400s the pressure in the SG was increased from 4.6
MPa up to 6.8 MPa and then it was reduced in a monotone way to 2 MPa, the system
operated in a stable way. The changing of the pressures Pn and P,,^ is caused by the fact that
temperature of the "cold" water Tc was changed during the experiment.

The series of experiments have showed us that PHRS-IC has the following
characteristics:

Passive operations. Steam energy resulting from residual heat generation is used for
coolant circulation in the circuit;
Simplicity of passive start-up and possibility of renewed manual start-ups;
Minimal time interval between the accident and beginning of heat removal;
Stable functioning in non-stationary conditions within the wide range of SG changing
parameters;
Stability of the system to strong external disturbances (e.g., safety relief valve
operation);
the possibility of automatic or manual PHRS-IC power control in order to -ensure
heat removal.

Mathematical modeling of PHRS-IC

Mathematical models at different levels of detail have been developed for the
description of the dynamic processes in the PHRS-IC.

300
 /
8 _. 1
.... . . . on
1

/
2.1
S
o .1 ----''*" / E
S d-J. / \ I Q_

1 '
1.4 'D

*•'
! ^ h
2- 0.7
3 I

0 200 4CO 600 300 800

t.s

1 - P.9 . 2 - Pc , 3 - dPp PB . 2 - Pnc, 3 - Pp. 4 - Pmch

4.00
1
x

300 t
200-
o
j
i ___^^-^'
200 •
j
h-' "^"
100-
_^^
100 -
f
^————"
27

0- —— — ———— — - 000
0 200 40 C 6C 0 8C0 . 200 400 600 800
t.s t.s
1
1 _T
' 19 •
9
¿
T
'ei
•J* _ T
'p 1 - Ge . 2 - Gp . 3 - Go

Fig. 3.
 8.0 0 4

6.0 03

o
I 4.0 ! 0.2

2.0 /v 0 1

00 0.0
0 500 1000 1500 2000
t,s
1 - ?,, . 2 - Pc . 3 - dPp . 1 - PS9. 2 - P.«,. 3 - Pn

300-
-N.

y - ~^-s
225-
——————^ -

o
^7
2 — ~^--^_
•o ^^
^ ——

/
75-

0- 0.0 -l
r) 5'.ÎO 10 00 15 CO 20 00.
t, i
1 - T,s . 2 - T. . 3 - Te 1 - 2 - GO , 3 - Gc

Fig. 4.
 80 -r- 0.4 7.5

60
03

o
45
Q_
I 0.2 I 2
0.' C.'
•o 3.0
2

20 - i

Í
01
1.5 -f

0.0 -I
5CO 1000 1500 2000 1000 1500 2000
t.s t,s
- P,g . 2 - P« . 3 - dPp — P
' mchi "^
^ — P
' n

300 T 3.0

20

"31
OC

1.0

0.0 -«•
2000

2 - Go

u>
o
Integral model ("black-box").

It was determined that flow through PHRS, heat removed and other parameters depend
mainly upon the pressure in the SG under condition that the water temperature in the pool
is about 100°C. The model is valid under the conditions that t > t*, t^ - transport time in
the loop.

Model with distributed parameters.

This model carries out the usual calculations of the loop in which the new element 1C is
introduced. The 1C is described in the steady state conditions on the basis of the parameters
upstream of the 1C, the model determines the parameters downstream of the 1C.

Modeling of "rapid" processes in the PHRS loop is intended to analyze transient phase of
filling tank, etc.

The first two models are used in the code TRAC-PF1/MOD2 for the simulation of
accident situations at the NPP with the PHRS-IC.

utilization of PHRS-IC for the WER-440 NPP

The VNIIAES, EREC, GIDROPRESS and AEP Institutes have developed the
technical requirements for PHRS 1C the VVER-440 NPP, where it was shown, that:

the system is compact and it could be easily incorporated into existing equipment;
one can use the existing technology of the HE, piping, valves etc;
the cost of the PHRS-IC is much lower than other safety systems having the same
functions.

Calculations of the "station blackout" accidents for the WER-440 have been
conducted using the Code TRAC-PFl/Mod2. They showed that it is enough to have one
PHRS-IC with power of 10 MWt in order to remove heat from one SG.
The behaviour of parameters in the steam generators of the WER-440 NPP is shown
in fig.6 when 4 PHRS-IC are put into operation. The pressure in the primary circuit dropped
to 4 MPa after 4 x 104 s (11.1 hours).

The behavior of parameters when 2 PHrS-IC are put into operation is shown in fig.7.
After 10*s (2.8 hours) the system achieves a quasi-stationary regime when residual heat
generation is equal to heat removal by the PHRS-IC.

The special project has been developed in EREC for testing the full-scale PHRS-IC
for the VVER-440 NPP with a power of 10 MWt. A general view of this facility is presented
in fig.8.

304
 Temperatures in the loops
Prcssunze- pressure Moss flow in 'oops
P. M=o T. K . kg/s
575 300-r

550 -

200-
525 -

500

475 -

Time. 9
O.o 450 ————r

0 IOOCO 20000 30COO '.3000 50000 O 10COO 2000C 30000 40020 50000 0 10000 20000 30000 40000
I - SG without PHRS: 2 - SG w.'ih PHRS; 1 - SG without PHRS; 2 - SC with PHRS;
3 - hot line;

Pressure in the SG's Water level in the SG Water level in the pressunzer
P, MPo Level, m
2.0 T 5.0 T

4.0 -

1 5 -
3.0 -

2.0 T
1.0 -

1.0 -

D.5 0.0
0 10000 20000 30000 ¿0000 50000 0 10000.20000 30000 40COO 50000 O 10000 20000 30000 40000 50000
1 - SG «ithoul PMRS; 2 - SG with PHRS: I - SG withou! PHRS; ?. - SC with PHR3;

Mg. 6. WER-440 BLACK OUT, 2 PHHS-IC-10 MWt

 Temperatures in th'j loops
Press urne' pressure iVoss flow in loops
P. Y G. 1-Ç/3
70-r
I I

60-

520
2030 -1000 eOOO BOOO 1QOOO 0 200C 4000 6000 80CO 10000 O 2COO 4000 6000 8000 10000
1 - SC without PHFS; 2 - 5 3 with PURS; 1 - SG without FHRS; 2 - SG wilh PHRS:
i - hot line;

Water level in the SG Water level in the pressurizer

Level, m
5.0 -i

Í.5 -

4.0 -

4.0 -
Vj 3.5 -

3.0 -
3.6 -

Time, s Time. s
3.2 - 1.2 2.5 71- -1
C 2COO 40CO 6000 8000 ÎOOOO 0 2000 40CC 6000 SOCO 10COO 2000 4000 6000 8000 10000
t - SC *ithoul PHRS: 2 - SC »i'.li PHR3;

Mg. 7. WER BLACK OUT 4 PHRS-IC-10 MWt

 SUrt-up-Unk
Steam generator^
naporcHepaTop

He at—exchanger
TSn/lOOOMeKHHK

CnOT-10 M3T

Fig. 8.

Usage of PHRS-IC

The PHRS-IC is a perspective safety system for the new generation of NPPs, since
it solves the heat removal problem for various accident scenarios.

307
 APPENDIX I

ADDITIONAL PAPERS ON PASSIVE SAFETY

 PASSIVE SAFETY SYSTEMS FOR INTEGRAL REACTORS XA9743177

V.S. KUUL, O.B. SAMODLOV

OKB Mechanical Engineering,
Russian Federation

Abstract

In this paper, a wide range of passive safety systems intended for use on integral
reactors is considered. The operation of these systems relies on natural processes and does
not require external power supplies. Using these systems, there is the possibility of
preventing serious consequences for all classes of accidents including reactivity, loss-of-
coolant and loss of heat sink as well as severe accidents.

Enhancement of safety system reliability has been achieved through the use of self-
actuating devices, capable of providing passive initiation of protective and isolation systems,
which respond immediately to variations in the physical parameters of the fluid in the reactor
or in a guard vessel. For beyond design base accidents accompanied by complete loss of
heat removal capability, autonomous self-actuated ERHR trains have been proposed. These
trains are completely independent of the secondary loops and need no action to isolate them
from the steam turbine plant.

Passive safety principles have been consistently implemented in AST-500, ATETS-200

and VPBER 600 which are new generation NPPs developed by OKBM. Their main
characteristic is enhanced stability over a wide range of internal and external emergency
initiators.

1. INTRODUCTION

The design of reactor plants with enhanced safety for the new generation of NPPs is
one of the most important problems for the nuclear industry.

The solution of this problem is based principally on the design of reactors with
inherent safety properties and deployment of passive safety systems. The basis of improved
reactor plant designs developed in OKBM is the integral PWR characterized by simplicity
and compactness of the primary circuit. Retaining all positive self-protection properties of
PWRs, the integral reactor allows provision of further improvement in safety. This includes
protection against the class of accidents most critical for PWRs, namely primary circuit
loss-of-integrity. This protection has been established by exclusion of accidents with large
and medium leaks. The large water inventory above the core provides a long time margin
before core uncovery in accidents with primary pipeline breakage.

Decrease of the neutron fluence to the reactor vessel extends the useful life-time of
the Reactor Pressure Vessel (RPV) to 60 years of operation. The integral design also
eliminates the damaging influence of cold coolant on the reactor vessel during operation of
powerful ECCS. Together with the inherent safety characteristics of the integral reactor,
safety enhancement is achieved by passive safety systems, operating on the basis of natural
processes without external power supply, and utilization of self-actuated devices to initiate
them. Passive safety is applied for all kinds of accidents including accidents with positive

311
reactivity insertion, accidents with loss of heat removal from the reactor, and accidents with
primary circuit loss-of-integrity. A plant design with enhanced, perhaps maximised, safety
was successfully implemented in the AST-500 nuclear district heating plant. Subsequently,
the main critical design solutions for AST-500 safety, such as the integral design of the
reactor and the various passive safety systems became the basis for the design of several
other plants developed with natural and forced coolant circulation (e.g. ATETS-200,
VPBER-600, etc.).

2. SYSTEMS FOR REACTOR EMERGENCY SHUTDOWN

2.1. A characteristic feature of the reactors developed by OBKM is the application of a

highly effective mechanical system for reactivity control. This has been achieved by
installation of control rod/assemblies in almost all the fuel assemblies of the core
(Fig. 1). Reactor shutdown is performed by emergency protection signals leading to
the dropping of control assemblies into the core following drive deenergization. In
this case the reactor is transferred to a subcritical state with a reserve to allow for
some control rod drive assemblies remaining stuck in a withdrawn position without
the need for injection of boron solution. Residual Heat Removal Systems (RHRS) are
also provided to bring the reactor system to a cold shutdown condition.

- control rod group

- individual control rod

T J - fuel assembly without control rod

Rg. 1.
VPBER-600 Control Rods Layout

312
2.2. Together with automatic systems, self-actuated devices are used for deenergization
of a sufficient number of Control Rod Drive Mechanisms (CRDM) to provide
emergency protection. This actuation system is independent of the automatic system
circuits; it responds to a pressure rise in the reactor or guard vessel (Fig.2).

Two types of pressure actuated power breakers (PAPB) are being developed: a PAPB
built in as an integral part of the CRDM or a remote PAPB built into the reactor cover. The
latter may deenergize a single CRDM or a group of CRDMs.

2.3. A passive system of boron emergency injection is intended for complete scram of the
reactor core and maintaining it in a subcritical state in the case of the mechanical
system malfunctioning (Fig.2). System actuation is performed by opening
pneumatically operated valves on the pipelines connecting the boron solution tank and
the reactor pressure vessel, or by a rupture disk actuated directly by a rise in the
primary circuit pressure. Boron solution is supplied to the reactor by gravity due to
the elevation of the boron solution tank above the reactor, once the pressures in the
reactor and in the tank have been equalised.(Fig.2).

3. EMERGENCY HEAT REMOVAL SYSTEM

3.1. The AST-500 (AST-500M) emergency heat removal system will use the main heat
exchanger loops for heat removal. Heat is removed in a three circuit scheme by
natural coolant circulation and evaporation of water from designated tanks (Fig.3).

1 - Reactor CSS - control rod controling system

2 - CSS CRDM NFIS - neutron flux instrumentation set
3 - Control and safety system (CSS) TEPS - technological equipment protection set
4 - Direct-acting device EPP - emergency protection panel
5 - Passive channel for liquid boron injection MCP - main control panel
6 - Active channel for liquid boron injection SCP - standby control panel

fig. 2.
Reactivity Control Means

313
 An air heat exchanger is provided on one of the channels side by side with the water
tanks. This ensures an unlimited period for residual heat removal without the need
for power supply or water make-up (Fig.4).

When an accident occurs, the system is initiated by valves actuated by signals from
the automatic control system or by direct reactor parameter effects (pressure, level).

1. Reactor
2. Emergency decay heat
removal HX
3. Valve
4. Secondary circuit loop

Fig. 3

Emergency decay heat removal channel switched to the secondary

circuit valves

1 - ERHR heat exchanger

2 - Heat exchanger's water storage tank
3 - Cooling tower

Fig.4

Emergency decay heat removal channel connected

to the secondary circuit

314
3.2. In the ATETS-200 power reactor, heat is removed through the steam generator by
natural circulation of coolant following secondary loop isolation from the
steam-turbine plant. Secondary water circulates through the SGs and the RHR heat
exchanger located in a water storage tank.

3.3. To exclude failure of heat removal capability in AST-500, a continuously operating

heat removal system with an auxiliary heat exchanger situated in parallel with the
main cooling heat exchanger is proposed. In this case the heat drawn by the auxiliary
heat exchanger is used for the district heating network (Fig. 5).

3.4. Owing to the considerable water inventory in the AST-500 plant intermediate circuit,
evaporation of intermediate circuit water through a relief valve (Fig.6) can be
considered as an auxiliary system of emergency heat removal during beyond design
base accidents.

1. Reactor
2. ERHR heat exchanger
3. Heat exchanger
4. Secondary circuit loop
5. Orificing devices
Fig. 5
Emergency decay heat removal channel permanently connected
to the secondary circuit

1. Reactor
2. Secondary circuit pressurizer
3. Pilot operated relief valve
4. Secondary circuit loop

Fig.6
Emergency decay heat removal channel via the pilot operated relief valve in
the secondary circuit

315
3.5. A passive emergency heat removal system considered for installation in VPBER-600,
is independence of the secondary circuit and requires no isolation from the steam
turbine plant. For this purpose, special emergency cooling heat exchangers are
arranged above the SG level but below the primary water level (Fig.7). Heat is
removed through an intermediate circuit by natural coolant circulation (Fig.8).
Another continuous passive heat removal system is also being considered. In this
case the heat drawn from the primary circuit by the emergency heat removal channel
is used for heating the secondary circuit feed water (Fig.8).

3.6. An independent passive cooling system intended for beyond design accidents with
complete loss of normal reactor heat removal capability is being considered for some
integral reactors designs. A condenser-heat exchanger is arranged above the RPV
head. Primary circuit heat is transferred through a double wall condenser-heat
exchanger by natural circulation to a water inventory tank and removed to the
atmosphere (Fig.9). The channel is self-actuated in response to primary pressure
increase via a rupture disk.

from condénsate
pump^

from water treat-

ment system

1 Main circulating pump 9. Guard vessel

2. Reactor 10. Containment
3. Steam generator 11. Heat exchangers unit
4. Heat exchanger - condenser 12. Emergency boron injection system
5. Continuous heat removal system 13. Tank with boron solution
6. Self-actuating devices 14. Passive heat removal system
(direct action) 15. Coolant clean-up and boron
7. Intermediate heat exchanger reactivity control system
8. CRDM 16. Primary circuit makeup system

Fig.7

VPBER-600 reactor plant flow diagram

316
 Feed water heating up

Continuous heat Passive heat

removal system removal system
(CHRS) (PHRS)

Fig. 8
Emergency residual heat removal system

1. Reactor
2. Decay heat removal
condenser
3. Water storage tank

Fig. 9

Self-actuated ERHR channel on the reactor

317
4. ISOLATION SYSTEMS

4.1. Integral reactor compactness allows to locate the reactor in a strong-leaktight guard
vessel (GV). The guard vessel is a passive protective and isolating device, ensuring
safety in the case of primary pipeline rupture or reactor vessel loss-of-integrity
(fig. 10). Its design pressure is that expected to occur following a primary circuit
loss-of-integrity. The GV prevents core uncovery and provides core cooling. It also
provides for confinement of radioactive products. There is no need for active water
injection systems for core cooling in emergency situations when a guard vessel is
used, because the reactor core is kept covered by water.

The guard vessel performs an important function during severe accidents. When
postulating complete core melting, corium confinement in the reactor vessel is provided by
the guard vessel. Along with the integral reactor feature of decreased thermal load on the
vessel, the presence of water in the guard vessel during primary circuit loss-of-integrity
accidents ensures, from the very outset of the accident, external cooling of the reactor vessel.
High efficiency of heat removal due to the relatively high pressure in a guard vessel is an
important factor in mitigating the consequences of the accident.

4.2. For the three-circuit heat transfer scheme in AST-500, the intermediate circuit
functions as a passive protection and isolation system ensuring retention of primary
circuit radioactive product.

Guard vessel

Reactor

Reactor core

Fig.10
AST-500 Reactor

318
4.3. In the VPBER-600 reactor plant double isolation valves designed for primary circuit
pressure are built in to each loop. One group of valves is activated by a signal from
the automatic control system, the other one is actuated either by a signal from the
automatic control system or passively as a result of low coolant level in the RPV.

5. MAIN FEATURES OF PASSIVE SAFETY SYSTEMS

The wide spectrum of passive safety systems presented in this paper allows their
common main features and advantages to be identified.

The operation of passive safety systems relays on natural processes and does
not require supply of external energy. This ensures the reliability of the
safety system in the condition of a station blackout for a long or unlimited
time;
Failure-free operation of passive systems relaxes the need for system
redundancy, provides for simplification, and enhances the economics;
An important benefit in the use of some passive systems is the possibility of
checking during operation their efficiency and conformity to design
performance requirements;
Enhancement of system reliability is achieved by use of self-actuating devices
leading to reliable operation of protective and isolation safety systems
following any change in the reactor physical parameters;
Use of passive safety systems gives effective protection against erroneous
actions or personnel non-action and creates an additional protective barrier
against sabotage;
Specially designed passive systems or devices for prevention of failure of
emergency reactor shutdown, prevention of over-pressurization of the reactor
in the event of loss of all means for heat removal, and the ensured cooling
of the reactor vessel from the outside practically excludes damaging severe
accidents.

6. CONCLUSION

The safety concept of integral PWRs using natural or forced circulation of coolant
(e.g. AST-500, ATETS-200 and VPBER-600 type) developed by OKBM for power plants
of the new generation is based on the wide use of multi-purpose passive safety systems. This
concept ensures, in principle, a higher level of safety, enhanced techno-économie indices and
stability of nuclear power units in the case of severe accidents.

MEXT PAGE(S)
left
319
 CANDU SAFETY UNDER SEVERE ACCIDENTS XA9743178

V.G. SNELL
Atomic Energy of Canada Limited

S. ALIKHAN
New Brunswick Electric Power Commission

GM. FRESCURA
Ontario Hydro

J.Q. HOWIESON
Atomic Energy of Canada Limited

F. KING
Ontario Hydro

IT. ROGERS
Carleton University, Ottawa

H. TAMM
Atomic Energy of Canada Limited,
Whiteshell Research Laboratory

Canada

Abstract

The characteristics of the CANDU reactor relevant to severe accidents are set first
by the inherent properties of the design, and second by the Canadian safety/licensing approach.
The pressure-tube concept allows the separate, low-pressure, heavy-water
moderator to act as a backup heat sink even if there is no water in the fuel channels. Should this
also fail, the calandria shell itself can contain the debris, with heat being transferred to the
water-filled shield tank around the core. Should the severe core damage sequence progress
further, the shield tank and the concrete reactor vault significantly delay the challenge to
containment. Furthermore, should core melt lead to containment overpressure, the containment
behaviour is such that leaks through the concrete containment wall reduce the possibility of
catastrophic structural failure.
The Canadian licensing philosophy requires that each accident, together with
failure of each safety system in turn, be assessed (and specified dose limits met) as part of the
design and licensing basis. In response, designers have provided CANDUs with two
independent dedicated shutdown systems, and the likelihood of Anticipated Transients Without
Scram is negligible.
Probabilistic safety assessment studies have been performed on operating
CANDU plants, and on the 4 x 880 MW(e) Darlington station now under construction;
furthermore a scoping risk assessment has been done for a CANDU 600 plant. They indicate
that the summed severe core damage frequency is of the order of 5 x lO^/year.
CANDU nuclear plant designers and owner/operators share information and
operational experience nationally and internationally through the CANDU Owners' Group

321
(COG). The research program generally emphasizes the unique aspects of the CANDU concept,
such as heat removal through the moderator, but it has also contributed significantly to areas
generic to most power reactors such as hydrogen combustion, containment failure modes, fission
product chemistry, and high temperature fuel behaviour.
Abnormal plant operating procedures are aimed at first using event-specific
emergency operating procedures, in cases where the event can be diagnosed. If this is not
possible, generic procedures are followed to control Critical Safety Parameters and manage the
accident. Similarly, the on-site contingency plans include a generic plan covering overall plant
response strategy, and a specific plan covering each category of contingency.

1. NATIONAL CONTEXT

1.1 STRUCTURE OF THE CANADIAN NUCLEAR INDUSTRY

The CANDU nuclear power concept was realized in 1962 with the first operation
of the Nuclear Power Demonstration (NPD)" prototype, a co-operative venture between the
designer, Atomic Energy x>f Canada Limited (a federal government Crown Corporation), and the
operator, Ontario Hydro (a provincial government utility). Now there are twenty seven
operating CANDU reactors worldwide, with eleven more under construction in Canada,
Romania, and India. Ontario Hydro owns and operates 18 Canadian reactors (with two under
construction), and now performs both plant design and safety assessment. Two more Canadian
provincial utilities own and operate CANDUs - Hydro Québec and the New Brunswick Electric
Power Commission. Atomic Energy of Canada Limited (AECL) has evolved into a number of
related companies, including a design company, AECL-CANDU, and a Research Company
(AECL-Research) which performs both fundamental and applied research in support of the
CANDU concept.
All of these organizations, plus owners of CANDU plants in Korea and
Argentina, coordinate their needs and exchange information through the CANDU Owners'
Group, or COG. The safety analysis to support the CANDU is performed both at the
owner/utility and at AECL-CANDU.
Nuclear power is regulated in Canada by a federal government agency, the
Atomic Energy Control Board (AECB). Each provincial government has the responsibility for
offsite emergency planning within its borders.

1.2 DEFINITION OF A SEVERE ACCIDENT

^ severe accident is defined as one in which the fuel heat is not removed by the
coolant in the primary heat transport system (PHTS). In most other reactor designs, this is
equivalent to a core melt, and indeed severe core damage (defined as loss of core structural
integrity) is one end of the spectrum in CANDU. However the inherent characteristics of
CANDU provide a broad spectrum of scenarios where, even if primary and emergency cooling
are lost, the fuel does not melt.

1.3 REPORT OUTLINE

The characteristics of the CANDU reactor relevant to severe accidents are set
first, by the inherent properties of the design, and second, by the Canadian safety/licensing
approach. For a basic introduction to the safety approach, see [Snell, 1985].
In Section 2, the evolution of the licensing approach is described, and in Section
3, the design aspects related to severe accidents are summarized. The characteristics of severe
accidents themselves, in terms of frequencies and consequences, are summarized in Section 4.

322
The Canadian research programme which supports the conclusions reached in severe accident
analysis is presented in Section 5. The operating philosophy and procedures relevant to
arresting and mitigating severe accidents are described in Section 6.
Hereafter the features of a "typical" CANDU reactor are described. Most of the
conclusions reached are generic.
This report is a more detailed version of an invited paper presented at "The
International Symposium on Severe Accidents in Nuclear Power Plants", in Sorrento, Italy,
March 21-25, 1988 [Snell, 1988].

2. CANADIAN SAFETY AND LICENSING APPROACH

2.1 EARLY PROBABILISTIC DEVELOPMENTS

The safety/licensing approach in Canada has had a probabilistic component going
as far back as the 1950s (see [Snell, 1986] for a; review). The accident which damaged the NRX
research reactor at Chalk River, Ontario, in 1952, was caused by a failure of a normal process
system (a process system is defined as any system required for the normal operation of the plant)
and a partial failure of the protective system (shutdown) designed to protect against the fault
([Lewis, 1953], [Hurst, 1953]). This spurred an early interest in the frequency of accidents, and
in the reliability and independence of the protective systems. These ideas led [Siddall, 1959] to
definition of frequency targets for failures of the process systems, and reliability targets for the
protective systems, which had to be demonstrated in practice.
A severe accident could only result if a process system failed and the appropriate
protective system was simultaneously unavailable. With the systems sufficiently independent,
the frequency of a severe accident could be made acceptably low. This philosophy of
separation of process and safety systems, and verifiable reliability targets for each, became the
hallmark of Canadian safety and licensing [Laurence, 1961].
These ideas were expanded with Canada's first power reactors - the 25 MW(e)
Nuclear Power Demonstration reactor and the 208 MW(e) Douglas Point prototype. A safety
goal was defined for risk of death to any member of the public. This goal was used to establish
the reliability requirements for the process systems, the shutdown systems, the emergency
coolant injection system, and containment (the latter three were later called the special safety
systems). The possible combinations of process failures with or without safety system action
formed an accident matrix which included a number of severe accidents; these were analyzed
with the tools of the day as part of the licensing submission.

2.2 SINGLE/DUAL FAILURE MATRIX

With the construction of the four-unit Pickering-A nuclear generating station
near Toronto, the AECB licensing guidelines, while retaining a probabilistic component, became
more deterministic. All currently operating plants up to Darlington have been since licensed
under these rules [Hurst, 1972]. The spectrum of possible accidents is divided into two broad
categories - single failures, or the failure of a process system which requires the intervention of
one or more of the special safety systems; and dual failures, a much less likely event defined as
a single failure coupled with the assumed unavailability of one of the special safety systems.
(The single failure is an assumed system failure and is not related to the same term used
elsewhere to describe a random component failure additional to the initiating event.) For each
class, designers had to demonstrate that specified frequency and consequence targets were met
(Table 2.1). For example, the spectrum of dual failures included loss-of-coolant plus failure of
the emergency coolant injection system, and loss-of-coolant plus failure of containment
ventilation to isolate. For each of these, the maximum individual whole-body dose to the

323
critical individual at the site boundary had to be demonstrated to be less than 0.25 Sv, and the
maximum collective dose in the surrounding population had to be shown to be less than 104
person-Sv, under pessimistic atmospheric dispersion conditions. There were additional
limitations on thyroid dose, as shown in Table 2.1. The frequency targets are not expected
frequencies - they were chosen large enough that compliance could be demonstrated (from
direct observation of single failure frequency, and from safety system reliability in periodic
testing) in a few years of actual station operation.

TABLE 2.1 - DOSE/FREQUENCY GUIDELINES

ACCIDENT MAXIMUM FREQUENCY INDIVIDUAL POPULATION

DOSE LIMIT DOSE LIMIT
Single 1 per 3 years 0.005 Sv wb 102 person-Sv
Failure 0.03 Sv thy 102 thy-Sv
Dual 1 per 3000 years 0.25 Sv wb 104 person-Sv
Failure 2.5 Svthy 104 thy-Sv

Note: wb=whole body; thy=thyroid.

The special safety systems are designed and operated to:

1) demonstrate during operation, by test, a dormant unavailability no greater than 10~3, or about
eight hours per year;
2) be physically and functionally separated from the normal process systems and from one
another. For example each shutdown system has its own detectors, amplifiers, logic relays,
and actuating mechanisms, which cannot be shared with either the other shutdown system,
the other special safety systems, or the reactor control system; which are of generally diverse
design and manufacture; and which where practical are located in physically separated areas
of the plant. During the design a stringent peer review, design review and QA programme
is applied to ensure, among other things, that separation standards are met.

23 THE C~6 FIVE-CLASS APPROACH

• The latest CANDU in Canada, the 4 x 880 MW(e) Darlington Nuclear
Generating Station, was licensed using the approach described in AECB document C-6 [AECB,
1980]. C-6 retains the deterministic elements of its predecessor, the single/dual failure matrix,
but recognizes that describing the spectrum of accidents by only two classes is too limiting: the
number has been expanded to five, with consequence targets set for each class, and accidents
assigned to classes implicitly according to frequency.
C~6 represents another step in the continuous tradition, in the licensing approach
in Canada, of designing for a number of classes of severe accidents, and limiting their predicted
consequences.

2.4 2.4 TWO-GROUP PHILOSOPHY

For common-cause events such as earthquakes, fires, and missiles, Canada has
developed the two-group approach. All important systems in the plant are divided into two
spatially separated and independent groups, either of which can, by itself, shut the plant down,
remove decay heat, and monitor the plant safety-status. Physical protection or environmental

324
qualification is provided so that at least one group will be available when required - e.g., a
protected secondary control area is provided in case the main control area becomes uninhabitable
due to an earthquake or fire. This approach reduces the chance of severe core damage due to
common-cause initiators.

3. DESIGN ASPECTS RELATED TO SEVERE CORE DAMAGE

3.1 THE CANDU CONCEPT
The CANDU is a natural uranium fuelled, heavy water moderated, heavy
water cooled reactor. The pressure-boundary in the core consists of several hundred 10 cm.
diameter pressure tubes, each containing twelve or thirteen short (0.5m) fuel bundles.
Surrounding each 0.44 cm. thick pressure tube (Fig. 3.1) is a 0.14 cm. thick calandria tube;
between the calandria tube and the pressure tube is an insulating gas-filled gap, which reduces
normal heat loss to the moderator.
3.2 PRESSURE TUBES AS PRESSURE BOUNDARY
All the reactivity devices (control rods, shutoff rods) penetrate the moderator but
not the coolant pressure boundary, and so, with one exception, are not subject to hydraulic forces
from a loss-of-coolant accident (LOCA). The exception is a channel failure, which is a small
break LOCA. The calandria tube may or may not contain the pressure tube rupture, but no
credit is taken for this in the design, and relief pipes, sized for channel failure, are provided to
protect the calandria vessel (which contains the moderator) from overptessure. It has also been
shown ([Ross-Ross, 1963], [Muzumdar, 1987]) that a channel failure will not propagate to other
pressure tubes, nor will it damage more than the neighbouring few shutoff rod guide tubes. The
shutoff rod shutdown system is therefore provided with enough redundant mechanisms (typically
28) to remain effective without credit for the rods with possibly damaged guide tubes, nor for the
most effective rod among those with undamaged guide tubes.
3.3 DECAY HEAT REMOVAL
There are a number of emergency heat sinks for decay heat from the fuel, which
can prevent or mitigate a severe accident.
33.1 Shutdown Cooling System
A shutdown cooling system is provided in all CANDUs for normal decay heat
removal (as an alternative to the boilers) and for cooldown below 100C. It can operate at full
heat transport system temperature and pressure, and can therefore be used as an emergency heat
sink from hot, shutdown, full-pressure conditions, should the boilers be unavailable.
33.2 Emergency Water System
Most CANDUs also have an Emergency Water System (EWS), seismically
qualified to remove heat after a Design Basis Earthquake. It provides a supply of water to the
boilers independent of the normal and auxiliary feedwater. Since it is sized to remove decay
heat shortly after shutdown, it can also be used as an emergency heat sink should normal and
auxiliary feedwater, and the shutdown cooling system, all be unavailable.
33.3 Emergency Coolant Injection
As in all water-cooled reactors, an emergency coolant injection system refills the
fuel channels following a loss-of-coolant accident. To ensure that injection for small breaks is
not blocked by high Primary Heat Transport System pressure, the main steam safety valves on
the main steam lines are opened on a loss-of-coolant signal. These are sized to cool down the
boiler secondary side, thereby depressurizing the PUTS. Emergency coolant injection thereafter
is conventional recovery of water from the reactor building sump, and re-injection.

325
3.3.4 Moderator
In normal operation, about 5% of the thermal energy produced by the fuel is
deposited into the moderator, by radiation and direct nuclear heating and, to a much Smaller
extent, by conduction through the insulating gas gap of the pressure—tube/calandria-tube
assembly. This heat is removed by a moderator cooling system, consisting of pumps and heat
exchangers. In a severe loss-of-coolant accident, the same system will remove decay heat from
the fuel channels, even if they contain no coolant at all. Fuel would be severely damaged, but
would not melt, and the channel would remain intact and contain the debris. This capability has
been verified by full-diameter channel tests at the Whiteshell Research Laboratory, as described
in Section 5. The moderator is thus a distributed low-pressure emergency heat sink surrounding
each fuel channel.
33.5 Calandria and End-Shield Cooling System
In normal operation, heat is generated in the calandria shell and in the end shields
which support the fuel channels and which provide radiation shielding for the reactor vault in
front of the reactor faces. This heat, amounting to about 0.3% of the full-power heat generation,
is removed by a dedicated shield cooling system. In addition, the cylindrical calandria shell is
located inside either a metal shield tank, or a concrete vault, either of which is filled with water
to provide both cooling and radiation shielding (Fig. 3.2). The vault floor itself is typically
2 1/2 m. thick. Should the emergency coolant injection system, and the moderator heat sink be
lost after a loss-of-coolant accident, the shield cooling system can, depending on the failure
sequence, prevent melt-through of the calandria vault or shield tank, or delay it for many hours
as the shield water is boiled away. The analysis which supports this conclusion is discussed in
Section 4.3.
3.4 3.4 CONTAINMENT
CANDU reactors use two types of containment (Fig. 3.3): single—unit
containment, at the CANDU 6 nuclear generating stations, and multi-unit vacuum containment,
at the Ontario Hydro nuclear generating stations. Both use a high-rate water spray, called
dousing, which condenses steam released in an accident and reduces the containment pressure.
In the single-unit containment, the reactor and the dousing system are all located in the same
building. In the vacuum system, four or eight reactors, each with its own local containment, are
connected by large ducting to a separate common vacuum building kept, as its name implies, at
near-zero absolute pressure. Should steam be released from a pipe break in the reactor building,
it, and any radioactivity, is sucked along the duct and condensed by dousing in the vacuum
building. Long-term pressure control is by local containment air coolers, and by a filtered air
discharge system.
The dual failure "loss of coolant plus loss of emergency coolant injection", while
it does not lead to a loss of core geometry, nevertheless permits the fuel to reach high
temperatures. The Zircaloy fuel sheaths can be highly oxidized, and the hydrogen gas which
evolves will make its way through the break to containment. The control of hydrogen following
severe accidents depends on the station design. In the vacuum containments, a network of
hydrogen ignitors, powered by the most reliable source of electricity (Class I batteries), is
engineered to reduce local flammable hydrogen concentrations before they can reach explosive
conditions, and to ensure that the energy from combustion is released gradually. Alternatively,
the natural circulation through the reactor vault can be accounted for. In particular, for the single
unit containment at Point Lepreau, the accident analysis for loss of coolant plus loss of
emergency coolant injection (LOCA/LOECI) predicts that flammable concentrations (in excess
of 4% hydrogen) of the mixed containment atmosphere are not reached. Should a flammable
concentration nevertheless occur, the analysis also shows that the containment would not be
damaged by the pressures generated by the burn. The reason for the low hydrogen
concentration, even for LOCA/LOECI, is that when the moderator acts as an emergency heat

326
sink, it limits the pressure tube temperatures below the level at which significant oxidation can
occur. Thus the pressure tube metal does not contribute significantly to the hydrogen source
term. This is discussed further in Section 4.
3.5 REACTIVITY CONTROL AND SHUTDOWN SYSTEMS
The reactivity control devices penetrate the low-pressure moderator but not the
coolant pressure boundary, as noted earlier, so they are not subject to pressure-assisted ejection
(a channel failure is too small a break to develop enough pressure within the calandria to delay
the rods significantly). The maximum rate of reactivity addition from the control devices is set
by their inherent mechanical or hydraulic operation - normally this is 0.1 mk/sec (1 mk or
"milli-k" is about 1/6 beta or 16 cents), and at most it is about 1 mk/sec during shutoff rod
withdrawal from a shutdown state. The total reactivity holdup in the movable control devices is
about 15 mk. This low value is set not by the need to compensate excess reactivity, but by
operational requirements on decision and action time after a reactor trip. The pressure-tube,
natural uranium concept permits on-power refuelling as the longer-term means of reactivity
control.
CANDU stations control reactor power automatically over the entire range from 6
or 7 decades below full power up to full power. At low powers, up to about 10% full power,
power measurement is based on ion chambers, while at high powers, in-core flux detectors are
used. Both types of measurement are sufficiently prompt for all practical purposes.
Reactivity control at all power levels, both for bulk and for spatial purposes
(spatial control is needed only above 25% power), is based on water-filled zone controllers. If
their worth is inadequate, mechanical control absorber and adjuster rods are available for both
positive and negative reactivity addition, again under totally automatic control. There is also
poison addition to, and removal from, the Ü2O moderator, both of which are very slow and
relatively rarely required.
Protection against reactivity insertion accidents is provided both by the control
system itself, via power stepbacks on high rate log and high flux, and also by powerful, rapid
shutdown - see [Snell, 1986 December], [Snell, 1987], and [Howieson, 1987] for more detail. In
the CANDU 6 for example, shutdown system 1 consists of 28 gravity-operated, spring-assisted
absorber (shutoff) rods, and shutdown system 2 consists of 6 nozzles which inject liquid
gadolinium nitrate, at high pressure, into the moderator. Each system is, independently, fully
capable of shutting down the reactor for all accidents. Each system has its own detectors,
amplifiers, relays, logic, and actuating mechanisms, and is independent of the control system and
of the other shutdown system. Because the shutoff units are inserted into the low-pressure liquid
moderator, they can respond very quickly to an accident.
In particular, the trip parameters!on each system are chosen to provide redundant
coverage, where practical, for every accident in the design/licensing set. These trips have been
studied extensively in terms of their trip coverage (i.e., the range of initial power level and
process conditions for which the trips are effective), and the combined reactor trip coverage is
found to be fully comprehensive.
The fastest means of reactivity insertion is through the large loss of coolant
accident. Thermohydraulic effects limit the rate to less than 4 mk a second for the worst break.
For a large LOCA, the initial rate of rise of reactor power is 50-100%/second. These rates
determine the speed of the shutdown safety systems, which must therefore act within about two
seconds for the most severe LOCA, a rate achievable with mechanical or hydraulic devices. For
hypothetical reactivity insertions even above prompt critical, the rate of power increase is set by
the longer prompt neutron lifetime of CANDU (at least ten times that of light water power
reactors). Thus the rate of rise of power is not very sensitive to going beyond prompt criticality
in CANDU.

327
 All recent CANDU reactors have two fully independent shutdown systems, either
of which can, by itself, terminate any reactivity insertion accident or LOCA. The provision of
dual, fast, independent shutdown systems means that, for these reactors, Anticipated Transients
Without Scram, including LOCA, are low enough in probability that they can be ignored for
design purposes, as they are a negligible contribution to total risk.

4. SEVERE ACCIDENTS

4.1 PROBABILISTIC SAFETY ASSESSMENTS

In Canada, the nuclear industry (designers and plant owners/operators) has taken
the lead in performing probabilistic safety assessments (PSAs). From the early use of risk to
define design requirements, the PSAs evolved ih the 1970s to fault tree/event tree analyses,
which were used to confirm the reliability and separation goals specified for the design.
The first such study was performed by AECL in 1975 on the service water system
at Ontario Hydro's Bruce-A Generating Station. The benefits from this study were:
a. a comprehensive identification of crosslinks, since service water has interfaces with many
systems;
b. identification of which support functions needed backup cooling water, and
c. definition of the necessary operator actions to mitigate the loss of service water.
PSA studies (called Safety Design Matrices at the time) were performed from
1978 to 1983 on the CANDU plants in the design and construction phase during that period
([Gumley, 1985], [Shapiro, 1986]).
The regulatory agency also recognized the usefulness of the studies for the
Bruce-A Nuclear Generating Station, and the PSA studies became part of the licensing process
for all CANDU stations constructed in Canada after Bruce-A.
These PSAs went beyond the assessment of support systems, and were used to
systematically identify and quantify all major sequences that could release radiation from the
plant at credible event frequencies [Rennick, 1987].
4.1.1 Darlington Probabilistic Safety Evaluation
The Darlington Probabilistic Safety Evaluation (DPSE) [Ontario Hydro, 1987]
was carried out by Ontario Hydro as part of the design verification process for the 4 x 880
MW(e) Darlington station, during the final stages of station design and construction. The study
is essentially equivalent to a Level 3 Probabilistic Risk Assessment (PRA); however, no detailed
off-site consequence analysis was performed for certain low probability severe accidents. The
scope of the study in addition did not include initiating events external to the station nor those
arising from internal fires and flooding, which were judged unlikely to contribute significantly to
risk because of rigorous, deterministic design criteria, as discussed in Section 2.4.
Important features of the DPSE include a very comprehensive set of initiating
events internal to the plant and a high degree of detail in the fault tree analysis of all major
process, safety and support systems, including specific modelling of potential instrumentation
and control failures, e.g., [Raina, 1986]. Human reliability modelling was likewise
comprehensive, including detailed identification of human error opportunities both prior to and
after the initiating event. Preliminary human reliability quantification was performed using
prepared data tables [Iwasa-Madge, 1985]. Final quantification of important human error
probabilities was obtained by using a structured expert judgment procedure involving plant
operations staff.

328
 The spectrum of potential core damage was divided into ten fuel damage
categories (FDCs), labelled FDCO to FDC9. Of these, FDCO to FDC3 cover the range of events
considered to meet the severe accident definition in this report. FDC1 to FDC3 deal largely with
loss-of-coolant initiating events accompanied by failure of emergency core cooling, either on
demand or during the mission time, in which the moderator is called upon to act as the heat sink.
FDCO contains all events with the potential to cause a loss of core structural integrity. This can
occur due to the failure of the moderator to act as a heat sink when required, failure to shut down
(if such failure would result in fuel damage), or severe over-stressing of the calandria structure.
The magnitude of fuel damage associated with FDC3 is quite small and largely
represents an economic, rather than public health, risk. FDC2 results in significant fuel damage,
and FDC1 is conservatively estimated to result in 15-30% of the core equilibrium fission
product inventory being released from the fuel. FDCO could result in a greater or smaller
release, depending on the nature of the mechanism causing loss of core structural integrity.
The frequency estimates are the result of complete computer-assisted integration
of the event trees and fault trees, fully accounting for system crosslinks. Due to the level of
detail, the development of special methods and procedures was needed in order to simplify the
fault trees and structure the integration process to make it computationally feasible ([Chan,
1987], [King, 1987]). Table 4.1 contains the DPSE mean frequency estimates for the severe
accident categories.

TABLE 4.1: DARLINGTON SEVERE ACCIDENT FREQUENCY ESTIMATES

Category Description Mean Frequency

(/reactor-yr)
FDC3 Moderator required as a heat 6 x lO"4
sink more than 1 hour after
reactor trip
FDC2 Moderator required as a heat 8 x 10~5
sink from 200s to 1 hour after
reactor trip
FDC1 Moderator required as a heat 2 x 10"6
sink less than 200s after
reactor trip
FDCO Potential for loss of core 4 x lO"6
structural integrity

The severe core damage frequency is bounded by the frequency for FDCO, and at
4 x lO^/reactor-year, it is very low indeed.
The complex multi-unit CANDU containment includes, as described earlier, a
negative-pressure vacuum system and an emergency filtered air discharge system. The
containment event trees include failures of: overpressure suppression, envelope integrity,
long-term pressure control and filtration [Dinnie, 1986]. Fuel damage and containment failure
logic were fully integrated to search for potential crosslinks. Consequences were estimated
representative of a wide range of fuel damage category and containment subsystem failure
combinations. The results include an estimate of the frequency of a large release from the core

329
accompanied by the potential for loss of the containment function, leading to the possibility of a
large, offsite release. The mean frequency was estimated to be 8 x 10~7/reactor-year.
The overall conclusion is that the calculated health risk is very low.
4.1.2 Probabilistic Risk Assessment of CANDU 6
In 1986 and 1987, AECL performed a CANDU Level 2 Probabilistic Risk
Assessment study of CANDU 6, because some countries have expressed a need to be able to
compare the overall safety of reactors as a factor in making a choice of a reactor option. This
involved a probabilistic evaluation of events of a frequency of less than 10~7/year, and a
consequence analysis of severe core damage events and related releases" [Howieson, 1988].
In performing the probabilistic evaluation, the following groundrules were used:
1. The reference plant was an existing Canadian CANDU 6 unit, licensed for operation in
1983, with the addition of automatic cooldown of the heat transport system on high
end-shield temperature. The required licensing, operating, and design information was
readily available.
2. As assumed in water reactor probabilistic risk assessments, the initial plant state was 100%
full power operation. External events such as earthquakes and fires were not assessed in this
study, although they of course are covered deterministically in the design, as described in
Section 2.4.
3. The reactor core contains equilibrium fuel.
Previous probabilistic safety assessments of CANDU proved to be valuable input
to the CANDU 6 PRA.
Fault trees were used to determine the frequency of the initiating events, and the
failure probability of the mitigating systems. Event trees were used to assess the plant response
following the initiating event, and incorporated the possibility of failures of the required
mitigating systems.
In the preparation of the event trees, crosslinks were identified between systems,
up to the level of major components and electrical power supplies; however, crosslinks between
systems via control components (e.g. contacts, relays, and fuses) were not examined.
The operator model used was the same as was used in the previous CANDU 6
Probabilistic Safety Assessment studies. The PSA operator model is a post-initiating-event
model, in which operator actions are shown explicitly in the PSA event sequence diagrams. This
approach was carried over, and the operator actions were explicitly shown in the event trees. A
brief comparison was made, where appropriate, to other operator models.
This preliminary CANDU 6 study was sufficient to identify the major risk
contributions with a high degree of confidence because:
1. The detailed design is "known" and has already been subject to probabilistic safety analyses;
in addition, the reference plant has been running successfully for the last five years.
2. The CANDU design philosophy calls for independence of safety systems and process
systems. This approach minimizes the potential for crosslinks between the two types of
systems. As discussed in Section 2.1, separation has always been a key issue in design and
licensing of CANDU, and is verified on each plant by an exhaustive review during the design
and construction, by the designer, the utility, and the regulatory board.
The study analyzed a total of thirty-two "internal" initiating events, with detailed
event tree analysis to estimate frequencies of release categories. As shown in Fig. 4.1, the severe
core damage frequency for the reference CANDU 6 plant is of the order of 5 x 10"6 per year.
This low frequency, comparable to that found for the Darlington plant as discussed above,
reflects the presence of the moderator as an emergency heat sink. The major contributor to

330
severe core damage is loss of service water, as this affects cooling water for systems such as the
moderator, calandria vault, secondary heat transport system and emergency coolant injection
system heat exchangers. The study also found that the initiating event leading to a power
excursion coupled with a failure to shutdown is very unlikely: 3 x ICH/year. This low value
results from the use of two independent, rigorously tested shutdown systems in CANDU.
The analysis of severe accident releases drew upon existing Canadian safety
analysis for predictions of the containment behaviour for many events. For severe core damage
sequences, the significant CANDU design features are the moderator water surrounding the
reactor fuel channels, and the shielding/cooling water surrounding the calandria. This water
(even without cooling) provides an inherent heat sink for many hours, limiting the progression of
a severe core damage sequence. Finally, if the sequence should progress further, the CANDU 6
prestressed concrete containment may crack (but is unlikely to fail) due to overpressure,
reducing potential releases from a severe accident.
Further work is underway to refine the operator and consequence models, as
described in [Howieson, 1988].
4.2 SEVERE ACCIDENTS SETTING DESIGN REQUIREMENTS
4.2.1 LOCA with Coincident LOECI
As discussed in Section 2, one of the classes of postulated events considered in
CANDU licensing analysis is a loss of coolant accident (LOCA) coincident with the failure of
the Emergency Coolant Injection (ECI) system to operate on demand. Given the high reliability
(99.9 percent) of the ECI system, such a combination of events is extremely unlikely to occur.
Analyses of LOCA/LOECI sequences focus on demonstrating that the regulatory
dose limit is met and on verifying that the safety design target of maintaining the integrity of all
the fuel channels is also met. The maintenance of channel integrity provides assurance that the
fuel bundles remain within their respective channels throughout the accident. Thus, the
geometry of the reactor core is well defined and can be analyzed on a channel-by-channel basis,
to provide estimates of the timing and extent of fission product release and hydrogen generation.
Over the past few years, considerable effort has been devoted by the Canadian
utilities and AECL to further characterize the phenomena relevant to this class of accidents.
Conservative analytical models, supported by a large body of experimental data (Section 5), are
now in place and are used to assess the consequences of such accidents. Highlights of the recent
developments in these models are now discussed, along with the mechanisms and factors that
impact on channel integrity, fission product release, and hydrogen evolution during these
accidents. Analytical models and methods vary somewhat throughout the Canadian nuclear
industry; the models and methods presented here are typical, but the specifics are those currently
used by Ontario Hydro.

4.2.1.1 Large LOCA With Coincident LOECI

Postulated large LOCAs are characterized by rapid coolant voiding in the fuel
channels which induces an overpower transient. Reactor shutdown systems are activated by one
of several redundant trip signals and consequently reactor power is reduced to decay power
levels within seconds. The PHTS depressurizes at a rate determined by the break size. For most
large breaks there is sufficient convective cooling throughout the transient to avoid severe fuel
temperature excursions and consequent large fission product releases, unless the ECI system is
assumed unavailable. Severely degraded fuel cooling and significant activity release result if it
is assumed that the ECI system fails to operate on demand.
The overall methodology used to assess CANDU core behaviour during large
LOCAs with ECI unavailable is shown schematically in Fig. 4.2. System thermohydraulic codes

331
are used to determine the pressure transient and to provide an estimate of the range of transient
heat removal conditions in the core. Variations in individual fuel channel characteristics such as
initial power, elevation and feeder hydraulic characteristics, in conjunction with possible variable
conditions in the reactor headers (e.g. coolant phase separation), produce a wide range of
channel conditions which may co-exist in the reactor core during a degraded cooling accident.
In the assessment of the thermal and mechanical behaviour of the fuel and fuel channels, channel
flow transients are derived from a conservative estimate of the system behaviour. Various
conservative channel flow transients are applied to groups of channels with similar
characteristics. The results of these single channel analyses are then combined to provide a
bounding assessment of the core behaviour under severely degraded cooling conditions.
Under such conditions, fuel heatup leads to fuel deformation and may cause
pressure tube yielding ([Howieson, 1986], [Brown, 1984], [Muzumdar, 1983 January],
[Muzumdar, 1983 May]). The coolant pressure at the time of overheating determines the mode
of pressure tube deformation. Higher pressures (greater than approximately 1 MPa) lead to
pressure tube ballooning and, at 16% pressure tube strain, to complete circumferential contact
between the pressure tube and the calandria tube in the overheated region (Fig. 4.3). At lower
pressures (near atmospheric), pressure tube sag is more prevalent and leads to more localized
contact between the pressure tube and the calandria tube. At intermediate pressures (between
atmospheric and 1 MPa) a combination of sag and ballooning can result in localized contact
followed by complete circumferential contact between the pressure tube and the calandria tube.
In all cases - sag, strain, or no contact (for regions of lower power) - a heat removal path to the
moderator is established which is effective in limiting the fuel temperature excursions, and
consequently limiting fission product release and hydrogen production ([Gordon, 1982], [Lau,
1981]). The detailed assessment shows that:
Over the entire range of large break LOCAs with ECI unavailable, the fuel
temperatures do not reach the melting point of UÛ2»
An assessment is performed to ensure that channel integrity is maintained
throughout large break LOCAs with coincident loss of ECI. The potential for pressure tube
failure prior to uniform pressure tube contact with the calandria tube is examined. The potential
failure mechanism under these conditions is local overheating of the pressure tube followed by
rapid local strain to failure. It is found that for the expected range of contact conditions between
the fuel and a pressure tube, local pressure tube overheating is not severe enough to cause
localized over-strain and failure prior to pressure tube/calandria tube contact [Gulshani, 1987a].
The prevention of sustained, calandria tube dryout following pressure tube
contact is a sufficient condition for pressure tube integrity, since it ensures that the fuel channel
wüTñot strain further. The factors which affect the potential for calandria tube dryout are the
pressure tube contact temperature (i.e. the stored energy available), the contact heat conductance
between the pressure tube and calandria tube (i.e. the ease with which heat can be transferred
from the pressure tube to the calandria tube), and the subcooling of the surrounding moderator
(since this determines the magnitude of the critical heat flux). The experimentally-determined
relationship between these factors is presented in Section 5.2 (see Fig. 5.1, [Gillespie, 1981] and
[Gillespie, 1982]) and its application is discussed in [Archinoff, 1984], [Brown, 1984], and
[Muzumdar, 1982 March]. An assessment is performed of the transient, local moderator
subcooling required to prevent calandria tube dryout anywhere in the core. This required
moderator subcooling is then compared to the predictions of the available moderator subcooling
during the accident. The assessment of the transient spatial variation of the moderator
subcooling throughout the accident includes the effect of the additional heat load due to pressure
tube/calandria tube contact in a number of channels in the core.
The thermal and mechanical behaviour of a fuel channel under degraded
convectivo cooling conditions is assessed ([Lau, 1986], [Akalin, 1982], [Reeves, 1985], [Reeves,
1982]), including the feedback effect of pressure tube and fuel deformation on the distribution of

332
steam flow in a channel, and consequently on the fuel and pressure tube thermal behaviour
(Fig. 4.2). Pressure tube ballooning and/or fuel bundle slumping promotes the bypass of steam
flow around the interior of the fuel bundles in a channel ([Reeves, 1983], [Akalin, 1983
February], [Akalin, 1983 September]). Thus, the extent of both the exothermic Zircaloy/steam
reaction and the convective heat removal may be reduced in the central region of the fuel
bundles due to a limited steam supply. Depending on the rate of fuel heatup, the extent of the
exothermic Zircaloy/steam reaction may be further reduced due to relocation of the molten
Zircaloy-4 sheath material [Lau, 1987], as now discussed.
If the fuel sheath is not completely oxidized when the Zircaloy-^ melting
temperature is attained, then there is potential for the molten Zircaloy to react with the UÛ2 fuel,
form a low melting point eutectic, and relocate ([Akalin, 1985], [Rosinger, 1985 June],
[Rosinger, 1985 September]). If the oxygen content of the molten Zircaloy is high, then the melt
wets the UC>2 easily and tends to relocate into pellet cracks and dishes. If the oxygen content of
the molten Zircaloy is low, the melt does not easily wet the UC>2 and tends to relocate along the
outer surface of the element (Fig. 4.4). The results of experiments on CANDU fuel bundle
behaviour at temperatures in excess of 1900C demonstrate this type of melt relocation behaviour
([Wadsworth, 1986], [Hadaller, 1984 September], [Kohn, 1985]). Contact of this eutectic with
the pressure-tube has been shown not to threaten pressure-tube integrity - an experimental
programme to confirm the models is underway^ ;
Flow bypass due to pressure tube and fuel bundle deformation, and molten
Zircaloy relocation, are both mechanisms which effectively reduce the overall rate of the
Zircaloy/steam reaction in a channel. This exothermic reaction is an important source of heat to
increase fuel temperatures under severely degraded cooling conditions, and also determines the
timing and extent of hydrogen evolution from a channel. An example of the effect of fuel and
pressure tube deformation on the cumulative hydrogen production is shown in Fig. 4.5, for a
large LOCA/LOECI wherein a constant steam flow of 10 g/s is assumed to occur in all channels
after 40 seconds [Blahnik, 1984]. Such a steam flow is chosen because it maximizes hydrogen
production and heat addition due to the exothermic Zircaloy/steam reaction, while providing a
minimum amount of convective heat removal.
The fuel temperature transients generated are used in the" assessment of fission
product release (Fig. 4.2). The distribution of active fission products within the fuel under
normal operating conditions [Muzumdar, 1982], the timing and extent of sheath failure, and the
transient release of fission products from the fuel are assessed [Archinoff, 1983]. The transient
release mechanisms considered include pressure-driven release of the free inventory, rewet
and/or high temperature release of the grain boundary inventory, temperature-driven diffusion
release from the fuel grains, steam-enhanced grain growth and consequent grain boundary
sweeping release, release from the fuel grains due to the reaction with molten Zircaloy, and
long-term leaching release from the failed fuel in water [Lau, 1985].
At present it is conservatively assumed that any fission products released from the
fuel are transported out of the channels, through the long, relatively cool feeders to the break,
with no retention. Future research (see Section 5.5) will address the extent to which fission
product retention in the PHTS delays and/or precludes the release to containment of various
fission product species.

4.2.1.2 Small LOCA With Coincident LOECI

Small LOCAs are characterized by continued forward flow through the reactor
core during most of the transient and relatively slow system depressurization. For these breaks,
the reactor power regulating system can compensate for most, if not all, of the void-induced
reactivity. Therefore, reactor power is maintained in the operating range until a reactor trip
occurs.

333
 In small LOCAs with an assumed coincident failure of emergency coolant
injection, the fuel channels would receive adequate single-phase liquid or two-phase coolant
(Fig. 4.6a) until well after reactor trip. Eventually, due to the unabated loss of coolant inventory
from the PHTS, feeder connections at the supply header would be uncovered. The uncovered
inlet feeders still contain low quality coolant, which must drain into the channel before
single-phase steam cooling commences (Fig. 4.6b). There is also a substantial liquid level in the
channel which contributes to effective cooling. Eventually, as the liquid in the channel boils off
(Fig. 4.6c), the fuel is cooled by a decreasing flow of steam and fuel temperature excursions
commence. The thermohydraulic response of a fuel channel under these conditions has been
assessed using models that are well-verified against experiments ([Luxat, 1987], [Archinoff,
1986], [Hussein, 1985], [Gulshani, 1986]).
Slow boil-off in a fuel channel may result in temperature variations around the
circumference of the pressure tube. If the pressure tube is locally hot enough to deform, then
these temperature variations could result in localized over-strain and pressure tube failure prior
to uniform pressure tube/calandria tube contact. Transient thermohydraulic information is used
to assess the transient fuel and pressure tube temperature distributions at any axial location in a
channel ([Locke, 1987 March], [Locke, 1987 June], [Locke, 1987 April], [Gulshani, 1987b],
[Locke, 1985 June], [Lowe, 1986]). The results of analyses indicate that localized over—strain
failure, due to thermohydraulic-induced circumferential temperature gradients on the pressure
tube, is not expected for the range of conditions of interest in this accident.
Fission product release and hydrogen generation are bounded by the results for
large break LOCA/LOECI scenarios. As in that case, there is no fuel melting in any small
LOCA/LOECI.

4.2.2 Containment Impairments

The containment system is comprised of several active and passive subsystems.
Active subsystems are those which are not normally operating prior to an assumed process
system or equipment failure and are then required to operate. Passive subsystems are those
which are in operation prior to a failure and continue to operate. The requirement to design for
dual failures means that combinations of process system and containment failures must be
analyzed; however, the independence which is designed into containment subsystems permits
impairments of containment subsystems to be considered rather than total containment system
failure.
The active subsystems which could be impaired are containment isolation and
dousing. Isolation impairments include failure of the ventilation inlet or outlet dampers to close,
and failure of isolation logic which implies that both inlet and outlet dampers fail to close. Due
to separation of dousing into two subsystems in some CANDUs, a failure of both dousing
subsystems is highly unlikely but has been examined in certain cases. The personnel and airlock
door seals are normally inflated when the doors are closed. However, to account for the
possibility that the airlocks have been recently opened and closed and the seals have not been
re—inflated, deflated door seals are considered.
Therefore, the containment impairments considered for the dual failure analyses
are:
1. failure of an isolation damper,
2. failure of containment isolation logic,
3. failure of dousing, and
4. deflated airlock door seals.
The containment response to an accident is determined by: the containment
design (either multi-unit/vacuum building containment or single unit containment), the

334
magnitude of break discharge, containment heat sources and sinks, and the particular
containment impairment being considered. .
In addition to the phenomenological response, discussed below, having to meet
licensing requirements for dual failures has led to a significant emphasis on the reliability of
containment isolation. A programme of tests during plant operation is established, so that the
reliability of isolation on demand can be established at greater than 99.9%. Provision of test
logic and the arrangement of components in order to demonstrate the availability of active
containment subsystems are requirements of the conceptual design, and form an integrated part
of containment.

4.2.2.1 Multi-Unit Containment

Following a postulated large LOCA, operation of the multi-unit negative pressure
containment system would be as follows [Morison, 1984]. There is a large release of steam into
the Reactor Building which results in a rapid increase in containment pressure. The
self-actuated Pressure Relief Valves open automatically at 7 kPa(g). The steam enters the
Vacuum Building where the pressure increase actuates the dousing system. The resultant spray
condenses the steam, thereby reducing the pressure. A typical pressure transient is shown in Fig.
4.7. For the largest break size, the pressure peaks within the Reactor Building accident vault in 3
seconds, and returns to subatmospheric in about 60 seconds.
Assuming no containment impairments, the pressure slowly returns to
atmospheric pressure as a result of the small inleakage of air from outside, and because of the
consumption of instrument air by equipment located within the containment.
When containment pressure returns to atmospheric, the Emergency Filtered Air
Discharge System (EFADS) is brought into operation to control the pressure at slightly
sub-atmospheric. EFADS is equipped with paniculate filters and charcoal filters for iodine
removal, and radiation monitoring equipment to measure any radioactive releases from the
station.
Envelope impairments reduce the time scale of repressurization, but the
phenomena are basically similar. The vacuum containment is powerful enough to hold the
reactor building subatmospheric for significant periods of time even with an impairment.

4.2.2.2 Single Unit Containment

A typical single unit CANDU containment pressure response with an impaired
containment is shown in Fig. 4.8. The containment pressure increases due to the accident, then
falls due to the combination of:
* reduced break discharge rates as the coolant pressure falls;
* dousing in containment which acts to condense the steam; and
* leakage through the impairment itself.

4.2.3 Anticipated Transients Without Scram

As discussed in Section 3.5, a hypothetical untenninated accident in a
CANDU 6 would be an extremely improbable event, because many independent systems would
have to simultaneously fail, namely:
* failure of a normal control system,
* plus failure or incapability of stepback,
* plus failure of shutdown system #1
* plus failure of shutdown system #2.

335
 Such an accident has an estimated frequency of less than 1 in 10 million years per
reactor in CANDU 6 [Howieson, 1988], and, in common with world practice on very low
frequency events, requires no further design provision. Nevertheless the containment response
to such a sequence is discussed in Section 4.3.2.

4.3 SEVERE ACCIDENTS WHICH CHALLENGE DESIGN

4.3.1 Loss of the Moderator Emergency Heat Sink

4.3.1.1 Background
In Section 4.2, it was shown that the moderator can provide an emergency heat
sink for the fuel in the absence of normal coolant and emergency coolant injection. Studies for
the Atomic Energy Control Board have examined the more severe consequences that would
follow if even this emergency heat sink were to fail - namely, the effects of a loss of moderator
heat sink capability in a Bruce-A NGS unit occurring simultaneously with the dual-failure
accident of a large LOCA accompanied by complete unavailability of emergency coolant
injection (LOECI) ([Rogers, 1984 June], [Rogers, 1984 August], [Rogers, 1984 September]).
These studies were deterministic in nature in that they did not select the failure mode from a
probabilistic analysis. In addition, they concentrated on the calandria thermal/mechanical
response, rather than on the full spectrum of events accompanying such a severe accident - e.g.,
hydrogen production and transport. They nevertheless show instructive trends, as they reveal a
further inherent heat sink beyond the moderator.

4.3.1.2 Hypothetical Accident Sequence

The study focussed on a hypothetical accident sequence following a large
LOCA/LOECI in which the moderator cooling system fails, with the result that the moderator
heats up, begins boiling and is eventually expelled from the calandria. As fuel channels are
uncovered by moderator expulsion, they overheat and fall to the bottom of the calandria where
they are quenched by the remaining moderator. Eventually, all moderator is lost from the
calandria and the core debris heats up and melts. The study showed that the molten core material
would be contained in the calandria which, because of the separately cooled water-shield heat
sink, maintains its integrity throughout the accident sequence. This sequence is now described
in detail.

4.3.1.3 Analytical Approach

The behavior of core components under the extreme conditions of this accident
sequence is, in general, quite speculative since little experimental information is available. Thus,
the approach used required that the essential features of the behavior of core components and the
moderator be modelled on a physically sound basis; that sensitivity studies be undertaken; and
that bounding analyses be used in certain cases.

4.3.1.4 Results
Typical thermal behavior of the fuel in different rows of fuel channels in this
accident sequence is shown in Fig. 4.9, for a case where the mode of pressure tube deformation
is assumed to be by sagging onto the calandria tube. The first temperature peak for any fuel
channel row occurs while the channel is still covered by liquid moderator, while the second peak
is predicted after channel uncovering. Actually, the channels would be expected to fail before
the second peak is reached, when the pressure tube and calandria tube temperatures reach about
1750C. Fig. 4.9 shows that fuel in uncovered channels would be well below the UC«2 melting
point up to the times of channel failure.

336
 The amount of moderator remaining in the calandria, as a function of time, for the
reference conditions assumed, is shown in Fig. 4.10 [Rogers et al, 1984 August]. As bulk
boiling initiates and propagates downward through the calandria, at about 16 minutes, it is
predicted that more man half the moderator is expelled. The moderator would be expelled in
surges in this period but pressure peaks in the calandria are not severe (<220 kPa abs.) because
of the low steam qualities (<4%) in the relief ducts. Subsequent rapid expulsions of moderator
seen in Fig. 4.10 are caused by groups of fuel channels failing and dropping into the remaining
moderator. Clearly the simplification of the model is responsible for the fine structure - in
reality the pressure transient would be smoother. Pressure peaks during these subsequent flow
surges are again low (<470 kPa abs.) and the integrity of the calandria is not threatened. For the
reference conditions, Fig. 4.10 indicates that all the moderator is expelled from the calandria in
about 50 minutes.
The study also showed that just before the last of the moderator is expelled from
the calandria, almost all of the core debris in the bottom of the calandna is in the solid state and
has been quenched to quite low temperatures (about 150C).
Typical results of the analysis of the subsequent heat-up of the solid core debris
in the bottom of the calandna are given in Fig. 4.11. For a wide range of bed porosity, Fig. 4.11
shows the maximum and upper and lower surface temperatures of the bed as a function of time
after reheating starts, following the loss of moderator from the calandria. The maximum
temperature in the bed reaches the melting point for oxidized core material, about 2700C, about
80 minutes after the start of reheating, or about 130 minutes after the start of the accident The
upper and lower temperatures are well below the bed melting point at this time. The lower
surface temperature is also well below the melting temperature of the stainless steel calandria
wall and the lower surface heat flux into the shield-tank water, 15 W/cm2, is well below the
critical heat flux, about 280 W/cm2, at the tune that melting begins within the bed.
Fig. 4.11 shows that the thermal behavior of the debris bed is very insensitive to
bed porosity. Other analysis showed that the thermal behavior was also very insensitive to pore
size, material thermal conductivities and contact conductance between pieces of debris. It was
concluded that the integrity of the calandria would be maintained during this stage of the
accident sequence.
Once melting begins in the debris bed, some time will be required for the
transition to a completely molten pool. No attempt was made to develop an analytical model of
the debris bed for this transition stage. Instead, the time required for this period and the
accompanying heat source decay were ignored, so that the analysis predictions are conservative.
Results for the analysis of a molten pool were inconclusive as to whether the pool
would boil or not, depending on the property values used. Nevertheless, the maximum predicted
heat flux into the shield tank water for all conditions (about 20 W/cm2) is well below the critical
heat flux. The interaction of the molten pool with the calandria wall, as illustrated in Fig. 4.12,
indicates that there will be no melting of the calandna wall and that a solidified crust, over 2 cm.
thick, would form on the wall, thus providing a protective shield. Analysis also showed that the
heat flux into the wall would have to be about 100 W/cm2, about five times the maximum
predicted, before melting of the calandria wall would begin. Similarly, for conditions that would
result hi boiling of the molten pool, analysis showed that the calandria wall would be
well-removed from melting conditions and the heat flux hito the shield-tank water would be
well below critical heat flux under both the boiling pool and the condensing vapor film above the
pool.
These analyses indicate that the core material debris, whether solidified or
molten, will not jeopardize the integrity of the calandria vessel, irrespective of whether the
molten pool boils or not. Further calculations show that the molten pool would solidify at a time
between 10 and 50 hours, depending on property values. Thus, it is concluded that the entire
mass of core material would be retained within the calandria, as long as the shield-tank cooling

337
water system continues to function. The consequences of failure of heat removal from the
shield tank have also been assessed, as described in detail in [Howieson, 1988].
4.3.1.5 Conclusions
a. The moderator would be completely expelled from the calandria in about an hour.
b. No gross fuel melting would occur even when fuel channels are uncovered, and the core
debris would not begin to melt until more than 2 hours after the accident begins.
c. The calandria would retain its integrity provided that the shield-tank water cooling system
remains operational.
d. Core debris would be contained within the calandria and would begin to re-solidify in the
period of 10 to 50 hours after accident initiation.
e. The shield tank system provides an additional heat sink to stop the progression of a severe
core damage sequence.

4.3.2 Containment Response to Severe Accidents

The containment is designed for the challenges that could result from rupture of
the largest main primary cooling pipe. For the typical example of the CANDU 6 reactor, the
maximum pressure inside containment for this accident is predicted to be less than 70 kPa(g),
well below the design pressure.
Consequential failures in the containment structure could occur due to severe core
damage accidents which lead to addition of a large amount of energy to the containment
atmosphere. A key feature of the CANDU containment structure is that it is a pre-stressed
concrete building. Experiments at the University of Alberta ([Asmis, 1983], [MacGregor,
1980]) have demonstrated that at 330 kPa(g) internal pressure (2.3 times the proof test pressure),
cracks would penetrate through the wall. Leakage through cracks is negligible at pressures
below 345 kPa(g), and increases exponentially as the pressure is increased beyond that. At
pressures approaching but still below the predicted failure load of around 530 kPa(g), the
experiments suggest a leakage rate sufficiently high that the internal pressure is relieved; so it is
difficult to have a condition in which the containment fails due to internal pressure loading.
This has a significant advantage - the structure would be unlikely to fail in a
catastrophic way, and hence fission products would be largely retained inside a containment
structure. The "wet" atmosphere therein will immobilize them further.

5. SAFETY RESEARCH

5.1 PROGRAMME GOALS

The aim of the safety research programme is to ensure a firm technical
understanding of the .various phenomena that could occur during an accident. The work of the
safety program has covered both the loss-of-coolant accident, by now well understood, and,
more recently, the lower probability severe accident conditions.
There exists a large amount of interaction with the technical community, both
nationally and internationally. Much of the research in Canada is supported and coordinated by
the CANDU Owners Group (COG); most of the rest is performed by AECL-Research.
Internationally there is interaction through participation with formal agencies such as the
Organization for Economic Cooperation and Development Principal Working Groups and the
International Atomic Energy Agency, and also through various technical associations.

338
 The main focus of the research is on aspects that are unique to the CANDU
system. However, sufficient generic and underlying research is also performed to ensure
contribution to, and an ongoing interaction with, international programmes.

5.2 FUEL BEHAVIOUR

An ongoing research programme on high temperature fuel behaviour has provided
a solid database and verified codes to describe fuel behaviour under LOCA conditions. This has
been achieved by separate effects experiments to evaluate properties of the UÛ2 and cladding,
development of computer models to describe sheath deformation and gas release processes, and
in-reactor tests to provide all-effects verification of the behaviour of fuel and fission products.
Using this methodology, current work is extending the database and models to the high
temperatures associated with severe accidents. An advantage of the short (50 cm.) CANDU fuel
bundles is that full-scale tests are relatively easy to do.
Work on fuel oxidation and consequent fission product release is being performed
with both fresh and irradiated fuel. The oxidation kinetics of unirradiated UC>2 in air and steam
has been studied at temperatures up to 1650C in steam and up to 1200C in air ([Cox, 1986
September], [Cox, 1986 October]) and is being extended to higher temperatures. To date, an
extensive database [Iglesias, 1987] for oxidative release of fission products has been built from
60 experiments performed in the temperature range 400 to 1700C.
Severe fuel damage phenomena such as molten Zircaloy relocation, collapse of
individual fuel elements, bundle deformation and UO2~Zircaloy interaction are also being
studied in the laboratory. Much of the work is performed with horizontal fuel element
simulators.
The laboratory work to date has shown that the fuel cladding, oxidized by steam,
has sufficient structural strength to maintain a coolable horizontal geometry, even during very
high temperature transients. Other high temperature transient experiments with entire fuel
bundles heated in steam to temperatures in excess of 1900C [Wadsworth, 1986] have shown that
the relocation of molten un-oxidized Zircaloy to inter-element spaces, as discussed in Section
4.2.1.1, can lessen the effective oxidation rate by reducing the exposed surface area. Small-scale
experiments are in progress to quantify this relocation phenomenon [Wren, 1986].
The interaction between the Zircaloy fuel cladding and the UÛ2 fuel may be
affected by the presence of a very thin layer of a graphite-based lubricant (CANLUB"11) applied
to CANDU fuel elements during manufacture. Experiments have shown that CANLUB011
reduces the interaction at temperatures below 1500C (which is relatively slow), but above this
temperature it has no effect [Lim, 1986].

53 FUEL CHANNEL BEHAVIOUR

The horizontal pressure tube/calandria tube fuel channel has led to an extensive
research programme, which has been underway for a number of years, on fuel channel behaviour
during postulated loss of coolant accidents involving coincident loss of emergency coolant
injection. The work has established the conditions under which the residual heat in the fuel
channel can be transferred to the moderator radially while maintaining fuel channel integrity.
This heat removal may be accompanied by deformation of the pressure tube at high temperature,
as it can contact the calandria tube either by ballooning at a high coolant pressure, or by sagging
under its own weight when the coolant pressure is low.
Understanding the phenomena involved in the integrated tests on moderator heat
sink effectiveness requires understanding of various single effects and the capability of
modelling them. Such tests include studies of high temperature pressure tube sag and
ballooning, development of high temperature creep deformation models, studies of

339
Zircaloy-steam reactions, measurements of critical heat flux in horizontal tube banks, and
measurements of contact heat conductance and of high temperature Zircaloy emissivities.
Fig. 5.1 shows the results of a large number of integrated tests where the pressure
tubes ballooned into contact with the calandria tube ([Gillespie, 1981], [Gillespie, 1982]).
Shown are the boiling regimes on the outside surface of the calandria tube after contact with the
hot pressure tube. If the surface of the calandria tube can be maintained in nucleate boiling or
patchy dryout, it will be sufficiently cool that significant deformation will not occur. These data
are used in accident analyses to assess fuel channel integrity, as discussed in Section 4.
Current experiments and model development are focused on the effect of
temperature gradients on the deformation of pressure tubes, as discussed in Section 4.2.1.2.
These experiments measure the temperature gradients and pressure tube deformation under
various power, coolant pressure and coolant flow rate conditions.
5.4 SLOWDOWN TEST FACILITY
Single- and three-element in-reactor high-temperature fuel tests have been
performed at AECL-RC for many years. In-reactor blowdown tests on CANDU fuel, at
temperatures around 1000C, were performed in the U.S. Power Burst Facility reactor, and
confirmed models of fuel behaviour in LOCA.
Now, a series of in-reactor severe fuel damage tests are planned. These will be
performed in the new Blowdown Test Facility (BTF) ([Fehrenbach, 1987], [Wood, 1986]) in the
NRU reactor. The purpose is to confirm fission product release fractions and chemical
behaviour for overheated fuel, under depressurizing conditions. The focus will be on the release
of active species fission products from fuel operating at temperatures in the range of 1500 to
2500C, and the subsequent transport and deposition of fission products in the primary heat
transport system. The specific test objectives of this programme are:
- to measure the amount and timing of fission product activity release to the coolant during
depressurizing conditions, during high-temperature post-depressurization, and during
subsequent rewet, and to correlate the measured releases with the stages of fuel element
behaviour;
- to measure the rate of fission product transport and deposition in carbon steel and stainless
steel pipes, and determine the partition of fission product isotopes between liquid, solid, and
vapour phases, and the chemical form of fission product species in the blowdown tank;
- to demonstrate techniques and procedures for decontamination of system components
experiencing extensive fission product deposition and transport of irradiated fuel debris.
This programme will provide information on fission product behaviour that will
be used to assess and refine the predictive ability of accident analysis codes.
The Blowdown Test Facility is shown schematically in Fig. 5.2 and its main
design parameters are included in Table 5.1. The in-reactor test section of BTF is a vertical,
re-entrant, pressure tube arrangement which will accommodate assemblies of three fuel elements
plus a thermal shroud up to 70 mm in diameter and up to 3 m in length.

5.5 AEROSOL TRANSPORT

In contrast with other water reactors where there are substantial sources of aerosol
material due to the presence of borated water, stainless steel structural materials and
silver-cadmium control rods, CANDU aerosol source materials are limited to the Zircaloy fuel
cladding, the UC«2 fuel and the fission products-themselves. The smaller amount of
low-melting-point material results in much lower aerosol densities for severe accidents in a
CANDU. Currently the attenuation of these aerosol-borne fission products in the Primary Heat
Transport System is not credited in CANDU safety analyses.

340
 TABLE 5.1

NRU Slowdown Test Facüity (BTF) Design Parameters

Reactor and Test Section
Reactor power 130 MW
Cosine flux length 3.6 m
Mid-core (maximum) flux - thermal 1.7 x 1018 n.nr2^"1
at cell boundary - fast 0.3 x 1015 n.nv^.s"1
Maximum fission heat in BTF 2 MW with pressurized water cooling
200 kW with superheated steam cooling

Normal Operation
Coolant Conditions
Coolant type Recirculating pressurized water or
superheated steam
Pressure (maximum) 10.5 MPa
Temperature (maximum) water 300°C, steam 350°C
Flow (maximum) water 10 kg/s; steam 1 kg/s
Slowdown Conditions
Delay from loop isolation to reactor trip 0.1 - 60 s
Slowdown time to 1 MPa 10 - 300 s
0.3 MPa 30-500s
(Post-Blowdown Stagnation)
Coolant type Saturated steam or helium
Flow (steam) 2 - 20 g/s
(inert gas) variable
(Rewet)
Coolant 25°C water
Rewet flow 0.04 - 4.8 kg/s
(Post-Rewet)
Coolant Once-through de-ionized water
Pressure atmospheric
Temperature (inlet) 25°C
Flow 0.01 to 0.05 kg/s

The current focus of the research programme is to model the production and
transport of aerosols which may be created in the Primary Heat Transport System [Mulpuru,
1987]. The laboratory experiments will be augmented by results from in-reactor BTF
experiments. Development of a model coupling aerosol transport to thermohydraulics is also
underway. This code development effort is supported by theoretical analysis of the validity of
key assumptions which are used in aerosol physics models [McDonald, 1987 September a,b].
Key work on containment aerosols focuses on the two-phase jet at a break, in
order to characterize the water droplet aerosols and their size distribution, and to determine the
extent of fission product washout by the droplets.

341
5.6 FISSION PRODUCT CHEMISTRY

In parallel with the aerosol programme, there is a research programme to develop

a fundamental understanding of fission product chemistry. The main focus is the chemistry of
iodine in the containment-building, although the chemistry of iodine and other fission products
(Cs, Ru, Te) in the Primary Heat Transport System is also being addressed ([Wren, 1983],
[Garisto, 1986]). The behaviour of iodine in the containment building depends on parameters
such as pH, Eh, temperature, radiation fields, impurities in the sump water, and the presence of
chemical additives that could be added to suppress iodine volatility. The work shows that, at
equilibrium and at the low iodine concentrations (<10~5 mol.dm"3) of an accident, the dominant
forms of iodine would be I~(aq) and IU3~(aq) [Lemire, 1981].
The chemical kinetics data has been used in the formulation of the code LERIC
(Long—term Iodine Release Integrated Code) which predicts the iodine chemical forms and
distribution between the aqueous and gas phase in containment [Wren, 1985].
Integrated tests are starting in the Radioiodine Test Facility (RTF) to validate the
ORIC model. The RTF is an intermediate-scale facility designed to provide radiation fields and
chemical conditions appropriate to the reactor containment building conditions after an accident
[Kupferschmidt, 1986]. Shown in Fig. 5.3, the main reaction vessel is a 400 dm3 cylindrical
vessel capable of containing a Co-60 radiation source of variable strength (0-10 kGy.tr1) to
simulate radiation fields encountered in an accident. The inner surface lining of the vessel can
be altered to include painted and bare steel and concrete, and the temperature can be varied up to
80C. It includes extensive on-line instrumentation to monitor the various process variables and
sampling systems for off-line chemical analyses.

5.7 HYDROGEN COMBUSTION

A study of hydrogen combustion has been underway for a number of years. The
research addresses the hydrogen produced both by the Zircaloy/steam reaction and by the
radiolysis of water. The experimental programs use both bench-scale tests as well as tests on
intermediate scale vessels housed in the Containment Test Facility (CTF) [Kumar, 1984].
Important combustion phenomena which have been studied include flammability limits [Kumar,
1985], laminar burning velocities [Liu, 1983], and flame acceleration by venting [Kumar, 1987].
Also, the effectiveness of hot surface igniters, such as glow plugs, has been examined for both
lean and rich hydrogen-air-steam mixtures ([Tamm, 1985], [Tamm, 1987]) in a cooperative
program between AECL, COG and EPRI (Electric Power Research Institute).
Current programmes focus on hot surface ignition limits, flame acceleration
mechanisms, turbulent burning velocities, detonation limits, and transition from deflagration to
detonation, to provide the basic information needed to develop and verify models for localized
hydrogen combustion.

6. OPERATIONAL ASPECTS
Under the Canadian regulatory process, the licensee of a nuclear power plant is
responsible to ensure that the plant staff and the general public are adequately protected from the
consequences of plant accidents. Comprehensive studies are undertaken to ensure that,
following accidents, essential features of safe plant operation are maintained. These include:
* habitability of control room(s),
* means to ensure reactor subcriticality after shutdown
* containment integrity,
* assured heat sink, and
* monitoring of plant safety status.

342
 As part of this, operating procedures are developed, and staff trained, with the
focus on stabilizing the plant Critical Safety Parameters (CSPs). Contingency response
procedures are also developed to mitigate the consequences of an emergency and to provide
assurance that all reasonable measures are undertaken to ensure human safety and to minimize
property damage.
In the following, a fairly typical approach by a Canadian utility is described,
which ensures post-accident operational safety. The specific example is the Lepreau ICANDU
6 plant in New Brunswick, owned and operated by the New Brunswick Electric Power
Commission.
6.1 POST-ACCIDENT OPERATIONS REVIEW
All nuclear power plants are required to perform a plant-wide review of operation
following a worst case loss of coolant accident. A detailed review of the relevant safety
assessment documents, emergency plant operating procedures, and contingency plans is
conducted in order to identify operator actions required to maintain essential plant safety
functions. Each operator action is assessed for feasibility of execution based on its location,
duration, access and expected radiation field.
The methodology for performing a radiation field study is described in [Natalizio,
1983] and is based on an improbable accident sequence which involves a break in the primary
coolant circuit and a failure of a safety system (EG or containment). The estimated worst case
source term for a case of LOCA with impaired ECI is typically 10% halogens and noble gases
and 3% particulates (of total core inventory).
The CANDU 6 moderator and primary heat transport system components are
located inside containment, so the potentially hazardous high radiation fields following a LOCA
are limited to: parts of the Emergency Coolant Injection System located outside containment; the
reactor building ventilation; piping penetrations through the containment wall; and the airlocks.
To date, several post-LOCA operations reviews have been performed, covering
short-term procedures and long-term equipment reliability. Although these studies generally
confirmed the adequacy of the original design and operating procedures, a detailed assessment
led to several recommendations to improve access to specific locations, to address the need for
remote operability, and to confine contamination.
Examples of recommended changes included:
- Installation of additional shielding to improve control room habitability. At the Gentilly-2
CANDU 6 sister plant, a shielding wall was installed alongside the main airlock; and at Point
Lepreau, a shielding wall was installed beside the reactor building exhaust filters.
- Provision of remotely operated isolating Valves on instrument air lines to the reactor building
at Gentilly-2 and Point Lepreau.
- Relocation of the ECI pump switchgear from the vicinity of the ECI pump pit to an
accessible area, to permit operability and maintainability.
- Re-routing of the ECI system leakage to the reactor building to avoid excessive
contamination of active drainage.

6.2 EMERGENCY OPERATING PROCEDURES

The day-to-day operation of a Canadian nuclear generating station is governed

by the AECB-approved Station Operating Policies and Principles which define the envelope
within which that station must be operated.
Besides the system-specific operating manuals covering normal operation,
Emergency Operating Procedures (EOPs) are produced to cover abnormal or accident situations.

343
Where the cause of the upset can be recognized, an event specific EOF is produced. The ability
to predict the anticipated plant response is perceived as a major advantage of these procedures,
as they permit optimization of the corrective action. Typical event-specific EOPs include: dual
computer failure; loss of services such as instruments or cooling water supplies; loss of main
electrical power; loss of feedwater; LOCAs; and boiler tube failures. A generic EOF is also
produced to cater to situations where the upset cannot be clearly diagnosed or identified; or the
initial response by the operator proves inadequate; or the status of a Critical Safety Parameter is
unsatisfactory.
An unsatisfactory status of a Critical Safety Parameter (CSP) indicates a threat to
the integrity of the fuel sheath, or the Primary Heat Transport System, or the containment.
Typical CSPs include the primary coolant sub-cooling margin, primary coolant inventory,
reactor power, boiler pressure and level, containment pressure and radioactivity levels. Fig. 6.la
([Kelly, 1986], [Kelly, 1987]) shows a typical response strategy to a plant upset, and Fig. 6.1b
shows a guideline for controlling the CSPs.
• Each EOP is developed, or is being developed, to meet the requirements prepared
by a joint utilities task force [Kelly, 1987]. This document covers the complete life cycle of the
EOP program which include its generation, verification, validation, issuance, training
requirements and revision.
The operating staff are provided with comprehensive training to develop the
necessary knowledge and skills to identify and respond to a plant upset. Training methods are
normally a combination of classroom and field sessions, with the former providing the technical
and procedural understanding and the latter developing the operating skills. This training may
include control room training, plant walks-through or simulator training.

6.3 CONTINGENCY PLANNING

The starting point for all emergency plans that cope with severe radiation
contingencies is the assumption that an accident causing highly radioactive releases to the
environment can occur even if its occurrence is extremely unlikely. The emergency planning
and preparedness systems must define the necessary countermeasures required to mitigate the
consequences of severe accidents to protect public health and minimize damage to property. The
Atomic Energy Control Board [AECB, 1984] requires the licensee to:
- develop on-site contingency plans for coping with emergencies within the facility boundary,
and
- participate with federal, provincial and municipal governments to develop an off—site
contingency plan to deal with those events which result in release of radioactivity beyond the
station boundary.
Although detailed procedures differ in scope and methodology, the general
approach followed at all CANDU stations is to define two sets of complementary plans: a
general plan defining overall plant response strategy and a specific plan covering each category
of contingency, namely: Radiation, Medical, Chemical, Security and Fire contingencies [Weeks,
1987].
The severity and extent of any particular contingency will dictate the degree of
response required. Normally incidents are classified as Alerts or Emergencies. An Alert is
declared for localized events which can be controlled by station staff and on-site resources,
while an Emergency is declared when the contingency threatens more severe harm to site
personnel, public, or the continued safe operation of the plant.
The key to the success of any Contingency Plan is of course the organizational
framework, the efficiency of communications and level of expertise and training of the response

344
groups involved. Fig. 6.2 shows a typical organization chart for the purpose of contingency
planning. The Shift Supervisor on duty retains the overall responsibility for all response duties
as head of the Command Unit. The Response Team consists of a group of designated and
specially trained shift staff as part of the normal shift complement. The Assistance group is
assembled from the non-shift staff to provide senior-level technical and operational advice to
the Shift Supervisor in case of an emergency.
A comprehensive training program is developed to provide staff with the
necessary knowledge and skills to support the contingency-related activities, the extent of
training being commensurate with the individual's role in the overall plan. Thus the Response
Team members, because of their key function, receive extensive advanced training in a variety of
topics which include fire-fighting, first aid, chemical protection, and all the specific contingency
plans.

7. CONCLUSIONS
Inherent CANDU properties, namely:
- a moderator which acts as a dispersed emergency heat sink for fuel heat;
- the presence of a water-filled shield tank which can prevent melt-through of the calandria;
and
- a containment which exhibits forgiving behaviour under hypothetical overpressure
conditions;
all contribute to a design for which the probability of severe core damage is low, of the order of 5
x 10~7 per reactor-year, and the consequences of core damage are limited.
The licensing philosophy of examining dual failures as part of the design basis
set, has led to redundancy of shutdown which makes an unterminated accident a negligible
contribution to total risk, and to a design which will accommodate impairments in the
containment and emergency coolant injection systems.
Furthermore, these same characteristics mean that the plant response to
increasingly severe accidents is gradual - there is no sudden change in behaviour.
The design characteristics and the licensing approach have also resulted in:
- a research programme which supports models for the predicted behaviour of CANDU for
both loss of coolant and severe accidents, and
- a flexible approach to severe accident management on site.

1. [AECB, 1980]: Atomic Energy Control Board, "Requirements for the Safety Analysis of
CANDU Nuclear Power Plants", Consultative Document C-6, Proposed Regulatory Guide,
June 1980.
*„

2. [AECB, 1984]: .Atomic Energy Control Board, "Guidelines for Off-Site Contingency
Planning", Consultative Document C-45, April 1984.
3. [Akalin, 1982]: O. Akalin and J.H.K. Lau, "CHAN-H(MOD4) - A Model for Analysis of
Channel Thermal Response Under Steam Cooling Conditions", Ontario Hydro Report 82014,
Toronto, Canada, February 1982.

345
4. [Akalin, 1983 February]: O. Akalin and D.B. Reeves, "Effect of Fuel Channel Distortions
on the Distribution of Subchannel Coolant Flow", Ontario Hydro Report 83001, Toronto,
Canada, February 1983.
5. [Akalin, 1983 September]: O. Akalin, C. Blahnik, D.B. Reeves and J.H.K. Lau,
"Subchannel Flow Distributions in CANDU Fuel Channels Following Deformations",
CNS/ANS International Conference on Numerical Methods in Nuclear Engineering,
Montréal, Canada, September 1983.
6. [Akalin, 1985]: O. Akalin, C. Blahnik, E.G. Phan and F. Ranee, "Relocation of Molten
Zircaloy", Ontario Hydro Report 85313, Toronto, Canada, October 1985.
7. [Archinoff, 1983]: G.H. Archinoff, "CURIES-II - A Fission Product Distribution and
Release Code", Ontario Hydro Report 83057, Toronto, Canada, March 1983.
8. [Archinoff, 1984]: G.H. Archinoff and P.S. Kundurpi, "Pressure Tube Integrity During
Ballooning With a Non-Uniform Circumferential Temperature Distribution", Ontario Hydro
Report 84433, Toronto, Canada, November 1984.
9. [Archinoff, 1986]: G.H. Archinoff, P.D. Lowe, J.C. Luxat, K.E. Locke, A.P. Muzumdar,
C.B. So and R.G. Moyer, "Simulation Methodology for Pressure Tube Integrity Analysis
and Comparison With Experiments", Proceedings of the Second International Conference on
Simulation Methods in Nuclear Engineering, Montréal, Canada, October 1986.
10. [Asmis, 1983]: G.K.J. Asmis, "Behaviour of Concrete Containment Structures Under
Over-Pressure Conditions", Committee for the Safety of Nuclear Installations Specialist
Meeting on Water Reactor Containment Safety, Toronto, Canada, March 1983.
11. [Blahnik, 1984]: C. Blahnik, W.J. Dick and D.W. McKean, "Post Accident Hydrogen
Production and Control in Ontario Hydro CANDU Reactors", Fifth International Meeting on
Thermal Nuclear Reactor Safety, Karlsruhe, Germany, September 1984.
12. [Brown, 1984]: R.A. Brown, C. Blahnik and A.P. Muzumdar, "Degraded Cooling in a
CANDU Reactor", Nuc. Sei. & Eng., Vol. 88, p. 425, 1984.
13. [Chan, 1987]: E.M. Chan et al., "A Procedure for Integration of System Failure Logic
Models in Probabilistic Safety Studies", 14th Inter-RAM Conference, Toronto, Canada, May
1987.
14. [Cox, 1986 September]: D.S. Cox, F.C. Iglesias, C.E.L. Hunt, N.A. Keller and R.D.
Barrand, "Oxidation of UÛ2 in Air and Steam with Relevance to Fission Product Releases",
ACS 192nd National Meeting, Anaheim, California, September 1986.
15. [Cox, 1986 October]: D.S. Cox, F.C. Iglesias, C.E.L. Hunt, and R.F. O'Connor, "UO2
Oxidation Behaviour in Air and Steam with Relevance to Fission Product Releases", CNS
International Conference on CANDU Fuel, Chalk River, Ontario, Canada, October 1986.
16. [Dinnie, 1986]: K.S. Dinnie, "The Modelling of a Negative-Pressure, Filter-Vented
Containment System as Part of a Probabilistic Safety Evaluation", Third USNRC Workshop
on Containment Integrity, Washington D.C., May 1986.
17. [Fehrenbach, 1987]: P.J. Fehrenbach and J.C. Wood, "A Description of the Slowdown Test
Facility Program on In-Reactor Fission Product Release, Transport and Deposition Under
Severe Accident Conditions", Atomic Energy of Canada Limited publication, AECL-9343
(1987).
18. [Garisto, 1986]: F. Garisto, 'Thermodynamic Behaviour of Fission Products at High
Temperatures: Ruthenium and Tellurium", ACS Symposium on Chemical Phenomena
Associated with Radioactivity Releases During Severe Nuclear Plant Accidents, Anaheim,
California, September 1986.

346
19. [Gillespie, 1981]: G.E. Gillespie, "An Experimental Investigation of Heat Transfer From a
Reactor Fuel Channel to Surrounding Water", CNS Conference, Ottawa, Canada, June 1981.
20. [Gillespie, 1982]: G.E. Gillespie, R.G. Moyer and P.D. Thompson, "Moderator Boiling on
the External Surface of a Calandria Tube in a CANDU Reactor", International Meeting on
Thermal Nuclear Reactor Safety, Chicago, August 1982.
21. [Gordon, 1982]: C. Gordon and C. Blahnik, "The Emergency Core Cooling Function of the
Moderator System in CANDU Reactors", International Meeting on Thermal Nuclear Reactor
Safety, Chicago, August 1982.
22. [Gulshani, 1986]: P. Gulshani and C.B. So, "AMPTRACT: An Algebraic Model for
Computing Pressure Tube Circumferential and Steam Temperature Transients Under
Stratified Channel Coolant Conditions", Proceedings of the Second International Conference
on Simulation Methods in Nuclear Engineering, Vol. 2, p. 578; Montreal, Canada, October
1986.
23. [Gulshani, 1987a]: P. Gulshani, "Prediction of Pressure Tube Integrity for a Large LOCA
in CANDU", Transactions of the American Nuclear Society 1987 Winter Meeting, Vol. 55,
p. 459; Los Angeles, California, November 1987.
24. [Gulshani, 1987b]: P. Gulshani, "Prediction of Pressure Tube Integrity for a Small LOCA
and Total Loss of Emergency Coolant Injection in CANDU", Transactions of the American
Nuclear Society 1987 Winter Meeting, Vol. 55, p. 461; Los Angeles, California, November
1987.
25. [Gumley, 1985]: P. Gumley, "Safety Design Matrices (SDMs) as Used in Canada for
CANDU 600MW Licensing", International Atomic Energy Agency Workshop on Advances
in Reliability Analysis and Probabilistic Safety Assessment, Budapest, Hungary, October
1985.
26. [Hadaller, 1984 September]: G.I. Hadaller, R. Sawala, S. Wadsworth, G. Archinoff and E.
Kohn, "Experiments Investigating the Thermal-Mechanical Behaviour of CANDU Fuel
Under Severely Degraded Cooling", Fifth International Meeting on Thermal Nuclear Reactor
Safety, Karlsruhe, Germany, September 1984.
27. [Howieson, 1986]: J.Q. Howieson, "CANDU Moderator Heat Sink in Severe Accidents",
Second International Topical Meeting on Nuclear Power Plant Thermohydraulics and
Operations, Tokyo, Japan, 1986.
28. [Howieson, 1987]: J.Q. Howieson and V.G. Snell, "Chernobyl - A Canadian Technical
Perspective", Atomic Energy of Canada Limited publication AECL-9334, January 1987.
29. [Howieson, 1988]: J.Q. Howieson et al., "A PRA Study of CANDU-600", IAEA/OECD
International Symposium on Severe Accidents in Nuclear Power Plants, Sorrento, Italy,
March 1988.
30. [Hussein, 1985]: E. Hussein and J.C. Luxat, "Fuel Cooling Under Steam Venting
Conditions", 6th. Annual CNA/CNS Conference, Ottawa, Canada, June 1985.
31. [Hurst, 1953]: D.G. Hurst, 'The Accident to the NRX Reactor, Part II", Atomic Energy of
Canada Limited publication AECL-233, October 1953.
32. [Hurst, 1972]: D.G. Hurst and EC. Boyd, "Reactor Licensing and Safety Requirements",
Paper 72-CNA-102, presented to the 12th. Annual Conference of the Canadian Nuclear
Association, Ottawa, Canada, June 1972.
33. [Iglesias, 1987]: F.C. Iglesias, M.F. Osborne, R.A. Lorenz and C.E.L. Hunt, "The
Relevance of Chernobyl to PWR and PHWR Source Term Experimental Programs",
Proceedings of the Eighth Annual CNS Conference, Canadian Nuclear Society, Toronto,
Canada, 1987.

347
34. [Iwasa-Madge, 1985]: K.M. Iwasa-Madge and J.D. Beattie, "Preliminary Quantification
for Human Reliability Analysis", International ANS/ENS Topical Meeting on Probabilistic
Safety Methods and Applications, San Francisco, February 1985.
35. [Kelly, 1986]: R.J. Kelly, D. Boulay, E. Fenton, R. Johnson, G. McCormack, M. White,
"Canadian Task Group Study of Emergency Operating Procedures", IAEA International
Seminar on Operating Procedures for Abnormal Conditions in Nuclear Power Plants",
Munich, June 1986.
36. [Kelly, 1987]: R.J. Kelly, D. Boulay, E. Fenton, R. Johnson, G. McCormack, M. White,
"Emergency Operating Procedures Standards for Canadian Nuclear Utilities", prepared by
The Joint Utility Task Group, January 1987.
37. [King, 1987]: F.K. King, V.M. Raina, D.G.R. Anderson, E.M. Chan, P.C. Chow,
K.S. Dinnie, "System Modelling and Integration Techniques - Results and Insights from the
Darlington NPP PS A/PRA Evaluation Study", International Topical Conference on
Probabilistic Safety Assessment and Risk Management PS A '87, Swiss Federal Institute of
Technology, Zurich, August 1987.
38. [Kohn, 1985]: E. Kohn, G. Hadaller, R. Sawala, S. Wadsworth and G. Archinoff, "CANDU
Fuel Deformation During Degraded Cooling (Experimental Results)", 6th. CNA/CNS
Conference, Ottawa, Canada, June 1985.
39. [Kumar, 1984]: R.K. Kumar and H. Tamm, "Flame Acceleration Effects on the
Combustion of Hydrogen in Large Vessels", Trans. Am. Nucí. Soc., Vol. 46, p. 124, 1984.
40. [Kumar, 1985]: R.K. Kumar, "Flammability Limits of Hydrogen-Oxygen-Diluent
Mixtures", Journal of Fire Sciences Vol. 3, p. 245,1985.
41. [Kumar, 1987]: R.K. Kumar, W.A. Dewitand D.R. Grieg, "Vented Combustion of
Hydrogen-Air Mixtures", JSME/ASME Conference, Honolulu, Hawaii, March 1987.
42. [Kupferschmidt, 1986]: W.C.H. Kupferschmidt, "The Radioiodine Test Facility: A
Research Installation for Measurement of Iodine Partitioning Under Simulated Reactor
Accident Conditions", Fourth International BNES Conference on Water Chemistry of
Nuclear Reactor Systems, Bournemouth, United Kingdom, October 1986.
43. [Lau, 1981]: J.H.K. Lau, G.H. Archinoff and O. Akalin, "CHAN-H(MOD3) - A Code to
Assess the Transient Thermal Behaviour of CANDU Fuel Channels Under Steam Flow
Conditions", 8th Simulation Symposium on Reactor Dynamics and Plant Control, Toronto,
Canada, 1981.
44. [Lau, 1985]: J.H.K. Lau and F. Ranee, "Modelling Transient Fission Product Release From
UO2 Fuel", 6th CNS Conference, Ottawa, Canada, June 1985.
45. [Lau, 1986]: J.H.K. Lau, O. Akalin, D.B. Reeves, A.P. Muzumdar and C. Blahnik,
"Feedback Effects of Deformations on Fuel Temperatures During Degraded Cooling
Accidents in CANDUs", Res Mechanica, Vol. 18, p. 307, 1986.
46. [Lau, 1987]: J.H.K. Lau, C. Blahnik and O. Akalin, "CANDU Fuel Behaviour in Severe
Fuel Damage Conditions", International Atomic Energy Agency publication
IAEA-CN-48/70, Vienna, Austria, September 1987.
47. [Laurence, 1961]: G. C. Laurence, "Required Safety in Nuclear Reactors", Atomic Energy
of Canada Limited publication AECL-1923, 1961.
48. [Lemire, 1981]: R.J. Lemire, J. Paquette, D.F. Torgerson, D.J. Wren and J.W. Fletcher,
"Assessment of Iodine Behaviour in Reactor Containment Buildings from a Chemical
Perspective", Atomic Energy of Canada Limited publication AECL-6812 (1981).
49. [Lewis, 1953]: W.B. Lewis, 'The Accident to the NRX Reactor on December 12, 1952",
Atomic Energy of Canada Limited publication AECL-232, July 1953.

348
50. [Lim, 1986]: C.S. Lim, D.J. Wren and H.E. Rosinger, 'The Effect of CANLUB Graphite
and Siloxane Coatings on UC>2/Zircaloy-4 Interactions", CNS International Conference on
CANDU Fuel, Chalk River, Ontario, Canada, October 1986.
51. [Liu, 1983]: D.D.S. Liu and R. MacFarlane, "Laminar Burning Velocities of Hydrogen-Air
and Hydrogen-Air-Steam Flames", Combustion Flame Vol. 49, p. 59 (1983).
52. [Locke, 1985 April]: K.E. Locke, G.H. Archinoff and A.P. Muzumdar, "SMARTT : A
Computer Code to Predict Pressure Tube Circumferential Temperature Distributions Under
Asymmetric Coolant Conditions", CNS 11th Symposium on the Simulation of Reactor
Dynamics and Plant Control, Kingston, Canada, April 1985.
53. [Locke, 1985 June]: K.E. Locke, G.H. Archinoff and A.P. Muzumdar, "SMARTT - A
Computer Code to Predict Fuel and Pressure Tube Temperature Gradients Under
Asymmetric Coolant Conditions", 6th CNS Conference, Ottawa, Canada, June 1985.
54. [Locke, 1987 March]: K.E. Locke, "SMARTT : A Computer Code to Predict Transient
Fuel and Pressure Tube Temperature Gradients Under Asymmetric Coolant Conditions",
Ontario Hydro Report 86007, Toronto, Canada, March 1987.
55. [Locke, 1987 June]: K.E. Locke, A.P. Muzumdar, J.C. Luxat, C.B. So, R.G. Môyer and D.
Litke, "Progress on SMARTT Simulation of Pressure Tube Circumferential Temperature
Distribution Experiments - Test 1 to 4", 8th CNA/CNS Conference, St. John, Canada, June
1987.
56. [Lowe, 1986]: P.D. Lowe, G.H. Archinoff, J.C. Luxat, K.E. Locke, A.P. Muzumdar, C.B.
So and R.G. Moyer, "Comparison of Pressure Tube Delta-T Experimental Results With
SMARTT Code Predictions", CNS 12th Symposium on Simulation of Reactor Dynamics and
Plant Control, Hamilton, Canada, April 1986.
57. [Luxat, 1987]: J.C. Luxat et al., "Verification of a Thermalhydraulic Model of Channel
Cooling Degradation During a LOCA/LOECI Event", 8th. Annual CNA/CNS Conference,
St. John, Canada, June 1987.
58. [MacGregor, 1980]: J.G. MacGregor, D.W. Murray and F.H. Simmonds, "Behaviour of
Prestressed Concrete Containment Structures - A Summary of Findings", Atomic Energy
Control Board publication AECB-INFO-0031, May 1980.
59. [McDonald, 1987 September a]: B.H. McDonald, "Assessing Physical Models Used in
Nuclear Aerosol Transport Models", OECD/CEC Workshop on Aerosol Uncertainties,
Brussels, Belgium, September 1987.
60. [McDonald, 1987 September b]: B.H. McDonald, "Assessing Numerical Models Used in
Nuclear Aerosol Transport Models", OECD/CEC Workshop on Aerosol Uncertainties,
Brussels, Belgium, September 1987.
61. [Morison, 1984]: W.G. Morison et al., "Containment Systems Capability", Fifth
International Meeting on Thermal Nuclear Reactor Safety, Karlsruhe, Germany, September
1984.
62. [Mulpuru,1987]: S.R. Mulpuru, D.J. Wren and R.K. Rondeau, "Aerosol Material Release
Rate from Zircaloy-4 at Temperatures 2000-2200C", American Nuclear Society Winter
Meeting, Los Angeles, November 1987.
63. [Muzumdar, 1982]: A.P. Muzumdar, "A Model for Fission Product Distribution in CANDU
Fuel", in "Water Reactor Fuel Element Performance Computer Modelling", edited by J.
Gittus, Applied Science Publishers Ltd., Essex, England, 1982.
64. [Muzumdar, 1982 March]: A.P. Muzumdar, "Generic Aspects of Fuel Channel Integrity
During LOCA Scenarios", Ontario Hydro Report 82028, Toronto, Canada, March 1982.

349
65. [Muzumdar, 1983 January]: A.P. Muzumdar, C. Blahnik, J.H.K. Lau and G.H. Archinoff,
"Fuel Temperature Excursions During Accidents With Degraded Cooling in CANDU
Reactors", 2nd International Topical Meeting on Nuclear Reactor Thermalhydraulics, Santa
Barbara, California, January 1983.
66. [Muzumdar, 1983 May]: A.R Muzumdar, J.H.K. Lau, G.H. Archinoff, C. Blahnik, and
R.A. Brown, "Fuel Channel Behaviour During Accidents With Degraded Cooling in
CANDU Reactors", IAEA Specialists' Meeting on "Water Reactor Fuel Safety and Fission
Product Release in Off-Normal and Accident Conditions", Riso, Denmark, May 1983.
67. [Muzumdar, 1987]: A.P. Muzumdar and G.M. Frescura, "Consequences of
Pressure/Calandria Tube Failure in a CANDU Reactor Core During Full-Power Operation'',
8th CNS Conference, Saint John, New Brunswick, June 1987.
68. [Ontario Hydro, 1987]: Ontario Hydro, "The Darlington Probabilistic Safety Evaluation -
Main Report", December 1987.
69. [Natalizio, 1983]: A. Natalizio, J.G. Comeau, D.W. Black, "Post-LOC Accident
Management", Int. Symposium on Operational Safety of Nuclear Power Plants, May 1983.
70. [Raina, 1986]: V.M. Raina and P.V. Castaldo, "Programmable Controller Fault Tree Models
for use in Nuclear Power Plant Risk Assessments", Programmable Electronic Systems Safety
symposium, Guernsey, Channel Islands, United Kingdom, May 1986.
71. [Reeves, 1982]: D.B. Reeves, O. Akalin and J.H.K. Lau, "Current Developments in
CHAN-n and Their Applications to Accident Analysis", 9th Simulation Symposium on
Reactor Dynamics and Plant Control, Mississauga, Canada, 1982.
72. [Reeves, 1983]: D.B. Reeves, O. Akalin and J.H.K. Lau, "Calculation of Steam Flow and
Its Effect on CANDU Fuel Channels", CNS/ANS International Conference on Numerical
Methods in Nuclear Engineering, Montréal, Canada, 1983.
73. [Reeves, 1985]: D.B. Reeves, "MINI-SMARTT : A Computer Code for Analyzing Fuel
Element / Pressure Tube Contact", Ontario Hydro Report 85326, Toronto, Canada, December
1985.
74. [Rennick, 1987]: D.F. Rennick and V.G. Snell, "Enhancements in Safety Resulting from
Probabilistic Safety Assessments", American Power Conference, Chicago, March 1987.
75. [Rogers, 1984 June]: J.T. Rogers, 'Thermal and Hydraulic Behavior of CANDU Cores
Under Severe Accident Conditions - Final Report", Vols. 1 and 2, Report to the Atomic
Energy Control Board, DepL of Mechanical and Aeronautical Engineering, Carleton
University, Ottawa. AECB INFO-0136-2 & 3, June 1984.
76. [Rogers, 1984 August]: J.T. Rogers, 'Thermal and Hydraulic Behavior of CANDU Cores
Under Severe Accident Conditions. Executive Summary", Report to the Atomic Energy
Control Board, Dept. of Mechanical and Aeronautical Engineering, Carleton University,
Ottawa. AECB INFO-0136-4, August 1984.
77. [Rogers et al., 1984 August]: J.T. Rogers, J.C. Atkinson and R. Dick, "Analysis of
Moderator Expulsion from a CANDU Reactor Calandria Under Severe Accident
Conditions". ASME Paper 84-HT-16, August 1984.
78. [Rogers, 1984 September]: J.T. Rogers, "A Study of the Failure of the Moderator Cooling
System in a Severe Accident Sequence in a CANDU Reactor", Proc. Fifth International
Meeting on Thermal Nuclear Reactor Safety, Karlsruhe, Germany, September, 1984; Vol. 1,
p. 397, KfK 3880/1, December, 1984.
79. [Rosinger, 1985 June]: H.E. Rosinger, R.K. Rondeau and K. Demoline, "The Interaction
and Dissolution of Solid UO2 by Molten Zircaloy-4 Cladding in an Inert Atmosphere or
Steam", 6th CNS Conference, Ottawa, Canada, June 1985.

350
80. [Rosinger, 1984 September]: H.E. Rosinger et al., "UO2 Dissolution by Molten Zircaloy",
Fifth International Meeting on Thermal Nuclear Reactor Safety, Karlsruhe, Germany,
September 1984. .
81. [Ross-Ross, 1963]: R Ross-Ross, "Experiments on the Consequences of Bursting Pressure
Tubes in a Simulated NPD Reactor Arrangement", Atomic Energy of Canada Limited
publication AECL-1736, February 1963.
82. [Shapiro, 1986]: H. Shapiro and I.E. Smith, "Probabilistic Safety Assessments in Canada",
1986 Summer National Meeting of the American Institute of Chemical Engineers, Boston,
August 1986.
83. [Siddall, 1959]: E. Siddall, "Statistical Analysis of Reactor Safety Standards", Nucleonics
Week, Vol. 7, p. 64, 1959.
84. [Snell, 1985]: V.G. Snell, "Safety of CANDU Nuclear Power Stations", Atomic Energy of
Canada Limited publication AECL-6329; November 1978, September 1979, July 1980,
November 1985.
85. [Snell, 1986]: V.G. Snell, "Probabilistic Safety Assessment Goals in Canada", International
Atomic Energy Agency Technical Committee Meeting on Prospects for the Development of
Probabilistic Safety Criteria, Vienna 1986; Atomic Energy of Canada Limited publication
AECL-8761.
86. [Snell, 1986 December]: V.G. Snell and J.Q. Howieson, "Chernobyl - A Canadian
Perspective", Atomic Energy of Canada Limited publication PA-10, December 1986.
87. [Snell, 1987]: V.G. Snell and J.Q. Howieson, "Chernobyl - A Canadian Technical
Perspective - Executive Summary", Atomic Energy of Canada Limited publication
AECL-9334S, January 1987.
88. [Tamm, 1985]: H. Tamm, H. MacFarlene, and D.D.S. Liu, "Effectiveness of Thermal
Ignition Devices in Lean Hydrogen-Air-Steam Mixtures", EPRI Report NP-2956,
1985 March.
89. [Tamm, 1987]: H. Tamm, M. Ungurian and R.K. Kumar, "Effectiveness of Thermal
Ignition Devices in Rich Hydrogen-Air-Steam Mixtures", EPRI Report NP-5254 and
Atomic Energy of Canada Limited publication AECL-8363, 1987.
90. [Wadsworth, 1986]: S.L. Wadsworth, G.I. Hadaller, R.M. Sawala and E. Kohn,
"Experimental Investigation of CANDU Fuel Deformation During Severely Degraded
Cooling", Proceedings of the International ANS/ENS Topical Meeting on Thermal Reactor
Safety, American Nuclear Society, Chicago, 1986.
91. [Weeks, 1987]: D.F. Weeks, "On-Site Contingency Planning at Point Lepreau O.S.", Proc.
of 8th CNS International Conference, Saint John, New Brunswick, June 1987.
92. [Wood, 1986]: J.C. Wood, F.C. Iglesias, P.J. Fehrenbach and H.E. Sills, "Overview of
Canadian Programs on Fuel High Temperature Transient Behaviour", OECD Specialist
Meeting on Light Water Reactor Fuel Behaviour, Cadarache, France, September 1986.
93. [Wren, 1983]: D.J. Wren, "Kinetics of Iodine and Cesium Reaction in the CANDU Reactor
Primary Heat-Transport System Under Accident Conditions", Atomic Energy of Canada
Limited publication AECL-7781, 1983.
94. [Wren, 1985]: D.J. Wren and J. Paquette, "The Kinetics of Iodine Release from Aqueous
Solutions", Proceedings of the OECD Workshop on Iodine Chemistry in Reactor Safety,
;
H.M. Stationery Office, London, 1985.
95. [Wren, 1986]: D.J. Wren, R. Choubey, H.E. Rosinger, K. Demoline and A.E. Unger,
"Relocation of Molten Zircaloy in CANDU Fuel-Element Clusters under Severe Accident
Conditions", Proceedings of the International ANS/ENS Topical Meeting on Thermal
Reactor Safety, San Diego, 1986.

351
 LIST OF PARTICIPANTS

Ashurko, Yu. M. IPPE

249020 Bondarenko Square l
Obninsk
Kaluga Region, Russian Federation

Al-Mugrabi, M.A. Division of Nuclear Power

(Scientific Secretary) IAEA, Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

Barnert, H. Institute for Safety Research and Reactor Technology

Research Center Jülich GmbH
P.O. Box 1913
52425 Jülich, Germany

Board, J. Nuclear Electric Pic

Booths Hall
Chelford Road, Knutsford
Cheshire WAT6 8Q6
United Kingdom

Bonhomme, N. Nuclear Power International, NPI

6, Course michelet, Cedex 52
92064 Paris-la Defense
France

Brettschuh, W. SIEMENS/KWU
Berliner Str. 295-303
63067 Offenbach/Main
Germany

El-Kady, A. Nuclear Safety Department

Atomic Energy Authority
8 Ismail Kamal Street, Heliopolice
Cairo, Egypt

Elshehawy, I.A. Nuclear Power Plants Authority, NPPA

4 El-Naser Avenue, Nasr City
P.O. Box 108 Abbasia
Cairo, Egypt

Eriksson, T. Studsvik Eco Sufe

Studsvik Eco & Safety AB
S-611 82 Nyköping
Sweden

353
Hamid, S.B. Abdel Nuclear Power Plants Authority, NPPA
4 El-Nasr Avenue, Nasr City
P.O. Box 108, Abbasia
Cairo, Egypt

Hart, R.S. AECL CANDU

2251 Speakman Drive
Mississauga, Ontario
Canada L5K 1B2

Hayns, M.R. Business Development Director

European Institutions, M + S Division
AEA Technology
B329/9060, Harwell, Didcot
Oxfordshire, OX11 ORA
United Kingdom

Hicken, E.F. Forschungszentrum Jülich, ISR

P.O. Box 1913
D-52425 Jülich
Germany

Gremm, 0. Commission of the European Communities

200, rue de la Loi
DG XII/F-5
B-1049 Brussels
Belgium

Güntay, S. Paul Scherrer Institute, PSI

CH-5232 Villigen
Switzerland

Kim, S.-O. Korea Atomic Energy Research Institute

P.O.Box 105
Yuseong, Taejon, 305 353
Republic of Korea

Kupitz, J. IAEA, Division of Nuclear Power

Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

Lang, P. Office of Nuclear Energy

US Department of Energy
Mail Stop NE-42
Washington D.C. 20585
USA

354
 Leroy, P. TECHNICATOME
Service SEPS/CSF
B.P. 34000, 13791 Aix-en-Provence Cedex 03
France

Ludwig, W. P. H. NUCON Nuclear Technology

P.O. Box 58026
1040 HA Amsterdam
The Netherlands

Maqua, M. Gesellschaft fur Anlagen- und Reaktorsicherheit

Schwertnergasse l
D-50667 Köln
Germany

Marella, G. Engineer of Fission Systems Division

Italian National Agency for Environmental
Protection, A.N.P.A.
Via Vitaliano Brancati 48
00144 Rome
Italy

Masoni, P. ENEA
Viale Martin di Monte Sole No. 4
1-40129 Bologna
Italy

Masriera, N. INVAP S.E.

P.P. Moreno 1089
8400 S.C. de Bariloche
Argentina

Munther, R. University of Technology

P.B. 20 Fin 52851
Lappeenranta
Finland

Nicaise, J. TRACTEBEL
Energy Engineering
Avenue Ariane 7
B -1200 Brussels
Belgium

Niu, W. Nuclear Power Institute of China

P.O. Box 436/503 Chengdu
Sichuan, 610041 Chengdu
China

355
Ochiai, M. Nuclear Ship System Laboratory
Office of Nuclear Ship Research and Development
Japan Atomic Energy Research Institute
Tokai-mura, Ibaraki-ken, 319-11
Japan

Pahladsingh, R. GKN, Waalbandijk 112a

6669 MG Dodewaard^
The Netherlands

Palavecino, C. SIEMENS, Energieerzeugung (KWU)

Postfach 101063
63010 Offenbach a.M.
Germany

Parme, L. Systems Engineering

General Atomics CO
P.O. Box 85608
San Diego CA 92186 - 9784
USA

Py, J.P. FRAMATOME

Tour Fiat, 1, Place de la Coupole
92084 - La defense - Cedex 16
France

Salve, R. UNESA
Francisco Gervás, 3
28020 Madrid
Spain

Staat, M. KFA-ISR
Institut für Sicherheitsforschungs und Reaktortechnik
Forschungszentrum Jülich GmbH
D-52425 Jülich, Germany

Seebregts, A.J. Netherlands Energy Research Foundation, ECN

P.O.Box 1, 1755ZGPetten
Netherlands

Soplenkov, K.I. RINPO VNIIAES

Research Institute for NP Operation
Russia

Spinks, N. Passive Concepts, AECL Research

Chalk River Laboratories
Chalk River, Ontario
Canada, KOJ 1JO

356
 Süssenberger, J. Gesellschaft für Anlagen- und Reaktorsicherheit
Schwertnergasse l
D-50667 Köln
Germany

Syarip, M. Komplek BATAN,

Jl. Babarsari CU-28
Yogyakarta
Indonesia

Tanrikut, A. Turkish Atomic Energy Authority

Alacam Sok No.9, Cankaya
06690 Ankara
Turkey

Weißhäupl. H. SIEMENS/KWU
Fryeslebenstrasse - l
91058 Erlangen
Germany

Yoon, J. Advanced Reactor Development Department

KAERI
P.O. Box 105, Yuseong
Taejon, 305-600
Republic of Korea

357