You are on page 1of 42

MBE4105 – Nuclear Reactor Safety

Reactor Safety Systems

Jiyun Zhao
Associate Professor
Dept. of Mechanical and Biomedical Engr.
City University of Hong Kong

1
Part I: Reactor System Safety Characteristics

2
Reactor System Safety Characteristics

Reactors can differ greatly in design and detailed


engineering characteristics. However, basic design
safety principles are common to all, including the
multiple-barrier concept for fission-product
containment and its related defense-in-depth.

Consistent with the defense-in-depth approach to


reactor design, extensive engineered safety
systems are integrated into all reactors.

3
Reliability of Engineered Safety Systems

Because each protection and safety function must


be available at all times, reliability is highly valued.
Design principles and criteria have been developed
for this purpose. Several important ones are:

• Redundancy
• Diversity
• Physical separation

4
Redundancy
Redundancy provides more safety-system
components or subsystems than are needed to
meet minimum requirements. For example,
although a single emergency cooling pump might
be enough, two or three are provided as a hedge
against failure or unavailability during maintenance.
Systems that meet a single failure proof criterion
have sufficient redundancy to tolerate failure of any
single component and still continue to function as
intended.

5
Diversity
Diversity employs two or more systems based on
different design or functional principles for a
particular safety function. This is added protection
against common mode failures, in which redundant
systems are disabled at the same time for the
same reason. Control rods and boric-acid injection,
for example, constitute diverse LWR shutdown
systems. Electrically powered and steam-driven
pumps to supply auxiliary feedwater are another
example.

6
Physical separation
Physical separation of components and systems
intended to perform the same function also protects
against simultaneous loss, e.g., by fire or flood. The
primary means of accomplishing this are distance
and physical barriers.

Emergency electric power supply is an important


example of combining these three design safety
principles. Diesel generators, multiple ties to the off-
site electrical grid, and storage-battery systems are
configured with redundancy, diversity, and physical
separation to provide reliable power for safety
functions when the normal supplies are not available.
7
Part II: Reactor Safety System Functions

8
Safety System Functions
Engineered safety system functions for an LWR are:

• Reactor trip [RT] to provide positive and continued


shutdown of the nuclear chain reaction
• Emergency core cooling [ECC] to limit fuel melting
• Post-accident heat removal [PAHR] to prevent
containment overpressurization
• Post-accident radioactivity removal [PARR] to reduce the
radionuclide inventory available for release
• Containment integrity [CI] to limit radionuclide release

These five safety functions are substantially integrated with


each other in all reactors. Therefore, they are often called
collectively the emergency core cooling systems [ECCS].
9
Safety System Functions

10
PWR Safety Features
Basic engineered safety system for a pressurized-water reactor are shown in figure
below. They are designed to mitigate the consequences of design-basis and beyond-
design-basis LOCA and other accident sequences.

11
PWR Safety Features
Reactor Trip
The reactor trip function occurs by gravity insertion of the control
rods mounted above the core. The core protective system is
designed to induce the trip when operating limits are exceeded.

Normal PWR shutdown requires full controIl-rod insertion at


operating soluble boron concentrations. While a core-
uncovering LOCA produces its own shutdown through the
moderator feedback (i.e., loss of moderation), the negative
reactivity worth of the control rods is not sufficient by itself to
assure continued subcriticality as the core refloods. Thus,
borated water is used for emergency cooling. it is usual practice,
in fact, to provide a soluble boron concentration that is sufficient
by itself for full shutdown.
12
PWR Safety Features
Emergency Core Cooling
The emergency core cooling systems [ECCS] are available to
augment the normal heat removal systems. A PWR has
independent high-pressure injection, accumulator [core flood],
and low-pressure injection systems designed to reflood the
core with cooling water following a LOCA or other sequence.
Because an accident-initiating break could nullify the
effectiveness of certain injection locations, each of the three
systems consists of multiple loops with access points
distributed around the reactor vessel. Redundant and diverse
on- and off-site power supplies are also provided for the active
systems.

13
PWR Safety Features

Emergency Core Cooling (continuous)


The high-pressure injection systems [HPI] typically are
designed to operate when the primary-loop pressure falls from
its nominal 15.5 MPa [2250 psi] to about 12.5 MPa [1800 psi].
By pumping borated water from the refueling-water storage
tank to the vessel inlet, a reasonable coolant flow can be
maintained for a small-break LOCA. The flow can also provide
early cooling for a large, design-basis LOCA.

14
PWR Safety Features

Emergency Core Cooling (continuous)


The accumulators [core flood tanks] contain borated water
under nitrogen pressure. If the primary pressure drops below
12.5 MPa [1800 psi], the system is “armed” to allow coolant
injection when the pressure falls to 4-5.5 MPa [600-800 psi]. [It
may be noted that the vessel coolant inlet is actually above the
core, rather than below as shown in the previous figure on
slide #11]. The accumulators are sized to provide coolant
for about 30 s, enough time for blowdown to be complete and
for the low-pressure injection system to become effective.

15
PWR Safety Features

Emergency Core Cooling (continuous)


The low-pressure injection [LPI] systems use the residual-
heat-removal [RHR] pumps to provide post-LOCA cooling with
water from the refueling tank. (These same pumps are used
for decay-heat removal following normal shutdown). When the
tank is emptied, the system is reconfigured to draw water that
will have accumulated in the containment-building recirculation
sump (from condensation of the steam released during the
accident and ECCS water flowing out the break).

16
PWR Safety Features
Heat Removal
The first post-accident heat removal [PAHR] for large-break
LOCAs occurs when initially “cool” ECCS water is injected and
carries heat out when it leaves through the break. For small
breaks, heat removal may be accomplished with forced
circulation, single-phase natural circulation, or two-phase
natural circulation when the steam generators can be used as
a heatsink. Otherwise, a feed and bleed mode may be
required in which water from the HPI or LPI systems is fed into
the core and steam is discharged [bled off] through the
pressurizer’s pilot-operated-relief valve [PORV] or one of its
safety valves.

17
PWR Safety Features

Heat Removal (continuous)


The other PAHR mode uses containment water sprays that
are supplied initially from the refueling-water storage tank and
latter from the containment building sump. By condensing the
steam, the sprays lower the pressure and remove heat energy
from the containment.

18
PWR Safety Features

Heat Removal (continuous)


A complementary feature of the post-accident-heat-removal
function becomes important as the refueling water is
exhausted. The alternate supply-i.e., the sump
Water-is relatively hot and would become more so with
recirculation through the low-pressure-injection and spray
systems. Its ability to cool the core and containment
depends on removal of some of the heat energy. The heat
exchanger [HX] of the residual-heat-removal system serves
such a cooling function. It employs a heat sink located outside
of the containment building.

19
PWR Safety Features
Radioactivity Removal
Post-accident removal of radioactivity generally
takes several forms, including:
• charcoal adsorbers capable of fission-product
removal at high temperatures and humidities
• high-efficiency particulate air [HEPA] filters
• reactive coatings for passive removal of halide
fission products
• containment water sprays

20
PWR Safety Features
Radioactivity Removal (continuous)
Water sprays “wash” fission products from the
containment atmosphere. Additives for pH control,
such as sodium hydroxide [NaOH] or sodium
thiosulfate [Na2S2O3], can increase removal of
chemically reactive fission products from the
containment atmosphere. (Because the additives
also can cause damage to reactor systems, and
were of questionable value in the TMI-2 accident,
their use in future reactors is unresolved.)

21
PWR Safety Features
Radioactivity Removal (continuous)
The inert noble gases and organic halides are not
readily subject to removal from the containment
atmosphere- As with the other products, however,
assuring containment holdup (i.e., the “delay and
decay” approach) reduces their relative hazard.

22
PWR Safety Features

Containment
The initial requirement for containment integrity is the
operation of isolation valves to close off containment
penetrations. Such valves are designed to operate
automatically under overpressure conditions characteristic of
a large-break LOCA.

Ultimate long-term containment integrity for any structure


depends on prevention of overpressure and melt-through
failure. Proper operation of the other engineered safety
systems should assure continued containment. On the other
hand, once a meltdown occurs the containment may be
breached by overpressure or melt-through.
23
PWR Safety Features

A PWR containment arrangement representative of currently


operating plants is shown in next slide. It consists of an inner
leak-tight steel liner surrounded by a reinforced concrete shell.
The figure includes the relative positons of the reactor vessel,
coolant pumps, and steam generators, as well as the
accumulators and containment sprays that are described in the
preceding slide.

24
25
PWR Safety Features
(Integrated Accident Response)

26
PWR Safety Features
(Integrated Accident Response)

The design-basis accident (Fig. 14-5, path 1) includes rapid


coolant blowdown accompanied by containment pressurization
within a few seconds. If all engineered safety systems function
as intended, pressure reduction begins in minutes and
approaches atmospheric levels within about half hour.
Continued operation of the sump-recirculation and heat-removal
systems assures long-term stability.

27
PWR Safety Features
(Integrated Accident Response)

If the low pressure-injection system fails to draw sump water


after the refueling tank is empty, meltdown ensues after the
water in the vessel boils off. The containment sprays
(assumed to draw adequately from the sump) prevent
excessive pressurization, although some buildup occurs (Fig.
14-5, path 2) due to zirconium-steam and fuel-concrete
interactions. Containment failure ultimately occurs by melt-
through.

28
PWR Safety Features
(Integrated Accident Response)

If the spray rather than low-pressure injection fails to


draw from the sump, there is no effective steam
condensation. Containment pressurization then occurs
as the hot core boils off coolant (Fig. 14-5, path 3). The
pressure eventually builds to breach the containment.

29
PWR Safety Features
(Integrated Accident Response)
Failure of both the spray and injection systems to draw water
from the sump results in the complex behavior shown by Fig.
14-5, path 4. The lack of any core cooling results in rapid boiloff,
zirconium-steam reactions, and hydrogen generation. The
pressure increase is unimpeded due to the spray failure. As
soon as all vessel water has boiled away, natural condensation
allows some pressure decrease. Vessel melt-through results in
concrete interactions, evolution of steam and CO2 , and
renewed pressure increases. Overpressure failure would be
possible at this point. Otherwise, as the concrete reactions slow,
natural condensation may again reduce the pressure until
containment melt-through finally leads to an equilibrium level.

30
BWR Safety Features
The major features of the engineered safety systems for an early
boiling-water reactor design are shown below. The principles also
apply to newer systems.

31
BWR Safety Features

Reactor Trip
The reactor trip function is accomplished by mechanical
insertion of the cruciform control rods mounted below the core.
The core protection system is designed to initiate the trip when
operating limits are exceeded.

Injection of soluble boron with the emergency cooling water


provides a backup to assure subcriticality. The LOCA itself
produces neutronic shutdown from lack of moderation. The
presence of the rods and/or the soluble boron are of most
importance as the core refloods.

32
BWR Safety Features

Emergency Core Cooling


The BWR system employs three different emergency core
cooling systems [ECCS]. Each system, in turn, consists of
multiple loops, all of which need not be operable to provide
the required cooling capacity. Redundant off-site and on-site
power sources enhance reliability.

33
BWR Safety Features

Emergency Core Cooling


The high-pressure coolant-injection enters the reactor vessel
through a feed-water line (actually located above the core). It
is capable of providing cooling water immediately after LOCA
initiation at essentially any system pressure. Pumps from the
residual-heat-removal [RHR] systems are used in conjunction
initially with the water in the condensate storage tank and later
with the water that collects in the pressure-suppression pool.

34
BWR Safety Features

Emergency Core Cooling


The low-pressure core spray and low-pressure injection
system are available after the system pressure is reduced by
the LOCA. Each relies on pumping water from the
suppression pool for discharge to the core. The spray line is
connected to a sparge ring that distributes the flow among the
core fuel assemblies. The low-pressure injection system
employs the residual-heat-removal system components to
provide additional coolant.

The ECCS for newer BWR designs employ separate high-


pressure sprays rather than using injection on the feedwater
line. The two low-pressure cooling functions are similar.

35
BWR Safety Features

Heat and Radioactivity Removal


Initial post-accident heat removal is accomplished by
venting the LOCA-produced steam from the drywell
to the pressure-suppression pool. Condensation of
the steam reduces the temperature and pressure of
the drywell atmosphere.

36
BWR Safety Features

Heat and Radioactivity Removal


Continuing heat removal is accomplished by use of
sprays in the drywell and pressure-suppression pool.
The RHR heat exchanger with its heat sink outside
of the containment is employed to reduce the
temperature of the water feeding the low-pressure
injection and containment spray systems.

37
BWR Safety Features

38
BWR Safety Features

A newer BWR containment


design is similar in
concept. Steam from the
drywell condenses as it
vents to the suppression
pool. There are no
containment sprays in the
drywell, but sprays are
employed in the annular
region above the
suppression pool.

39
BWR Safety Features

Heat and Radioactivity Removal


The BWR radioactivity removal systems are similar
to those of the PWR. Spray additives, reactive
coatings, and adsorber-filter systems help reduce
the concentrations or chemically reactive fission
products.

40
BWR Safety Features

Containment
The BWR containment employs a light-bulb-shaped
steel-lined drywell connected by vent pipes to the
surrounding toroidal (doughnut-shaped) pressure-
suppression pool. As was true for the PWR design,
isolation valves and the pressure-reduction systems
are the primary means of maintaining system
integrity against air-borne release of fission
products. Prevention of core meltdown avoids
containment melt-through failure.

41
BWR Safety Features

Containment
Some of the more recent BWR designs accomplish
the same functions through a multiple containment
consisting of a drywell, steel containment shell,
and concrete shield building. The drywell and the
annular pressure-suppression pool are connected
by horizontal vents separated from the drywell by a
weir wall.

42

You might also like