probabilistic analysis of some safety aspects of a swimmingpool reactor
TRANSCRIPT
Rehabihty Engmeering 13 (1985) 23-31
Probabilistic Analysis of Some Safety Aspects of a Swimmingpooi Reactor
K. L ieber and T. N ico l e scu
Swiss Federal Institute for Reactor Research, 5303 Wtirenhngen, Switzerland
(Received: 5 December 1984)
A B S T R A C T
A probabilistic risk analysis o f some safety aspects, not including radioactwity release, has been performed for the IO M W (thermal) swtmmingpool research reactor S A P H I R . Thts study concentrates on seven international inittatmg events found to be relevant with respect to accident sequences that could result wtth core melt due to the loss of coolant or overcrtticality. The results are given as core melt frequencies for the accident sequences It could be demonstrated that the core melt hazard of the reactor is extremely low
1 I N T R O D U C T I O N
The power increase of the swimmingpool research reactor S A P H I R from 5 to 1 0 M W (thermal) required some changes in existing design, Therefore, a new safety analysis report had to be prepared in order to obtain the operating license. Part of this report was a probabilistic analysis of some safety aspects of the reactor.1
One objective of this analysis was to identify the most dangerous accident sequences that could lead to the release of radioactivity and to
A version of tlus paper was presented at the 8th Advances In Rehabihty Technology Syrnposmrn--ARTS' 84, 25-27 Aprd 1984, Umverslty of Bradford, UK, and is reproduced by kind perrmsslon of the orgamsers
23 Rehab,hty Engineering 0143-8174/85/$03,30 © Elsexaer Apphed Science Publishers Ltd, England, 1985 Printed m Great Britain
24 A Lleber, T Ntcolescu
calculate the frequenoes of their occurrence. A second objective was to discover the weak points of the safety systems and to recommend improvements. The study was carried out m three steps as follows-
(l) establishing the circuit diagrams of the reactor and of the control and safety systems:
(2) identification of initiating events and selecnon of the relevant internal initiating events,
(3) probabihsnc analysis of the accident sequences following these imtiatmg events
No new investigations, w~th regard to the physical behaviour of the reactor in the event of accidents, have been performed. Instead, only existing knowledge or conservative assumptions have been used. The study was limited to the assessment of the core melt frequencies, no release categories were determined
2 M E T H O D O L O G Y
The probabihstlc method used was based on that of the 'Reactor Safety Study' WASH-1400. 2 Event tree techmques were used to identify the possible accident sequences.The failure probabilities of the systems revolved in the accident sequence were calculated using a fault tree techmque.
All minimal cut-sets that could lead from the failure of single components up to the failure of the respected system were identified. Common mode failures were considered both in terms of event trees, taking into account mutual dependencies of systems, and in terms of fault trees, takmg into account failures of ldenncal components.
The failure rates of the components were considered to be constant between successive inspections The main source of failure data was the data bank of the 'Systems Rehabllity Service'/GB The GRS-Report on failure data 3 and the 'Reactor Safety Study '2 were also used.
3 REACTOR C O N T R O L A N D SAFETY SYSTEM
Figure 1 shows the layout of the sw~mmingpool reactor and the bridge that carries the control rods. The core is placed m a basin, about 7 m below the water surface The water IS the most important safety barner
Probabthstic analysis o] safety aspects oJ swtmmmgpool reactor 25
Fig. 1. Swlmmingpool research reactor SAPHIR m operation. Cerenkov radiation is visible below
26 K Lteber, T Nwolescu
because it allows the removal of residual heat by natural convection alone.
The scheme of the important circm ts is shown in Figure 2. During power operation the core is cooled by a primary cooling circuit; this circuit ~s coupled with auxiliary circuits for the detection of water actiwty and for water cleaning.
The heat of the primary cooling c~rcuits is transferred wa a heat exchanger into the secondary circuit which is connected to a river. The make up water is taken from the ground water. The electric power is supphed by the regional grid.
The primary circuit and the level of the basra water (Fig. 2) are monitored by the following two systems'
(1) command system--it informs the operator about the operation state of the water circmts and allows appropriate control actions,
(2) scram execution system--it releases the reactor scram auto- matically or by operator action (SLOW SCRAM).
The other three safety systems to be considered are as follows:
(1) reactor control and safety system--it supervises the reactor operation and releases the reactor scram (FAST SCRAM) in emergencies;
(2) electric power supply system--it provides three sources--the regional grid, the two diesel generators and the battery system
(3) hydraulic closing system (HD, Fig. 2)--with this system the seven radiation channels can be closed individually (SR, Fig. 2)
4 DESCRIPTION OF THE RELEVANT INTERNAL INITIATING EVENTS
The detailed investigation of the reactor m operation led to the identification of a large number of internal events which could imtiate an accident. These events were classified according to their influence on reactor operation.
Finally, seven events, which are considered to be the most dangerous because they can initiate a rapidly developmg accident with the melt of fuel elements, were chosen. The selection of these initiating events was carried out in close cooperation with the reactor experts.
In the following sections the selected events and their intervening safety systems are briefly considered.
CLE
AN
ING
C
iRC
UiT
CO
MM
AN
D
/ "
- S
YS
TE
M
* "
AL
AR
M
~7
LO
I~5 &
l
Fig.
2.
Con
trol
sys
tem
of
the
reactor
cool
ing
circ
uits
UNIT
28 K Lwber, T Nwole.~cu
4.1 Large pipe break in the primary cooling circuit
In the event of a large pipe break in the primary circuit, reactor cooling is interrupted because there is no water flow into the basra, A special venting pipe prevents a total loss of basin water by the syphon effect through the funnel (TC, Fig 2)
In order to prevent a core melt the reactor scram is necessary The scram can be released by the reactor control and safety system or directly from the water level measuring equipment (NV, Fig. 2) Residual heat removal can be maintained by the basin water through natural convection as long as the water covers the core
The safety systems considered in the event tree were: electric power supply system and reactor control and safety system
4.2 Break of a radiation channel
The radiation channel consists of two coaxial pipes. They are placed at the level of the reactor core (SR, Fig 2)
A complete break of the d ou ble wall of a radiation channel can cause a loss of basin water up to the level of the broken radiation channel. In this case the core becomes only partly covered with water and this could lead to a core melt. To prevent a core melt a scram is necessary and the broken radiation channel must be closed tight.
The safety systems considered In the event tree were electric power supply system, operator command system, scram execution system and hydrauhc closure system for the radiation channel.
4.3 Large partial covering of the core
Large partial covering of the core can o c c u r if, for example, a large transparent plastic sheet falls into the open basin. The flux of water passes the reactor core from above to the ground (TC, Fig.2). By this the plastic sheet can be transported to several cooling channels of the core. These channels will then become covered and the water flux will be interrupted The covering of cooling channels causes local overheating of fuel elements: this could lead to partial core melt
For this initiating event it was assumed that the overheated area generates vapour bubbles that are numerous enough to cause a d~sturbance of reactivity which is detectable by the control instrumen- tation. This enables the control and safety system or the operators to prevent a further development of the accident
Probabtlzsttc analysts of safety aspects of swlmmmgpool reactor 29
The safety systems considered in the event tree were: electric power supply system and reactor control and safety system.
4.4 Little partial covering of the core
Little partial covering of the core can occur If, for example, a small plastic sheet falls into the open reactor basin. The flux of water passes the reactor core from above to the ground and therefore can transport the plastic sheet to some cooling channels This could lead to a melt of fuel elements
For this initmting event it was assumed that the covering ~s not
sufficiently large to be indicated by the local disturbance of reactivity caused by the production of vapour bubbles due to overheating of one fuel element In this case only engagement of the operator is possible
The safety systems considered in the event tree were: electric power supply and reactor control and safety system.
4.5 Loading accident
During a loading operation at the reactor the insertion of a central element into the subcritical reactor could cause, in extreme cases, overcrlticahty which makes the scram necessary. If no scram is made, a core melt could occur
In order to investigate the influence of subsystems of the reactor control and safety system, three variants were analysed for this initmtlng event. For variant 1 the automatic engagement of the control and safety system by the system operations REVERSE and FAST SCRAM (Fig 2) as well as the operator action necessary for SLOW SCRAM (Fig. 2) were considered.
For variant 2 only one automatic engagement mode, FAST SCRAM, and for variant 3 two automatic engagement modes, FAST SCRAM and REVERSE, were assumed.
The safety systems considered in the event tree were electric power supply system and reactor control and safety system
4.6 Starting accident
During the start operation of the reactor it could happen that the control rods are pulled out continuously. This is possible only if the periodic signals of the fission counters fail to appear or are not processed further. In this case core melt could occur. In order to investigate the influence of
31) h LwbeJ, 1 /Vwole~cu
subsystems of the reactor control and safety system, four variants were considered:
Variant 1 assumes automatic engagement of the reactor control and safety system, and the operator actions 'scram' and 'boric poisoning'. Variant 2 assumes automatic engagement and the operator action scram Variant 3 assumes only automatic engagement Variant 4 assumes the operator actions scram and boric poisoning but no automatic engagement
The safety systems considered in the event tree were: electric power supply system and reactor control and safety system
4.7 Loss of external electric power supply
If the electric power supply falls, the cooling pump wdl be shut down and will not be restarted even if the emergency electric power supply comes into operation. The reactor will then remain without forced coohng and a core melt could occur if there was no reactor shut down Also, if the emergency electric power supply falls, the reactor must be shut down Therefore, in both cases, reactor scram should occur m order to avoid core melt
If the automatic scram fails, the operator still has the chance of enforcing the shutdown either by hand scram or by boric poisoning In order to initiate operator action emergency electric power must be available
The safety systems considered in the event tree were. emergency electric power supply by diesel generators, emergency power supply by batteries and the reactor control and safety system
5 RESULTS
Table 1 gives a survey of the results of the study. For each of the seven internal initiating events the consequences 'core melt' or 'partml core melt', with the corespondmg frequency values of the accident sequences, are given As can be seen from Table 1 the sum of the frequencies of all accident sequences leading to core melt has a very low value, i.e. < 1 0 × lO-6year
Two types of initiating events can cause accident sequences with only
Probablhstw analysts of safety aspects of swtmmmgpool reactor 31
T A B L E 1
Expected Frequencies of the Accident Sequences with the Consequences (Core or Partial Core Melt) Gxven for the Relevant Internal Initiating Events
lnlllatlng event Consequences Frequency of the (core behavtour) acctdent sequences
(year- 1)
Large pipe break m the primary cooling circuit
Break of a radlaUon pipe Large partial covering of the core Little partial covering of the core Loading accident core melt Starting accident core melt Loss of external electric power
supply core melt
The accident sequences w~th consequences core melt partial core melt
core melt 14 x 10 - 9
core melt 80 x 10 -~° partial core melt 49 x 10 - 4
partial core melt 39 x 10 -~ 19x10 -7 13x10 -7
14x10 -s
3 4 x 1 0 -7 44 x 10 -3
par t ia l core melt . The f r equency sum o f these acc ident sequences is a b o u t 4.4 × 10 _3 y e a r - 1 . This va lue results f r o m the fact tha t the de tec t ton o f
par t i a l cove r ing o f the core in the exist ing safe ty design was no t efficient. By our p r o p o s a l an i m p r o v e m e n t o f the de tec t ion sys tem was deve loped
tha t reduces the to ta l f r equency for pa r tml core mel t by two orders o f
m a g n i t u d e T a k i n g into accoun t this i m p r o v e m e n t it can be said tha t , for the seven
inves t iga ted m t e rna l in i t ia t ing events , the to ta l f r equency o f all acc ident sequences resul t ing m core mel t or pa r t m l core mel t is still a low value.
R E F E R E N C E S
1 Rlskostudie S AP HIR Probabdistlsche Analyse Clinger Slcherheitsaspekte des Schwlmmbadreaktor SAPHIR, EIR, Wurenhngen, Switzerland, 1980
2 Reactor Safety S tudy- -An assessment of accident risks xn US commeroa l nuclear power plants, WASH-1400 (NUREG-75/014), Washington, DC, USA, 1975
3 Balfans, H P Ausfallratensammlung, IRS-W-8, Gesellschaft fur Reakto- slcherheit, Koln, Germany, 1975