safety approach, safety issues and provisions technical workshop to review safety and design aspects...

Safety Approach, Safety Issues and Provisions

Technical Workshop to Review Safety and Design Aspects ofEuropean LFR Demonstrator (ALFRED),

European LFR Industrial Plant (ELFR), andEuropean Lead Cooled Training Reactor (ELECTRA)Joint Research Centre, Institute for Energy and Transport,

Petten, the Netherlands, 27–28 February 2013

Luigi Mansani

[email protected]

Technical Workshop; Joint Research Centre, Petten, the Netherlands, 27–28 February 2013

ALFRED

SAFETY APPROACH


Safety Approach

Gen II & III Safety• Safety Level that has been attained by the currently operating Gen II NPPs is

already very good• Quantitative safety objectives applicable to Gen III NPPs are very ambitious and

guarantee an improved level of protection reducing the level of risk in a demonstrable way

Gen IV Safety Goals• Excel in operational safety and reliability • Have a very low likelihood and degree of reactor core damage• Eliminate the need for offsite emergency responses in case of severe accidentsFundamental Safety Objectives• General nuclear safety objective: To protect individuals, society and the

environment by establishing and maintaining in NPPs an effective defence against radiological hazard

• Radiation protection objective: To ensure in normal operation that radiation exposure within the plant and due to any release of radioactive material from the plant is As Low As Reasonably Achievable (ALARA)

• Technical safety objective: To prevent with high confidence accidents in NPPs; to ensure radiological consequences, if any, would be minor, even for accident of very low probability; and to ensure that the likelihood of severe accidents with serious radiological consequences is extremely small


Safety level of GEN III plants (e.g. AP1000 and EPR) is the reference for future reactors adoption of quantitative safety objectives recommended by EUR

Safety improvement for Gen IV systems is possible through progress in knowledge and technologies and the application of a cohesive safety philosophy early in the design process safety is to be “built-in” to the fundamental design rather than “added on” full implementation of the Defence in Depth principles

• Exhaustive: complete identification of initiating events• Progressive: no major consequences from short sequences• Tolerant: no “cliff edge effects”• Forgiving: sufficient grace period and recover possible during

accidental situations• Well-balanced: no sequence contributes in an excessive way to

damaged plant states “risk-informed” approach deterministic approach complemented with a

probabilistic one

Safety Approach


Defence in Depth main principlecompensate for potential human and mechanical failures with several levels of protection, including successive barriers, preventing the release of radioactive material to the environment

Defence in Depth strategy prevent accidentsif prevention fails, limit potential

consequences of accidents and prevent their evolution to more serious conditions

WENRA structure of DID levelsSeveral beyond design basis

scenario are now included in the design basis (multiple failures accidents)

Consideration of practically eliminated situations (at level 4) since the design stage

Safety Approach


Basic Safety Function1. Control of the reactivity (reactor power)2. Removal of heat from the core (cooling

the fuel without exceeding decay heat plus heat losses)

3. Confinement of radioactive materials (within the appropriate barriers) and control of operational discharges, as well as limitation of accidental releases

Barrier and Level of Defence4. Fuel matrix;5. Fuel cladding;6. Primary coolant boundary;7. Confinement (containment system)

Safety Approach


Design for Safety

To enhance systems reliability and to protect against common cause failures :

Redundancy: use of more than the minimum number of sets of equipment to fulfill the safety function

Diversity: systems or components performing the same safety function differ for principle of operation, physical variables or manufacturer

Independency: the independence among redundant safety systems or systems belonging to different safety classes can be accomplished through functional isolation or physical separation


Used References

EUR Chapter 2.1 “Safety Requirements”

“Basis for the Safety Approach for Design & Assessment of Generation IV Nuclear Systems” by RSWG

Safety Objectives for New Power Reactors (WENRA Reactor Harmonization Working Group)

IAEA safety reports, e.g. INSAG-10: Defense in Depth in Nuclear Safety NS-R-1: Safety of Nuclear Power Plants: Design INSAG-3: Basic Safety Principles for Nuclear Power Plants


Safety Demonstration

• Gen III plants : – Deterministic approach (conservative code and assumptions) applied

to Design Basis Conditions– Probabilistic approach (realistic conditions and BE data), generally

applied for Safety assessment of Beyond Design Basis conditions (Design Extended Conditions)

• Gen IV plants:– Complementary use of deterministic and probabilistic approaches, to

be used in an iterative manner since the conceptual stage of design

Integrated Safety Assessment Methodology (ISAM)Objective Provision Trees (OPT)


Identification of initiating events for LFR

In the ALFRED design process the Objective Provision Tree (OPT) is adoptedFor each level of DiD (normally level 1 to 5) and for each safety objective/function

identification of:

• the possible challenges to the safety functions,• the plausible mechanisms which can materialize these challenges,• the provided provision(s) to prevent, control or mitigate the consequences

The IE for both ALFRED and ELFR identified through the application of the MLD (top -down approach):

The analysis starts with three main pathways challenges to the three physical barriers

• Fuel Cladding Challenges• RCS Boundary Challenges• Containment Challenges


ALFRED Fuel Cladding Challenges

[1.1]REACTIVITY and POWER

DISTRIBUTION ANOMALIES

[1.1.3]CORE

COMPACTION

[1.1.5]FUEL

ASSEMBLIES LOADING ERROR

[1.1.2]STEAM/GAS

ENTRAINMENT INTO PRIMARY

COOLANT

[1.1.4]FAILURE in

CORE SUPPORT FUNCTIONS

Level 4

[1.1.1] SHUTDOWN

SYSTEMS FAILURE or MALFUNCTION

1.1.2.1SG tube rupture

[1.2]DECREASE OF FUEL ASSEMBLY

HEAT REMOVAL

1.2.1FUEL

ASSEMBLY PARTIAL

BLOCKAGE

1.2.2FUEL

ASSEMBLY MECHANICAL

LOCK FAILURE

[1]FUEL CLADDING CHALLENGES

Level 1

Level 2

Level 3

1.1.1.1INADVERTENT CONTROL ROD

ASSEMBLY WITHDRAWAL

1.1.1.2CONTROL ROD

ASSEMBLY EJECTION

1.1.1.3CONTROL ROD

ASSEMBLY DROP

1.2.3DECREASE

of RCS HEAT

REMOVAL

See Barrier 2

1.1.2.2Fuel Rod Damage with release of fission gas


ALFRED RCS Boundary Challenges

[2.1]RCS TEMPERATURE

VARIATION

2.1.2DECREASE in

HEAT REMOVAL

2.1.3 DECREASE of PRIMARY

FLOWRATE

2.1.4DECREASE OF PRIMARY

LEAD INVENTORY

2.1.1INCREASE in

HEAT REMOVAL

2.1.1.1Increase of SG heat removal capability

Level 2

Level 3

2.1.1.1.1Reduction in

feedwater temperature

2.1.1.1.2Increase in feedwater

flow

2.1.1.1.3Excessive increase in

secondary steam flow

2.1.1.1.4Inadvertent

opening of SS safety valve

Level 4

Level 5

2.1.1.2Inadvertent actuation of

DHR systems

2.1.1.1.xSG secondary side

mulfunctions

2.1.2.1.2Turbine trip

2.1.2.1Increase of secondary

temperature

2.1.2.2Decrease of secondary

flow

2.1.2.1.1SG Feedwater

malfunction

2.1.2.1.3Steam flow decrease

Level 4

Level 52.1.2.2.1

Loss of AC power

2.1.2.2.2FW Pump failure or

malfunction

2.1.2.2.3SG flow blockage

2.1.3.1Primary pump failure

or malfunction

2.1.3.2Primary coolant flow blockage

2.1.3.1.1 Loss Of Electric

Power

2.1.3.1.2Loss Of Ac Power To

Plant Auxiliaries

2.1.3.1.3Pump Shaft

Break

2.1.3.1.4Pump Shaft

Seizure

2.1.4.1Vessel leakage or

break

[2.1]RCS TEMPERATURE

VARIATION

2.1.2DECREASE in

HEAT REMOVAL

2.1.3 DECREASE of PRIMARY

FLOWRATE

2.1.4DECREASE OF PRIMARY

LEAD INVENTORY

2.1.1INCREASE in

HEAT REMOVAL

2.1.1.1Increase of SG heat removal capability

Level 2

Level 3

2.1.1.1.1Reduction in

feedwater temperature

2.1.1.1.2Increase in feedwater

flow

2.1.1.1.3Excessive increase in

secondary steam flow

2.1.1.1.4Inadvertent

opening of SS safety valve

Level 4

Level 5

2.1.2.1.2Turbine trip

2.1.2.1Increase of secondary

temperature

2.1.2.2Decrease of secondary

flow

2.1.2.1.1SG

Feedwater malfunction

2.1.2.1.3Steam

flow decrease

Level 4

Level 52.1.2.2.1Loss of

AC power

2.1.2.2.2FW Pump failure or

malfunction

2.1.2.2.3SG flow blockage

2.1.3.1Primary pump failure

or malfunction

2.1.3.2Primary coolant flow blockage

2.1.3.1.1 Loss Of

Electric Power

2.1.3.1.2Loss Of Ac Power To

Plant Auxiliaries

2.1.3.1.3Pump Shaft

Break

2.1.3.1.4Pump Shaft

Seizure

2.1.4.1Vessel leakage or

break

2.1.1.1.5Main steam line break

2.1.2.2.4Inadvertent actuation of

IC

2.1.2.2.5SG tubes rupture

[2]RCS BOUNDARY CHALLENGES

Level 1


ALFRED Containment Challenges

3. CONTAINMENT

CHALLENGES

3.1. CONTAINMENT PRESSURE/

TEMPERATURE TRANSIENT

3.2. RADIOACTIVE RELEASES INSIDE

CONTAINMENT

Level 1

Level 2

3.1.1. LEAKAGES FROM HIGH ENERGY

SYSTEMS INSIDE CONTAINMENT

Level 3 3.1.2. REACTOR CONTAINMENT

PRESSURE TESTS

3.2.1. LOW ENERGY RADIOACTIVE FLUID SYSTEMS FAILURE

INSIDE CONTAINMENT

3.2.2. FUEL HANDLING ACCIDENT

3.1.1.1. STEAM SYSTEM PIPING

BREAK

3.1.1.2. FEEDWATER SYSTEM PIPING

BREAKLevel 4

3.2.1.2. LEAKAGE FROM MAIN

REACTOR VESSEL

3.2.1.1. COVER GAS PIPING BREAK

3.2.1.3. LEAKAGE FROM LIQUID AND

GAS WASTE SYSTEM

3.2.1.2.1. LEAKAGE FROM VESSEL TOP

CLOSURE

Level 5


Resulting list of events

• Reactivity and power distribution anomalies

– Inadvertent control rod assembly withdrawal

– Control rod assembly drop– Changes in core geometry due to

earthquake – Fuel assembly loaded in an incorrect

position– Fuel assembly loaded with incorrect

composition– SG tube rupture– Fuel rod damage

• Increase in heat removal from primary system

– Reduction in feedwater temperature– Increase in feedwater flow– Excessive increase in secondary steam flow– Inadvertent opening of SG SS safety valve

• Decrease in heat removal by Secondary System

– Inadvertent actuation of Isolation Condenser

– SG feedwater system line break– Loss of normal feed – Turbine trip

– Inadvertent closure of main steam isolation valves

– Loss of load– Loss of AC power– FW pump failure or malfunction– SG Flow blockage– FW line break

• Decrease in Primary Coolant System Flow Rate

– Fuel Assembly Partial Blockage – Flow by-pass from Inner vessel (break in

the pumps inlet ducts) – Mechanical or an electrical failure of a

primary pump (Partial loss of flow)– loss of electrical supplies to primary

pumps (Complete loss of Flow)– Pump Shaft Break– Pump Shaft Seizure

• Decrease in Primary Coolant Inventory– Loss of coolant accident resulting from

Main vessel leakage or break• Challenges to reactor Building

– Steam line break– Feed line break– Cover Gas line break– Leakage from Vessel Top Closure


Categorization According to Frequency of Occurrence

EUR approach:• DBC1 Design Basis Category 1 Conditions (Normal Operation)

• DBC2 Design Basis Category 2 Conditions (Incident Conditions): Conditions which may occur once or more in the life of the plant (f >10-2).

• DBC3 Design Basis Category 3 Conditions (Accident Conditions): Conditions which may occur very infrequently (10-2 > f >10-4).

• DBC4 Design Basis Category 4 Conditions (Accident Conditions): Conditions which are not expected to take place (10-4 > f > 10-6), but are postulated because their consequences would include the potential release of significant amounts of radioactive material.


Events classified by frequencies

• Design Basis Category 2 Conditions– Inadvertent control rod assembly

withdrawal– Control rod assembly drop– Inadvertent actuation of DHR systems– Reduction in feedwater temperature– Increase in feedwater flow– Excessive increase in secondary steam

flow– Inadvertent opening of SG SS safety

valve– Loss of normal feed – Turbine trip– Inadvertent closure of main steam

isolation valves – Loss of load– Loss of AC power– Mechanical or an electrical failure of a

primary pump (Partial loss of flow)

• Design Basis Category 3 Conditions− Fuel assembly loaded in an incorrect

position− Fuel assembly loaded with incorrect

composition− Loss of electrical supplies to primary

pumps (Complete loss of Flow)− Steam generator tube rupture

• Design Basis Category 4 Conditions – Pump Shaft Break– Pump Shaft Seizure– SG feedwater system line break, – Fuel Assembly Partial Blockage – SG flow Partial Blockage– Steam line break– Cover Gas line break– Feed line break


Beyond Design Basis Conditions

• Single initiating events should be "dealt with" or "excluded" :

– “dealt with” events: proof that the plant can deal with design extension conditions is achieved with specific rules (e.g. best estimate);

– a limited number of initiators, sequences or situations are “practically eliminated” by showing, with a robust demonstration that, through the implementation of specific provisions, the corresponding risk is made acceptable initiators rejected within the Residual Risk (RR)


Design Extension Conditions (DEC)

• DEC are a specific set of accident sequences that goes beyond Accident Conditions – Complex Sequences: certain unlikely sequences which go beyond

those in the deterministic design basis in terms of failure of equipment or operator errors and have the potential to lead to significant releases but do not involve core damage

– Severe Accidents: certain unlikely event sequences beyond Accident Conditions involving significant Core Damage which have the potential to lead to significant releases


DEC Approach

• Design Extension Conditions are addressed to identify the need for implementation of measures (upgraded or additional equipment or accident management procedures) for Complex Sequences (decreasing their probability) and Severe Accidents (to prevent early and delayed containment failure and to minimise releases for the remaining conditions)

• General rules to be applied (DBC assessment Rules do not necessarily apply):– Possible operator actions and needed grace delay time (EUR state that

Operator action shall not be credited before 30 minutes)– Qualification of provisions: required demonstration of capability of

performing required actions and survivability – independency of provision needed to mitigate a DEC versus those provided

to fulfil DBC requirements– Possible role of low safety classified or non-classified provisions, including

the possible use of some provision beyond their initially intended DBC capability, to bring the plant to a controlled state or to mitigate the consequences of a severe accident


ALFRED

SAFETY ISSUES AND PROVISIONS


Structural erosion and corrosion

Safety issue: molten lead interacts with structural materials through corrosion at high-temperature and erosion

Design provisions to improve the compatibility of lead and steels Material selection: austenitic low-carbon steels (AISI 316L) for components at

low temperatures and low irradiation flux (e.g. reactor vessel), T91 for the Inner Vessel and Fuel Assembly structures, 15/15 Ti stabilised steels for fuel cladding and spacer grids

Operate at low temperature range (400 °C - 480°C) and maintain a controlled amount of oxygen dissolved in the coolant to build-up a protective corrosion barrier

Utilize surface coatings: the corrosion resistance of structural materials can be enhanced by FeAl alloy coatings with ad-hoc techniques (aluminization or GESA technology)

Limit coolant flow velocity: the lead flow velocity is limited to a value that cause a negligible erosion (typically 2 – 3 m/s)

R&D activities: Suitable materials, e.g. Maxthal ceramics for pump impeller or ODS steel for

structures Coating processes (e.g. tantalum) already used in conventional plants Lead chemistry (corrosion inhibitors)


Steam Generator Tube Rupture

Safety issues: water interaction with lead in case of SGTR can potentially pose several concerns:

formation and propagation of pressure waves due to dynamic interactions between the discharged jet flow and molten lead

formation and expansion of the mixing zone leading to pool sloshing pre-mixture entering a coolant-coolant interactions (CCI) regime leading to a

steam explosion water evaporation results in Reactor Vessel pressurization steam transport toward the reactor core with potential reactivity insertion

experimental findings from Beznosov (assessment of Brest reactor) show that high-pressure discharge of water into molten lead forms a disperse phase of small-diameter steam bubbles that are, in general, stable, since thick vapour film prevents the effective liquid-liquid contact. When the small bubbles coalesce and form a large steam bubble, the water has readily evaporated no potential for steam explosion

Available results (experiments & analyses) Rupture induced pressure wave poses no significant threat to in-vessel

structures, except very few adjacent tubes (no sudden water vaporization) Sloshing-related fluid motion is well bounded in a domain beyond the SG


Design provisions to prevent or mitigate over-pressurization and steam/water entrainment in the core

adoption of double wall bayonet tube in the Steam Generator: in case of one out of two wall tube break, primary lead does not interact with the secondary water and the tube break is detected monitoring the Helium gap pressure

in case of simultaneous rupture of both tube walls:• rupture disks are installed in the reactor roof to relief the resulting over-pressure • to reduce the potential of steam transport to the core, a mechanical device at the

steam generator tube outlet promotes the separation between lead and steam• minimizing flow rate from the break (orifices water side; low SG water inventory)

R&D activities: Preliminary experimental activities performed at Enea Brasimone (LIFUS

facility) aimed to explore the phenomenology and code qualification Planned (short term) activities for one full scale SG double wall bayonet tube Further experimental and computational investigations on a SG mock up are

planned in the ATHENA facility at Enea Brasimone (construction planned) Suitable experimental and computational program to verify the effectiveness

of the above design provisions

Steam Generator Tube Rupture


Coolant flow blockage

Safety issue: excessive amount of lead oxides and other impurities in the lead coolant could result in circuit fouling and slugging with reduction of flow cross sections, potentially causing coolant flow blockages

Design provisions control of coolant parameters and quality, control of concentration of dissolved oxygen in the coolant removal of lead oxide and other impurities from coolant (e.g. using

hydrogen or coolant filtration) purification and control of cover gas sudden and complete flow blockage prevented by the FAs design solution

consisting of multiple inlet openings. Gradual blockage caused by deposition of material can be monitored by

detection of each FA outlet temperature increase (possible due to the adopted wrapped Hexagonal FAs)

R&D activities: detailed design of the purification and control systems for ALFRED are

currently under study


Coolant freezing

Safety issue: the high melting point (327°C) can pose concerns related to the possibility of lead freezing/solidification: is this a safety issue or an investment protection issue?

Design provisions Feed Water Temperature Control (FWTC) to assure a feedwater temperature

not lower than 335 ºC Design of DHR actuation logic to exclude the simultaneous operation of both

DHRs systems Auxiliary heating system to ensure the minimum temperature of the lead by

transmitting heat from the secondary system during long outages Preheating of surfaces having contact with the liquid lead during

commissioning of the plant (without fuel assembly)

R&D activities: Dedicated experimental and computational analyses aimed to demonstrate

the possibility of lead re-melting severe fuel damage Design changes to DHRs are under investigation in the MAXSIMA project in

order to make the grace time infinite, avoiding freezing (eliminating the need of operator action)

The commissioning & start up procedures for ALFRED is under investigation


Core compaction following earthquakes

Safety issue: the rearrangement of fuel assemblies into a geometrically more compact configuration induced by earthquakes might lead to positive reactivity insertions

Design provisions 2D seismic isolators under the primary building * Wrapped hexagonal Fuel Assemblies in contact and laterally restrained

at bottom core structures designed to ensure that the maximum elastic

deformation following a DBE does not lead to reactivity insertion greater than 1 $

* This design provision faces also the issue : Large specific weight of lead and its quantities in the primary pool might, in case of external excitations, challenge structural integrity or functionality of components


Chemical and radio toxicity

Safety issues:polonium formation interaction with fission products in case of clad failures chemical toxicity of lead

Intrinsic lead features Po production rate in Pb is low and its volatility is depressed through the

lead retention properties o for ALFRED the calculated total Po production in the 3400 tons commercial

lead (C1) is 0.4 g, and o Po volatized fraction in the cover gas at 480°C and 800 °C is 2.0 10-10 and

3.0 10-7 respectively Lead has good retention properties of FPs (e.g. I, Cs, Sr) and only a small

fraction is expected to be vaporized into the cover gas system o I volatilized fraction in Lead at 480°C and 800 °C is 9.0 10-8 and 3.0 10-5

respectivelyo Cs volatilized fraction in Lead at 480°C and 800 °C is 2.4 10-7 and 4.9 10-6

respectivelyo Sr volatilized fraction in Lead is very small (< 10-15)


Chemical and radio toxicity

Safety issues: polonium formation interaction with fission products in case of clad failures chemical toxicity of Lead

Intrinsic lead features Due to the low vapour pressure of Pb (2.8 10-5 Pa at 400 °C), its

concentration inside the containment during refuelling or ISI operation (with vessel open) is reasonably low a conservative evaluation (value above the Pb free surface) gives about 2 μg/m3 o Considering mixing the ALFRED cover gas volume (80 m3) with the

reactor hall volume (24000 m3) the Lead concentration would be reduced of a factor 103

Lead chemical toxicity thresholds in air for workers is 150 μg/m3 (by Council Directive 1998/24/EC and by HSE EH40/99 Occupational exposure limits - 1999)

Lead chemical toxicity thresholds in air for general population is 0.5 μg/m3 (by Council Directive 1999/30/EC) or 0.5-1 μg/m3 (by WHO Environmental Health Criteria 165 -1995)


ALFRED

Thank yo

u for y

our att

ention

safety approach, safety issues and provisions technical workshop to review safety and design aspects...

Documents

safety safety level

safety approach gen

operational safety

safety issues

safety level of gen

alfred safety approach

design process safety

safety goals excel