Chapter 2 - Design Basis Accidents - nuceng.ca 2 - Design Basis Accidents.pdf · 21/09/2009 Chapter...

21/09/2009 Chapter 2 - Design Basis Accidents Rev. 5 1

Lecture 2 - Design Basis Accidents

Dr. V.G. SnellNuclear Reactor Safety Course

McMaster University


Where We Are?

Probabilistic RequirementsDeterministic Requirements

Design BasisAccidents

Plant safetyas operated

Safety GoalsExperience

CredibleAccidents

Plant safetyas designed

Safety CultureGood Operating

Practice

MitigatingSystems

ProbabilisticSafety Analysis

SafetyAnalysis

Chapter 2

Chapter 3

Chapter 1

Chapter 2

Chapter 4

Chapter 5

Chapter 6

Chapters 7 & 8

Chapter 9


How do you get them all?

Whose job is it to make the list?Deterministic AnalysisProbabilistic AnalysisRule or standard

Pressure vessels?

Use them all!


Defence-in-Depth – One View

Off-site emergency responseMitigation of radiological consequences of significant releases of radioactive materials

Level 5

Complementary measures and accident management

Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents

Level 4

Engineered safety features and accident procedures

Control of accidents within the design basis Level 3

Control, limiting and protection systems and other surveillance features

Control of abnormal operation and detection of failures

Level 2

Conservative design and high quality in construction andoperation

Prevention of abnormal operation and failures

Level 1

Essential meansObjectiveLevel


Defence in Depth – One View

Prevention

Control

Protection

Containment & Accident Management

Offsite Emergency Response


Physical Barriers – Another View

Fuel Coolant System Containment

BuildingClad

Exclusion area


Design Approaches to D-in-D

Remote facilityInherently

Safe?

CANDU?

Emphasis

Pre

ven

tion

Pro

tect

ion

Con

trol

Con

tain

,M

anag

e

Off

-Sit

eM

easu

res


Accidents Lists - Top Down

Use principle of immediate causeStart from what you want to avoid


Reactor - Top Down

R e l e a s e o f r a d i o n u c l i d e s

A c c i d e n t s i n v o l v i n g t h e

r e a c t o r c o r e

A c c i d e n t s n o t i n v o l v i n g t h e

r e a c t o r c o r e

R e l e a s e o f t r i t i u m

R e l e a s e o f f i s s i o n

p r o d u c t s

M o d e r a t o r s y s t e m

p r e s s u r e b o u n d a r y

f a i l u r e

R u p t u r e o f c a l a n d r i a

r u p t u r e d i s k d u e t o

o v e r h e a t i n g

M e c h a n i c a l d a m a g e t o f u e l

D a m a g e c a u s e d b y r e f u e l l i n g

p r o c e s s

O v e r h e a t i n g o f t h e f u e l

F u e l d a m a g e c a u s e d b y l o s s

o f c a l a n d r i a s t r u c t u r a l

i n t e g r i t y

I n c r e a s e d r a t e o f e n e r g y

p r o d u c t i o n

F l o w i m p a i r m e n t

L o s s o f h e a t s i n k

O v e r h e a t i n g

L o s s o f c o o l a n t

L o s s o f r e g u l a t i o n ( + v e )

P u m p f a i l u r e s

F l o w b l o c k a g e

L o s s o f p r e s s u r e

b o u n d a r y

L o s s o f P I C

L O C A i n s i d e c o n t a i n m e n t

L O C A o u t s i d e c o n t a i n m e n t

H T S p i p e / h e a d e r f a i l u r e

S i n g l e c h a n n e l f a i l u r e

F a i l i r e o f F / M b o u n d a r y

S D C p i p e r u p t u r e

S G t u b e r u p t u r e

I n s t r u m e n t t u b e f a i l u r e

P u m p g l a n d s e a l f a i l u r e

P u m p g l a n d s u p p l y f a i l u r e

S D C H X t u b e f a i i l u r e

F e e d / B l e e d p i p e f a i l u r e

L o s s o f f e e d w a t e r f l o w

L o s s o f S G s t e a m r e j e c t i o n

S t e a m l i n e f a i l u r e

F e e d w a t e r l i n e f a i l u r e

L o s s o f c o o l i n g w a t e r t o S D C

L o s s o f m o d e r a t o r h e a t

r e m o v a l

L o s s o f e n d s h i e l d h e a t

r e m o v a l

Zoom in to viewFill in some missing steps


Accidents Lists - Bottom Up

Look at failure of each component or system in turn


Reactor – Bottom Up ExampleFMEA – just one level. Why is this of little use?How could dousing fail in this model design?

Channel a Electricvalve

PneumaticvalveChannel b

Fromdousingtank

Channel cSpray


External Hazards

Fire, flood, earthquake, tsunamiExplosionsCan affect more than one system at a timeSite dependentSabotage, terrorism, war

To what extent can the plant be protected?


Canadian Safety Philosophy

NRX – need robust & independent shutdown systemsSiddall – 1959

Nuclear 5 x safer than coalCatastrophic accident versus miningTarget: < 0.2 deaths/year on average


Siddall’s Safety Goals

LOSS OF COOLANT One in 50 years

LOSS OF POWER CONTROL One in 16 to one in 160 years, dependingon severity

SHUTDOWN SYSTEM One in 500 triesUNAVAILABILITY


Laurence (1961)

Safety goal: 10-2 deaths per year from nuclear power plant accidentsDisastrous accident < 1000 early deathsFrequency of disasters < 10-5 / yrFailure of process system

+ Unavailability of shutdown+ Failure of containment


Laurence’s Design Targets

Process failures One in 10 years

Protective System Unavailability One in 100 demands Containment System Unavailability One in 100 demands


Douglas Point Safety Goal

Risk of death to individual member of public < 10-6 per yearRisk of injury to individual member of public < 10-5 per yearEffects of an accident on workers


Single-dual Failure (1967)Single failures = failure of any one process system in the plantDual failures = single failure coupled with the unavailability of either the shutdown system, or containment, or the emergency core cooling system

Special safety systemsPopulation dose limits to deal with siting of Pickering A


Dose Limits (Siting Guide)

ACCIDENT MAXIMUM FREQUENCY INDIVIDUAL POPULATION DOSE LIMIT DOSE LIMIT

Single 1 per 3 years 0.005 Sv 102 SvFailure 0.03 Sv thyroid. 102 Sv thyroid Dual 1 per 3000 years 0.25 Sv 104 SvFailure 2.5 Sv thyroid 104 Sv thyroid

DOSE LIMIT DOSE LIMIT

Single 1 per 3 years 0.005 Sv 102 SvFailure 0.03 Sv thyroid. 102 Sv thyroid Dual 1 per 3000 years 0.25 Sv 104 SvFailure 2.5 Sv thyroid 104 Sv thyroid


Figure 2-3 Consequence Plot of Canadian Safety CriteriaFigure 2-3 Consequence Plot of Canadian Safety Criteria

Consequence Plot of Various Canadian Safety Criteria


Limitations of Siting Guide

Multiple process failuresUnrealistic frequenciesConservative assumptionsSimplified treatment of safety system failuresLong-term reliability


Consultative Document C-6

DOSE/FREQUENCY LIMITS FROM C-6

REFERENCE DOSE LIMIT, Sv

EVENT CLASS WHOLE BODY THYROID

1 0.0005 0.0052 0.005 0.053 0.03 0.34 0.1 15 0.25 2.5

EVENT CLASS WHOLE BODY THYROID


Figure 2-4 Consultative Document C-6 LimitsFigure 2-4 Consultative Document C-6 Limits

C-6 on CANDUPseudo-RiskPlot


RD-337AECL developing the Advanced CANDU Reactor (ACR-1000™; others have modern LWR designsNuclear industry more international and more competitivePressure to align Canadian rules with international practice – although latter not really neutralCNSC “Design of New Nuclear Power Plants”, RD-337, sets new rules for new build and refurbishmentLess emphasis on purity of separation between process and safety systems, more on severe accidents, more design rules etc.


RD-337 Dose Limits

0.020 Sv0.0005 Sv

DBAsAOOs

Class discussion – what does this change emphasize?


Exercise – Critical Experiment

U-235U-235

Support Support

Critical Experiment

Screwdriver

Neutron Detector

neutrons, gamma rays

neutrons, gamma rays


QuestionsDevelop a safety approach using the concept of design basis accidents as follows:

Use both ‘top down’ and ‘bottom up’ approaches to define a set of accidents. Specifically: What is the “top event’ that is to be avoided? What could cause the accidents?How fast do they occur (i.e. what physical process determines the time-scale)? What inherently limits the consequences (i.e., you don’t get a nuclear bomb - why)?Compare the nature of the hazard to the scientists with that to the public?How could the consequence of an accident be prevented or mitigated:

Without any further equipment - i.e., just after it has occurred?With equipment installed beforehand?


Exercise – Zero Power Reactor


Characteristicspool reactor, natural circulation, atmospheric pressurenominal zero energy (a few watts), no engineered heat removal systemslow fuel temperatures, very little fission products in the fuelfuel rods suspended from hangars, can be arranged manually to different lattice pitches and geometries. Fuel rods are stored beside the pool.capability to use fuel with a large range of enrichment (but not highly irradiated fuel)provision for insertion of a few channels consisting of fuel inside a pressure tube containing electrically-heated coolant at high pressure and high temperature, inside a calandria tube (but still nominally ~zero nuclear power)control via moderator level (pump-up and drain), pump-up speed limited by pump capacitymanual start-up and shutdownthree redundant dump valves open to trigger a heavy-water dump on high neutron power or high log-rateno emergency core cooling system, no containment. A cover provides shielding of operators when the reactor is critical.


QuestionsDevelop a set of design basis accidents for this reactor. It is important that you show how you did this, not whether you get the same answer as AECL did. Start from a large list developed using at least two of the techniques discussed in this Chapter and then suggest which accidents you would consider too rare to design against, and why. Provide details -e.g., it is not enough to say “increase in power” - list all the ways this could occur.If you wanted to reduce the risk from this reactor (based on your list of design basis accidents and a judgement about probability), what design changes would you do first?What elements of defence in depth are present in this design? What are missing?


Exercise – District Heating


Safety CharacteristicsSmall reactor for urban district heating

pool reactor, natural circulation, atmospheric pressuredouble-walled pool (350,000 litres) with a purification system (small pump and ion exchange resins, outside the pool)10 MW(th) outputforced-flow secondary side, heat exchanger immersed in the pooltertiary heat exchanger connected to heating gridnegative reactivity feedback from fuel temperature, coolant temperature, coolant voidactive reactor control devices (rods) with limits on rate (a few mk/hour) and depth (no rod in excess of a couple of mk)


Safety Characteristics – cont’dlow fuel temperatures - no free fission products in the fuel two shutdown systems - one active (drops the control rods) and one passive (rods within the core which are thermally activated: the absorber material inside the rods, normally above the core, melts and fall into the core on high temperature)a confinement boundary (not shown in the figure) covering the pool top, but the building is conventionalno Emergency Core Cooling Systema licensed operator is not required to be in the control room. Any upset sounds an alarm which notifies a local attendant (who can shut the reactor down, but not restart it). Licensed operators can remotely monitor the reactor but not control it.


Questions

Develop a set of design basis accidents for this reactor. Are they consistent with an urban location? If not, what could be done?Discuss defence in depth. What does it have? Is it OK even if some aspects are missing?


Homework

Chapter 2, questions 1,2,3,4


ProjectSelect a project from the list given or (even better) propose an equivalent one. Form teams of 2 people (3 if you make the project more difficult).Develop a scope where you outline the problem you are going to solve, e.g.:

ObjectiveMethodology, level of detail & limitationsDevelopment or research neededEffortMilestones

We’ll discuss informally next week. The following week you have to present the scope in detail, for credit.

Date post:	06-Feb-2018
Category:	Documents
Upload:	lynhan
View:	219 times
Download:	1 times

Chapter 2 - Design Basis Accidents - nuceng.ca 2 - Design Basis Accidents.pdf · 21/09/2009 Chapter...

Documents