CANDU® Safety Basis: Limiting & Compensating for Positive Reactivity Insertion

Albert Lee PhD, IX International School on Nuclear Power, November 14-17, 2017


A world leader

Founded in 1911, SNC-Lavalin is one of the leading engineering and construction groups in the world and a major player in the ownership of infrastructure. From offices in over 50 countries, SNC-Lavalin’s employees provide EPC and EPCM services to clients in a variety of industry sectors, including mining and metallurgy, oil and gas, environment and water, infrastructure and clean power. SNC-Lavalin can also combine these services with its financing and operations and maintenance capabilities to provide complete end-to-end project solutions.

© [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 2

Safety First

Remember that all SNC-Lavalin meetings begin with a Health & Safety moment. Safety doesn’t happen by accident.

Outline

• Definition of nuclear safety
• CANDU overview
• Means of Shutdown
• Reactor inherent protection: Canadian and international regulatory requirements for reactor protection
• CANDU Safety Basis: Limiting & Compensating for Positive Reactivity Insertion
• Inherent and Passive Safety Features
• Relevance of PCR and CVR to Licensing
• CNSC Position
• Compliance of CANDU to IAEA SSR 2/1
• Summary

Supplementary Information

• Canadian vs Poland Terminology
• Enhanced CANDU 6 Health and Safety Objectives
• Fundamental Safety Functions
• CANDU overview
• Hierarchy of Plant States
• Defence-in-Depth
• Two-Group Separation Philosophy
• Power Coefficient of Reactivity
• Coolant Density (or Void) Coefficient
• Void Formation
• Neutron Kinetics
• CANDU and CNSC Guidance on Nuclear Design for New Designs (US NRC GDC-11)

Definition of Nuclear Safety


› IAEA definition of nuclear safety: Safety is the achievement of proper operating conditions, prevention of accidents and mitigation of accident consequences, resulting in protection of workers, the public and the environment from undue radiation hazards.

› For positive reactivity insertion events, safety is achieved when:

• There is no resultant failure of the pressure boundary
  › Pressure increase due to power increase is limited to less than the failure limit of the pressure boundary
• Ability to cool the fuel is maintained, and
  › Energy deposited in the fuel due to power increase does not cause fuel to lose coolable geometry
• Significant core damage is prevented
  › Meeting above two criteria prevents significant core damage

CANDU® Reactor Overview

CANDU First Design Principles

• Use heavy water as moderator and coolant:
  › Benefit: Maximizes neutron economy
  › Benefit: Allows the use of natural uranium
  › Safety Benefit: Long prompt neutron lifetime (10⁻³ seconds)

• Circulate coolant in pressure tubes:
  › Benefit: Allows low-pressure calandria, no need for a large pressure vessel

CANDU Reactor Assembly

• Fuel channels:
  › Arranged in a lattice geometry horizontally through the heavy water moderator
• High pressure and temperature primary coolant in pressure tubes
• Separate low pressure moderator
• Calandria Vessel is immersed within a large volume of water in a Calandria vault
  › Provides radiation shielding
  › Provides a heat sink

CANDU First Design Principles

• Make use of on-power refuelling:
  › Benefit: Enables use of natural uranium
  › Benefit: Maximizes capacity factor
  › Safety Benefit: Minimizes available core excess reactivity

• Use a simple, economical fuel bundle design:
  › Benefit: Minimizes costs and makes it easy to localize fuel fabrication
  › Benefit: Supports ease of fuel handling and flexibility of core management

CANDU Fuel Channel Concept


CANDU Core Physics


Optimized spacing of fuel channels
• increases the probability of fission neutrons being slowed down in the moderator volume between the fuel channels
• increases the probability of neutrons interacting with the fuel.

This is a basic parameter of CANDU design, with the lattice size being very near the value which maximizes reactivity
• The value is slightly larger than the value for maximum reactivity, due to concerns in the early design days regarding the feasibility of construction with channels more closely spaced

CANDU 6 Positive Reactivity

› CANDU 6 design basis is for near-zero Power Coefficient of Reactivity (PCR)
  › The sign is not significant to operation or safety: only the near-zero nature
› CANDU 6 reactors have a positive Coolant Void Reactivity (CVR)
  › The most significant reactivity insertion event at <1 $ is Large Loss of Coolant Accident
› Inherent nuclear & reactor characteristics limit, or compensate for, the range of possible reactivity insertions
› The long reactor period is a prompt inherent nuclear feedback characteristic that tends to compensate for a rapid increase in reactivity (and power)

Means of Shutdown

› Shutdown systems SDS1 and SDS2 are fully independent
› Execute their function in the low-pressure moderator, not in the high-pressure Heat Transport System
› Rod ejection not possible
› SDS1 and SDS2 each are fully capable to render the reactor sub-critical for normal operation, all AOOs and all DBAs (Also capable for DECs)
› Either SDS1 or SDS2 remains poised during Guaranteed Shutdown State
› SDS1 uses mechanical shutoff rods
  › Dedicated instrumentation detects events
  › A trip de-energizes the clutches that hold the shutoff rods
  › The rods drop into the core by gravity, assisted by springs (passive safety feature)
› SDS2 injects a neutron-absorbing poison into the moderator.
  › Dedicated instrumentation detects events
  › A trip de-energizes solenoids that hold fast-acting valves closed
  › Liquid poison injected into the moderator by high-pressure helium (passive safety feature)
› Reactor controls are separate from shutdown systems

Barriers for Prevention of Radioactive Releases

›EC6 design incorporates major physical barriers to the release of radioactive materials from the reactor core to the environment:

[Figure: physical barriers (Fuel matrix, Fuel sheath, Heat Transport System, Containment, Calandria tubes, Calandria Vessel, Calandria vault) shown against plant states (Normal Operation, Anticipated Operational Occurrences, Design Basis Accidents, Beyond Design Basis Accidents, Design Extension Conditions (LCDA, SCDA), Conditions Practically Eliminated)]

Legend
LCDA: Limited Core Damage Accident
SCDA: Severe Core Damage Accident

CANDU Safety Basis


› CANDU 6, like all thermal water reactors, ensures sufficient defense-in-depth for the safety case by using a combination of:
  › Engineered safety systems and
  › Inherent reactor characteristics to address accidents (including reactivity insertion events)

› This safety case, particularly the values of CVR and PCR, complies with all relevant regulatory requirements, including requirements set by IAEA SSR 2/1 & Canadian Nuclear Safety Commission


›Reactor Inherent Protection

› Regulatory expectations

Inherent Nuclear Feedback Characteristics


› Inherent nuclear feedback characteristics are (see IAEA NS-G-1.12):
  › Reactivity coefficients (fuel T, coolant T, moderator T, coolant density)
  › Delayed neutron fraction (β)
  › Prompt neutron lifetime (Λ)
  › Reactivity effects of power redistribution (e.g. Xe efficiency, moderator density)

› The nature of the inherent reactor characteristics, in particular nuclear feedback characteristics, is unique for each reactor design

› Each reactor technology has different engineered safety features to compensate for specific characteristics

› These characteristics must be considered in the context of the overall safety characteristics of the plant

Reactor Neutronic Feedback

• These reactivity responses are involved in most of the reactor neutronic feedback:
  › Fuel temperature coefficient
  › Coolant temperature coefficient
  › Moderator temperature coefficient
  › Coolant density coefficient
  › Moderator/Coolant isotopic purity coefficient
  › Moderator poison coefficient

• Recall that inherent nuclear feedback characteristics also include the prompt neutron lifetime (Λ) and the delayed neutron fraction (β), so consideration must be given to more than just the coefficients

• Note: reactivity (ρ) is generally expressed in mk, but occasionally in $.
  › The reactivity of a system is $1 if ρ = β.
  › In a PWR, this is between ~7.3 mk (BOC) & ~4.4 mk (EOC).
  › In a CANDU 6 during normal operation, β is ~5.4 mk.

Power Coefficient of Reactivity (PCR)


Inherent Reactor Characteristics: Limits to the net effect of Reactivity Feedback

• CANDU’s prompt neutron lifetime, Λp, is 30-45 times longer than that for a PWR
  › This inherent CANDU safety benefit means that the net effect (i.e., the power transient) for accidents with significant reactivity insertion tends to be compensated, although differently than it is in a PWR

• When a PWR exceeds the prompt critical threshold in certain accidents, the period decreases sharply and so the resulting power transient is very fast
  › in CANDU the decrease in period would be much less
  › However, CANDU 6 does not exceed prompt critical in its limiting accident

• Therefore, the prompt inherent nuclear feedback characteristic of a long neutron lifetime keeps the reactor period for CANDU in the order of seconds, slowing down the power transient such that shutdown system action can be effective in providing the “control” safety function.
  › Note that all CANDU safety analysis results credit shutdown by the least effective of the two independent fast acting shutdown systems, and on the 2nd back-up trip (i.e., the fourth trip overall is credited).

Reactor Period vs. Reactivity for CANDU and PWR
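
Added example (not part of the presentation): the period-versus-reactivity comparison named in this slide title, computed from a simplified one-delayed-group point-kinetics model. Λ and β are the values the deck quotes for its PWR and CANDU limiting-insertion comparison; the single precursor decay constant of 0.08 s⁻¹ and all function names are assumptions made for this illustration.

```python
"""Stable reactor period versus reactivity, one-delayed-group point kinetics.

Added illustration, not code from the presentation. Lambda and beta are the
values quoted on the slides; the decay constant is an assumed value.
"""
import math

# Prompt neutron lifetime (s) and delayed neutron fraction, as quoted in the deck.
REACTORS = {
    "PWR": {"Lambda": 18.4e-6, "beta": 0.0044},
    "CANDU": {"Lambda": 900e-6, "beta": 0.0054},
}

# ASSUMPTION: one effective delayed-neutron precursor group, decay constant in 1/s.
DECAY_CONST = 0.08


def inverse_period(rho, Lambda, beta, lam=DECAY_CONST):
    """Positive root omega (1/s) of the one-group inhour equation

        rho = Lambda*omega + beta*omega/(omega + lam)

    rewritten as Lambda*omega**2 + b*omega - rho*lam = 0
    with b = beta - rho + lam*Lambda.
    """
    if rho <= 0:
        raise ValueError("only positive reactivity insertions are handled")
    b = beta - rho + lam * Lambda
    root = math.sqrt(b * b + 4.0 * Lambda * rho * lam)
    if b >= 0:
        # Below prompt critical: use the cancellation-free form of the root.
        return 2.0 * rho * lam / (b + root)
    return (root - b) / (2.0 * Lambda)


def prompt_inverse_period(rho, Lambda, beta):
    """The slide's (rho - beta)/Lambda estimate; meaningful only for rho > beta."""
    if rho <= beta:
        raise ValueError("estimate applies above prompt critical only")
    return (rho - beta) / Lambda


def period_s(reactor, dollars):
    """Stable period in seconds for an insertion given in dollars (rho/beta)."""
    p = REACTORS[reactor]
    return 1.0 / inverse_period(dollars * p["beta"], p["Lambda"], p["beta"])


def period_table(dollar_values=(0.5, 0.9, 1.0, 1.2, 1.5, 2.0)):
    """Rows of (dollars, PWR period, CANDU period, CANDU/PWR ratio)."""
    rows = []
    for d in dollar_values:
        pwr, candu = period_s("PWR", d), period_s("CANDU", d)
        rows.append((d, pwr, candu, candu / pwr))
    return rows


if __name__ == "__main__":
    print(f"{'rho ($)':>8} {'PWR period (s)':>16} {'CANDU period (s)':>18} {'ratio':>7}")
    for d, pwr, candu, ratio in period_table():
        print(f"{d:8.2f} {pwr:16.4g} {candu:18.4g} {ratio:7.1f}")
```

With these inputs both designs have periods of about a second or more below $1, where delayed neutrons dominate; above $1 the CANDU period is several tens of times longer than the PWR period.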

›CANDU Safety Basis ›Limiting & Compensating for Positive Reactivity Insertion

Limiting & Compensating for Positive Reactivity Insertion

Underlying safety concern:

› CANDU reactors inject positive reactivity during loss of coolant accidents (i.e., positive CVR)

› Reactivity excursions should not cause failure of the reactor pressure boundary, should maintain cooling capability, and avoid significant damage to the reactor core

Safety criterion:

› Maintain fuel enthalpy and coolable geometry during reactivity insertion accidents to less than value needed for fuel melting

› Avoid failure of the reactor pressure boundary

CANDU Safety Design Basis

Inherent safety: Long prompt neutron lifetime
Use of D2O for neutron moderation results in neutron lifetimes (~900 µs) more than an order of magnitude longer than that of LWRs
• reactor control and shutdown are inherently easier to perform
Inverse reactor period representative of speed of power increase versus speed of insertion of shutdown rods (or other poison injection): (ρ − β)/Λ

Inherent safety: Minimal excess reactivity
On-line refuelling reduces the excess reactivity level needed for reactor operation
• Reactor characteristics are constant
• Additional reactivity control measures not typically needed for refueling
Peak reactivity in any design basis accident is less than β

Engineered safety: Rod-ejection events not possible
Reactivity control devices cannot be ejected by high pressure because they are in the low-pressure moderator and do not penetrate the reactor coolant pressure boundary (Hence, “practically eliminated”)

Engineered Safety: Two independent passive shutdown systems
• SDS1 inserts mechanical absorber rods via gravity with spring assisted acceleration
• SDS2 injects liquid poison into the moderator via pressurized accumulator tanks
Failure to shut down is practically eliminated

[Figure: reactivity versus time for the PWR limiting reactivity insertion and the CANDU limiting reactivity insertion, marking the event (+ve reactivity), the -ve PCR contribution (PWR), the engineered shutdown (-ve reactivity), and the intervals labelled Λ and τ]

PWR Limiting Reactivity Insertion: Event: +8$, S/D: -6$, PCR: -2$, Λ: 18.4 µs, β: 0.0044

CANDU Limiting Reactivity Insertion: Event: +<1$, S/D 1: -8$, S/D 2: ->30$, Λ: 900 µs, β: 0.0054

Limiting & Compensating for Positive Reactivity Insertion

[Figure: plot showing a Fuel Melting Region and a Prompt Criticality Region, with points for AP-1000 Rod Ejection, AP-1000 Low Power Rod Ejection, TMI MSLB, ESBWR Turbine Trip, EC6 (NU) LOCA, CANDU 6 LOCA and EPR Main Steam Line Break; axis names not recoverable]

Considerations of PCR and CVR for Licensing


CNSC Position on CVR and PCR

• Canadian Nuclear Safety Commission (CNSC) Technical Note on “Positive coolant void reactivity feedback phenomenon in currently operating CANDU reactors” issued on July 14, 2009:
  › Notes design provisions of inherent safety features (long neutron lifetime) and engineered safety features such as shutdown systems, multiple barriers to release and the Emergency Core Cooling system.

• CNSC “Mythbusters” statement on PCR: “The power coefficient of reactivity of CANDU reactors does not pose a significant risk. Consistent with Canadian nuclear safety requirements, nuclear power plants must have an appropriate combination of inherent and engineered safety features incorporated into the design of the reactor safety and control systems. A reactor design that has a positive power coefficient of reactivity is quite acceptable provided that the reactor is stable against power fluctuations, and that the probability and consequences of any potential accidents that would be aggravated by a positive reactivity feedback are maintained within CNSC-prescribed limits. These are known safety issues that have long been addressed by the CNSC’s regulatory and safety regime.”

• CNSC REGDOC 2.5.2 on Design of Reactor Facilities: Nuclear Power Plants
  › No specific requirements on sign or magnitude of PCR. Design must demonstrate acceptable control, stability and safety. Designs with positive PCR are required to ensure a bounding value is used in these demonstrations.

Compliance of CANDU to IAEA SSR 2/1 Clause 6.6

›Clause 6.6: “The maximum degree of positive reactivity and its rate of increase by insertion in operational states and accident conditions not involving degradation of the reactor core shall be limited or compensated for to prevent any resultant failure of the pressure boundary of the reactor coolant systems, to maintain the capability for cooling and to prevent any significant damage to the reactor core.”

• This is met in all reactor designs through a mix of inherent characteristics and engineered safety systems, including shutdown systems.
  › In LWR, the inherent negative Doppler coefficient limits and compensates for the effects of short reactor period and the relatively fast and/or large possible positive reactivity insertion so that engineered shutdown and other safety systems can act to prevent damage to the reactor.
  › In CANDU, the inherent long reactor period and relatively slow and small possible positive reactivity insertion combine to limit and compensate for the effects of positive reactivity coefficients so that engineered shutdown and other safety systems can act to prevent damage to the reactor.

LWR Protection Against Reactivity Insertion

›Threat
• Potential for escalation in power levels that could threaten the core due to very short prompt neutron lifetime and large size of reactivity coefficients
• Inherent reactor design characteristic includes rod ejection
→ Some events (e.g. rod ejection, MSLB) result in very large and/or very fast reactivity insertion

›Protection
• Inherent reactor design limits rate and delays timing of reactivity insertion for MSLB
• Large negative PCR tends to compensate for large reactivity insertion even at rod ejection timeframes, limiting the magnitude of the power transient
• Engineered safety systems (including shutdown system) are able to act effectively

Result: no resultant failure of the pressure boundary, ability to cool maintained, prevention of significant core damage

CANDU Protection Against Reactivity Insertion

›Threat
• Potential for escalation in power levels that could threaten the core due to positive coolant void reactivity feedback
→ Some events (e.g. Large LOCA, Loss of Regulation) result in void formation and hence reactivity insertion

›Protection
• Inherent reactor design limits rate and magnitude of reactivity insertion
• Long prompt neutron lifetime tends to compensate for increased reactivity by maintaining a slow time constant for the event, limiting the magnitude of the power transient
• Engineered safety systems (including shutdown systems) are able to act effectively

Result: no resultant failure of the pressure boundary, ability to cool maintained, prevention of significant core damage

CANDU safety design basis for positive reactivity insertion events:

› CANDU design basis is for near-zero PCR near full power
  › The sign is not significant to operation or safety
› CANDU has a positive void coefficient
  › The most significant reactivity event is thus Large LOCA
› Has a combination of inherent and passive safety features and engineered safety systems

Inherent safety characteristic
Long prompt neutron lifetime leading to long reactor period during positive reactivity insertion accidents

Passive Safety features
• SDS1 rods drop into core by gravity, assisted by springs
• SDS2 liquid poison injected into moderator by high-pressure helium

Engineered safety features
• SDS1 uses dedicated instrumentation to detect events and trip de-energizes the clutches that hold the shutoff rods
• SDS2 uses dedicated instrumentation to detect events and trip de-energizes solenoids that hold fast-acting valves closed

Summary

CANDU safety design basis for positive reactivity insertion events:
• Safety is achieved by:

There is no resultant failure of the pressure boundary
  › Shutdown systems act to limit power increase such that pressure increase is much less than the failure limit of the pressure boundary

Ability to cool the fuel is maintained, and
  › Shutdown systems act to limit energy deposited in the fuel due to power increase such that fuel maintains coolable geometry
  › Heat removal systems maintain fuel cooling

Significant core damage is prevented
  › Shutdown systems and heat removal systems maintain reactor in a long term safe shutdown condition

DISCUSSION

CANDU® RELATED PUBLICATIONS and CONTACTS

For CANDU related publications and selected past presentations please refer to the SNC-Lavalin Nuclear site dedicated to the IX International School of Nuclear Power: www.snclavalin.com/en/media/events/2017/school-of-nuclear.aspx

If you have any additional questions please feel free to contact: Albert Lee PhD at [email protected] (English) or Jerzy Parkitny at [email protected] (English and Polish)

›Supplementary Information

›Canadian vs Polish Terminology

Canadian vs Polish Safety Classification Terminology

Safety-Related Systems

Safety Systems (includes detection, initiation & protection)

Safety Support Systems

Other SSCs whose failure may lead to safety concerns

Complementary design features

Canadian approach

Systems Important to Safety

Safety Systems

Protection System

Safety actuation system

Safety system support features

Enhanced CANDU 6 Health and Safety Objectives

Protect the Public Against Radioactive Releases

›The following Safety and Health Objectives provide a basis for the EC6 reactor design:

• Individual Early Fatality
  › Risk should be less than 1 in 1,000,000 years per station for the average member of critical group most at risk.

• Individual Delayed Fatality
  › Risk should be less than 1 in 100,000 years per station for the average member of critical group most at risk.

• Quantitative Health Objectives
  › Incremental contribution to public health risk from nuclear accidents should be less than 1% of background cancer risk.

Protect the Public Against Radioactive Releases

›Based on the Safety and Health Objectives, quantitative safety goals are used to assess the EC6 design:

• Small Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10¹⁵ Bq of iodine-131 is less than 10⁻⁵ per reactor year. A greater release may require temporary evacuation of the local population.

• Large Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10¹⁴ Bq of cesium-137 (i.e., the LRF threshold) is less than 10⁻⁶ per reactor year. A greater release may require long term relocation of the local population.

• These safety goals measure the accident mitigation capabilities and the risk to society and the environment from plant operation

›CANDU Overview ›Additional Information

CANDU: A Proven Technology

› 48 CANDU and CANDU-type reactors operable worldwide
› Excellent, long operational safety record
› On time and on budget international project delivery
› The EC6 is an incremental development of the CANDU 6, which is a reliable, long lifetime, high output reactor
› EC6 is a Generation III reactor that has completed Canadian Pre-licensing Design Review and is ready for deployment

EC6 Generic 2 Unit Site Layout

CANDU 6 Major Features

• A CANDU 6 reactor is a horizontal pressure-tube reactor, D2O-moderated and D2O-cooled using natural uranium fuel.
• Key CANDU Features:
  › Modular horizontal fuel channels
  › Simple, economical fuel bundle design
  › Separate, low temperature, low pressure heavy water moderator
  › Safety features:
    › Two independent passively-driven safety shutdown systems
    › Water-filled reactor vault
  › On-power fuelling
  › Reactor building access for on-power maintenance

CANDU 37-Element Fuel Bundle


› 380 channels x 12 bundles = 4560 bundles

› Each bundle stays in the core for ~1 year on average

› Average energy generated by each bundle = 4000 MW·h

CANDU Reactor Assembly

• Fuel channels are arranged in a lattice geometry and run horizontally through the heavy water moderator.

• High pressure and temperature primary coolant is separated from the cool, low pressure moderator by two concentric tubes; a pressure tube inside a calandria tube, with the inter-space filled by CO2 for thermal isolation.

• The Calandria Vessel is suspended within a large volume of water in a Calandria vault, which normally acts as a biological shield, and is normally circulated and actively cooled to remove the generated heat.

CANDU Performance


› The true measure of a reactor’s efficiency is uranium utilization – the amount of uranium “from the ground” needed to produce a certain amount of energy.

› The use of heavy water as coolant and moderator, together with the selected lattice geometry, give CANDU reactors a high uranium utilization.

› High uranium utilization, no need to enrich, and simple fuel bundle result in a small refueling cost component.

› A typical PWR using 4.7 wt% enriched fuel and achieving an average exit burnup of 51 MW·d/kg(U) is achieving a uranium utilization of ~4.75 MW·d/kg(NU) (0.3 wt% tails)

› A standard CANDU 6 achieves ~7.5 MW·d/kg(U) = 7.5 MW·d/kg(NU), ~60% better than the PWR number

› This will vary for different fuel types.

CANDU 6 On-Line Fuelling


Twelve fuel bundles are installed in each of the 380 fuel channels in a CANDU 6 reactor. During normal operation heavy water coolant flows through each channel and through the fuel bundles to remove nuclear heat which is carried to the steam generator. During refuelling, two fuelling machines connect to opposite ends of a fuel channel; one machine delivers new fuel, the machine at the opposite end receives the spent fuel. During the refuelling process, flow through the fuel channel is uninterrupted, allowing the refuelling process to be performed at power. The capability to perform refueling at power is a unique feature of the CANDU reactor.

Refuelling Schemes

• For efficient utilization of the uranium, each fuel bundle is replaced when the uranium it contains has been “burned up” to an optimum value.
• Since the rate of uranium burn-up varies, depending on the location of each bundle in the reactor, a few bundles are replaced each day as they reach their optimum burn-up, instead of replacing all the fuel bundles in one batch (as in a PWR).
• In the reference CANDU 6, eight bundles from the selected channel are replaced at a time, and approximately 14 channels are fuelled per week.
• The frequency of fuel changing and the number of fuel bundles to be replaced at a time will differ for varying fuel compositions.
• Channels are not refuelled in a rigorously defined sequence, but are selected for refuelling based on instantaneous, daily information about the core power and irradiation distributions.
• Refuelling is thus a means of controlling the reactor power shape over time as well as of managing core reactivity

Fundamental Safety Functions


Fundamental Safety Functions Enhanced CANDU 6 Systems

Other Systems Important to Safety Safety Systems Complementary Design

Features

Control of reactivity Reactor Regulating System Moderator Poison System

Shutdown System 1 Shutdown System 2

Removal of heat from the fuel

Core

Heat Transport System Emergency Core Cooling System Severe Accident Recovery

Heat Removal System Mobile water make-up

Feedwater System Auxiliary Feedwater System Shutdown Cooling System

Emergency Heat Removal System

Spent Fuel Bay Spent Fuel Bay Cooling System Spent Fuel Bay make-up Mobile water make-up

Confinement of radioactive material

All process systems containing radioactive substances

Containment Containment Igniters and PARs

Shielding against radiation Reactor Building Service Building Spent Fuel Bay Pool

Containment Containment Spent Fuel Bay Pool

Control of operational discharges and hazardous substances, as well as limitation of accidental releases

All process systems containing radioactive substances

Containment Emergency Containment Filtered Venting System

Monitoring of safety-critical parameters to guide operator actions

Reactor Regulating System Safety Monitoring System Main Control Room Technical Support Centre Secondary Control Room Emergency Response Centre

Shutdown System 1 Shutdown System 2

Safety Monitoring System Secondary Control Room Emergency Response Centre Mobile power supplies Portable instruments

© [2017] SNC-Lavalin Group and its member companies. All rights reserved. Unauthorized use or reproduction is prohibited. 54

Hierarchy of Plant States for EC6

Defence-in-Depth Level | Plant State | Event Freq. (yr^-1) | Objective | Essential Means
1 | Normal Operation | 1 | Prevent deviations from normal operation, and to prevent failures of structures, systems, and components | Conservative design; High quality in construction and operation; Process & control systems
2 | AOO | >10^-2 | Intercept deviations from normal operation in order to prevent AOOs from escalating to accident conditions, and to return the plant to a state of normal operation | Reactor Regulating System setback and stepback functions
3 | DBA | 10^-2 - 10^-5 | Minimize the consequences of accidents by providing inherent safety features, fail-safe design, additional equipment, and mitigating procedures | Safety Systems; Emergency Operating Procedures
4 | DEC (LCDA) | <10^-5 | Prevent accident progression and ensure that radioactive release caused by severe accidents are kept as low as practicable | Complementary Design Features; SAMGs
5 | DEC (SCDA) | <10^-6 | Mitigate the radiological consequences of potential releases of radioactive materials that may result from accident conditions | Off-site emergency response

Two-Group Separation Philosophy

• Used in all CANDU 6 reactors

• Ensures a high degree of independence between normally operating process systems, safety systems and safety support systems

• Includes physical separation, functional independence, and redundancy in how fundamental safety functions are provided

• Redundancy and separation is also provided within each group

• Allocating systems to Group 1 or Group 2 is based on the various event sequences and the overall plant responses to these events

• Creates two functionally and physically independent pathways for providing the fundamental safety functions

• Failure of a safety function in one group can be mitigated by the other group

• Enhances defence-in-depth

• Contributes to achieving nuclear safety objectives

Two-Group Separation Philosophy

Group 1

• Normally operating process systems (e.g., HTS, Moderator System, RRS, etc.)

• Safety Systems SDS1, ECCS

• Safety Support Systems (e.g., Class IV and Class III power, Main Control Room, etc.)

• See Note

Group 2

• Safety Systems SDS2, EHRS, Containment

• Safety Support Systems (e.g., EPS, Secondary Control Room, etc.)

• SARHRS

*Note: Examples of interconnection between Groups

a) Group 1 Support Services to Group 2 during Normal Operation (and AOOs)

b) Group 2 Support Services to Group 1 during Accident Conditions

c) Group 1 Support Services to Group 2 during Accident Conditions

Power Coefficient of Reactivity

Power Coefficient

•Power Coefficient of Reactivity (PCR) -- Overall parameter expressing the combined effect of all short-term reactivity changes as reactor power is varied around an operating point. Not a prompt feedback.

› Defined as change in reactivity per unit increase in reactor power with a fixed core configuration

› Expressed in mk/%FP (or pcm/%FP: 1 mk/%FP = 100 pcm/%FP)

› Dependent on operating conditions such as fuel burnup, fuel and coolant temperatures, extent of coolant boiling / subcooling etc.

› Dependent on reactor power level

•In CANDU, the moderator temperature coefficient has a negligible contribution, so PCR is driven by fuel, coolant temperature & coolant density feedbacks:

$$\mathrm{PCR} = \frac{\partial \rho}{\partial P} = \frac{\partial \rho}{\partial T_F}\,\frac{\Delta T_F}{\Delta P} + \frac{\partial \rho}{\partial T_C}\,\frac{\Delta T_C}{\Delta P} + \frac{\partial \rho}{\partial D_C}\,\frac{\Delta D_C}{\Delta P}$$

Power Coefficient

›In CANDU 6 reactors, the design basis is for a near-zero PCR value:

› Sign is not a part of that basis

› The following table gives values of PCR calculated with the current physics toolset, not including bias or uncertainty:

Reactor Power (%FP) | PCR (mk/%FP)
95 | +0.0154
105 | +0.0204
115 | +0.0517
125 | +0.0856

›Note that PCR is so small that the design uses Liquid Zone Controllers alone to make small and continuous adjustments to maintain a constant power

› No need to use absorber rods or soluble poison to manage daily reactivity changes

Coolant Density (or Void) Coefficient of Reactivity

Coolant Density (or Void) Coefficient

•Coolant Density Coefficient (CDC):

› Defined as change in reactivity due to change in coolant density

› Expressed in mk/(g/cm³)

› when stated as a void coefficient for saturated coolant, mk/%void

› Dependent on operating conditions such as fuel burnup, fuel and coolant temperatures, extent of coolant boiling / subcooling etc.

•In CANDU, coolant void coefficient is positive at about 0.13 mk/%void at equilibrium conditions.

•The coolant density coefficient is slower than the fuel temperature coefficient, with the timescale being set by heat transfer to the coolant (seconds – relevant to Loss of Regulation) or by depressurization (tenths of seconds – relevant to Large LOCA).

Design of Core and Coolant Systems

•The design of the core and associated coolant systems is important in the context of understanding the implication of reactivity coefficients as it establishes inherent characteristics important to the overall behaviour.

•In LWR reactors, the design of the core and coolant systems is such that it is possible to have a large increase in reactivity (rod ejection or main steam line break), sometimes very quickly (rod ejection).

•In CANDU reactors, the design of the core and coolant systems is such that the largest reactivity increase (Large LOCA) is slower and smaller in magnitude.

Coolant Void Reactivity

•Coolant Void Reactivity (CVR) is a figure of merit related to the potential effect of the negative coolant density coefficient:

› Defined as the change in reactivity due to change from normal operation to a hypothetical state of 100% coolant voiding.

› Expressed in mk (or $)

› Dependent on operating conditions such as fuel burnup

•In CANDU, CVR is positive and ~15 mk (or ~3 $) at equilibrium conditions. As discussed in the next slide, actual reactivity insertion in Large LOCA is significantly less than this. An analogy to this for a PWR might be a “Moderator Temperature Reactivity” which would be the change in reactivity due to a change from normal coolant temperature to 40°C (-0.6 mk/°C * -265°C ≈ +160 mk).

•Similar to rod ejection or MSLB in a PWR, a Large LOCA is the limiting positive reactivity transient in a CANDU. In order to ensure that a Large LOCA does not result in core damage, the resulting power transient must be limited or compensated for sufficiently by inherent reactor characteristics that engineered safety systems can fulfil their function.

Inherent Reactor Characteristics: Limits to the rate & magnitude of Void Formation

•The rate of void formation is limited by the inertia of the fluid in the fuel channels, by break size and by break opening time.

› Note that in safety analysis, break sizes up to 100% guillotine rupture of the largest pipe or header and instantaneous break opening times are conservatively assumed.

•For most CANDUs, including CANDU 6, the Heat Transport System (HTS) is divided into two independent loops, connected through the common pressurizer. Therefore:

› Only one loop can lose significant amounts of coolant rapidly.

› Only the channels downstream of the break can void quickly (figure-of-eight circuit).

› Hence ~¼ of the core voids rapidly.

•Void reactivity insertion is < 1$ for the limiting accident in a CANDU 6 (Large LOCA), even in the conservative safety analysis.

Two-Loop Figure-of-Eight HTS

CANDU and CNSC Guidance on Nuclear Design for New Designs (also US NRC GDC-11)

CNSC REGDOC-2.5.2

›The CNSC has published REGDOC-2.5.2, “Design of Reactor Facilities: Nuclear Power Plants”

•Provides requirements and guidance for new licence applications for NPPs

›In the section on design of the reactor core, the CNSC provided guidance on nuclear design as follows:

•The design of the reactor core and associated coolant and fuel systems should take into account all practical means so that, in the power operating range, the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity and power. The consequences of those accidents that would be aggravated by a positive reactivity feedback should be either acceptable, or be satisfactorily mitigated by other design features.

› This is aligned with IAEA SSR-2/1 Requirement 45 clause 6.6

›The CNSC guidance is a close adaptation of one of the US NRC’s General Design Criteria: GDC 11

•Criterion 11—Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.

Some Background on US NRC GDC 11

•The US NRC developed a suite of General Design Criteria over the period 1965 to 1971.

› Based on NRC experience in licensing LWRs in the US

› However, they are “considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units.”

› Still, “there may be water-cooled nuclear power units for which fulfillment of some of the General Design Criteria may not be necessary or appropriate.”

•One of these criteria, GDC 11, “is considered to be satisfied in light water reactors (LWRs) by the existence of the Doppler and negative power coefficients.” (NUREG-0800).

•The US NRC has never said how PHWRs (such as CANDU) might satisfy this criterion, as the US NRC has never considered a CANDU licence application.

› However, there is an indication that CANDU’s positive CVR would not be a regulatory barrier from a US NRC review performed in the early 1990’s: this is documented in SECY-93-092, discussed later

Implications of & Compliance with GDC 11

›GDC 11: “Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.”

•This requirement calls for incorporation of some degree (“…tends to compensate…”) of protection from inherent nuclear feedback characteristics, but existing reactor designs all require engineered safety systems in addition to this.

•In LWR, the negative Doppler coefficient is the inherent nuclear feedback characteristic that tends to compensate for the net effect of the short reactor period and the relatively fast and/or large possible positive reactivity injection so that engineered shutdown & other safety systems can act to prevent damage to the reactor.

•In CANDU, the long reactor period is the inherent nuclear feedback characteristic that tends to compensate for the net effect of the relatively slow and small possible positive reactivity injection so that engineered shutdown & other safety systems can act to prevent damage to the reactor.

LWR Inherent Protection in Overall Response

›Threat

•Potential for escalation in power levels that could threaten the core due to very short prompt neutron lifetime and large size of reactivity coefficients

•Inherent reactor design characteristic includes rod ejection

→Some events (e.g. rod ejection, MSLB) result in very large and/or very fast reactivity insertion

›Protection

•Inherent reactor design limits rate of reactivity insertion for MSLB

•Large negative PCR tends to compensate for large reactivity insertion even at rod ejection timeframes, limiting the magnitude of the power transient

•Engineered safety systems (including shutdown system) are able to act effectively

Result: inherent protection contributes to resultant protection of the pressure boundary, maintenance of ability to cool, and prevention of significant core damage

CANDU Inherent Protection in Overall Response

›Threat

•Potential for escalation in power levels that could threaten the core due to positive coolant void reactivity feedback

→Some events (e.g. Large LOCA, Loss of Regulation) result in void formation and hence reactivity insertion

›Protection

•Inherent reactor design limits rate and magnitude of reactivity insertion

•Long prompt neutron lifetime tends to compensate for increased reactivity by maintaining a slow time constant for the event, limiting the magnitude of the power transient

•Engineered safety systems (including shutdown systems) are able to act effectively

Result: inherent protection contributes to resultant protection of the pressure boundary, maintenance of ability to cool, and prevention of significant core damage
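
The slow-time-constant argument on the LWR and CANDU inherent-protection slides can be checked numerically. The following is an added example, not part of the original slides: one-delayed-group point kinetics for a step insertion of 0.8 $ with no feedback and no trip. The value 1 $ = 5 mk follows from the slides' "~15 mk (or ~3 $)"; the precursor decay constant and the two neutron generation times are assumed illustrative values, not figures from the slides.

```python
import math

BETA = 0.005           # 1 $ in absolute units, from the slides' "~15 mk (or ~3 $)"
DECAY = 0.08           # s^-1, one-group precursor decay constant (assumed)
GEN_LONG = 1.0e-3      # s, illustrative long neutron generation time (assumed)
GEN_SHORT = 2.0e-5     # s, illustrative short neutron generation time (assumed)
RHO_STEP = 0.8 * BETA  # step insertion below 1 $, as the slides state for Large LOCA


def kinetics_roots(rho, gen_time):
    """Roots of gen*w^2 + (BETA - rho + DECAY*gen)*w - DECAY*rho = 0.

    For rho > 0 the first root is positive (stable period = 1/root) and the
    second is negative (the prompt transient that dies away).
    """
    b = BETA - rho + DECAY * gen_time
    disc = math.sqrt(b * b + 4.0 * gen_time * DECAY * rho)
    return (-b + disc) / (2.0 * gen_time), (-b - disc) / (2.0 * gen_time)


def relative_power(t, rho, gen_time):
    """n(t)/n(0) after a step insertion rho applied to a critical reactor."""
    w_slow, w_fast = kinetics_roots(rho, gen_time)
    # Amplitudes follow from n(0) = 1 and dn/dt(0) = rho / gen_time.
    a_slow = (rho / gen_time - w_fast) / (w_slow - w_fast)
    return a_slow * math.exp(w_slow * t) + (1.0 - a_slow) * math.exp(w_fast * t)


def time_to_reach(level, rho, gen_time, t_hi=60.0):
    """Bisection for the time at which n(t)/n(0) reaches `level` (n is monotonic)."""
    t_lo = 0.0
    for _ in range(60):
        mid = 0.5 * (t_lo + t_hi)
        if relative_power(mid, rho, gen_time) < level:
            t_lo = mid
        else:
            t_hi = mid
    return t_hi


def compare(level=2.0, rho=RHO_STEP):
    """Time to reach `level` times initial power for both generation times."""
    return {
        "long": time_to_reach(level, rho, GEN_LONG),
        "short": time_to_reach(level, rho, GEN_SHORT),
    }


if __name__ == "__main__":
    times = compare()
    for name, gen in (("long", GEN_LONG), ("short", GEN_SHORT)):
        print(f"{name:5s} generation time {gen:.1e} s: "
              f"power doubles after {times[name]:.4f} s, "
              f"n(0.5 s)/n(0) = {relative_power(0.5, RHO_STEP, gen):.2f}")
```

For the same sub-dollar insertion the stable period is almost the same in both cases; what changes is how long the initial prompt rise takes, which is the time available for engineered shutdown to act.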

SECY-93-092

•In 1993, SECY-93-092 was issued, in which NRC gave preliminary consideration to the licensability of a CANDU-type reactor with positive CVR.

•This report stated that “a positive void coefficient should not necessarily disqualify a reactor design.”

•The document indicated a license application in the US should include analysis “of events (such as ATWS, unscrammed LOCAs, delayed scrams and transients affecting reactivity control) that could lead to core damage as a result of the positive void coefficients”, such analysis to take into account “the overall risk perspective of the designs.”

•This could imply a regulatory expectation that safety analysis in support of a license application include the following:

› Consideration of AOO events (& perhaps also of DBAs) without scram (i.e. in which one shutdown system does not operate)

› Including void reactivity feedback in LOPR & Large LOCA events

› Consideration in PSA of event sequences involving failure to trip on both shutdown systems, subject to probability-based screening

•The safety case for CANDU reactors already includes all of the above and demonstrates acceptable consequences
