preliminary safety analysis report for the general atomic ... specific/gt-mhr/papers/200… ·...
TRANSCRIPT
Preliminary Safety Analysis Report for the General Atomic Gas-Turbine Modular Helium Reactor
Ed Blandford Ali Moheet Jeff Seifried
Evan Thomas
NE 167/267 Final Report May 14th, 2007
1.1 Introduction
The purpose of the report is to demonstrate that the Gas-Turbine Modular Helium
Reactor (GT-MHR) meets the goals laid out by the Staff as described in the Policy
Statement on Regulation of Advanced Nuclear Power Plants and can be licensed as
designed. The development of an actual Preliminary Safety Analysis Report (PSAR)
requires several years and hundreds of experienced engineers coupled with a rigorous
R&D program. This report represents a culmination of associated GT-MHR-related
research publications and a preliminary conceptual design report issued by General
Atomics (1999) which are appropriately cited.
The NRC has over 30 years of experience with licensing and regulating light
water reactors (LWR). The original Rasmussen reactor safety study (WASH-1400),
followed up by the NUREG-1150 report, really provided the foundation for assessing the
associated safety risks of the current fleet of LWRs and contributed greatly to the
development of Probabilistic Risk Assessment (PRA) methods. The NUREG-1150 report
represented one element of the NRCs effort to close the book on severe accident issues
associated with the set of currently operating U.S. nuclear power plants and provided the
results of the estimated plant risks for five commercial nuclear power plants of different
design. This work, coupled with a successful operating history, has led to a familiarity in
licensing and regulating which is evident by a host of recent LWR plant uprates.
With the increasing demand of emission-free power generation, a nuclear power
renaissance is becoming more realistic. Innovative reactor designs are being pushed by
both industry and academia. The latest report issued by the DOE has indicated a desire to
demonstrate large-scale hydrogen production using a nuclear plant. The project, Next
Generation Nuclear Plant (NGNP) demonstration, calls for the use of a high-temperature
gas reactor to produce hydrogen using high temperature process heat or electricity. The
GT-MHR is a prime candidate for the NGNP nuclear plant and presents several licensing
issues to the NRC. Advanced reactors, such as the GT-MHR, are unique to the current
fleet of LWRs and proposed Gen III+ designs and create several challenges to the
regulator.
1.2 Overall Licensing Approach of GT-MHR
Developing a licensing strategy for the GT-MHR requires an extensive
understanding of the NRCs current stance on advanced reactors. The Advanced Reactor
Policy Statement was issued some years ago and the NRC, along with NEI, has done
extensive work since then to help advanced plant designers with developing licensing
strategies. The purpose of this section is to discuss these latest developments and how
they may impact the licensing of the GT-MHR.
The current NRC approach for licensing advanced reactors consists of a four part
process (Figure 1-1) which will results in an overall technology-neutral regulatory
structure with technology-specific regulatory guidance. The NRC is required to take this
approach due to the extreme diversity of the advanced reactors proposed. For example,
fast sodium cooled reactors have unique neutronic characteristics such as a positive void
coefficient that gas-cooled reactors and current LWRs are not concerned with. Therefore
the proposed framework uses the reactor Safety Goal Policy quantified health objectives
(QHO) in the Commission’s Reactor Safety Goal Policy to ensure that design,
construction, and operations are consistent with the performance goals for all proposed
reactor types.
Figure 1-1 Framework for Regulatory Structure for New Plant Licensing
In addition to meeting the QHO objectives, the Policy Statement on Regulation of
Advanced Nuclear Power Plants also mandated that advanced reactors will make larger
safety margins. The NRC has developed generic frequency-consequence curves that are
consistent with the overall safety goal objective and are applicable to all reactor concepts.
The approach utilized by the staff combines both probabilistic risk criteria and design-
basis criteria. The risk criteria portion deals with preventing accidents and ultimately the
development of mitigation criteria while the probabilistic criteria are used to select
appropriate design basis accidents (DBA) and the overall safety classification of the
reactors systems, structures and components (SSC). Design basis criteria are used to
determine fixed acceptance criteria for events that are used for comparison to siting
requirements. A frequency-consequence curve (Figure 2-2) was developed by the NRC to
determine an acceptable region for advanced reactors based on offsite dose guidelines
laid out in 10CFR100 and 10CFR50.34
Figure 1-2 Frequency-consequence curve for public health and safety
In Chapter 3, a set of design basis accidents are considered and shown to fall
within the acceptable region as defined by Figure 2-2. The curve as a whole is meant to
provide guidance on the frequency and consequence of accidents and to be reasonably
consistent with the QHOs of the Commission’s Safety Goal Policy Statement. The QHOs
limit the total risk of all accidents to the “average” individual within specified distances
of the exclusion area boundary.
2.1 Plant Description
Each GT-MHR plant consists of four reactor modules. The primary components
for each module are contained within a steel vessel system, which includes a reactor
vessel and a power conversion vessel, connected by a cross vessel. The vessel system is
located inside an underground concrete silo 25.9m in diameter by 42.7m deep, which
serves as the containment structure. The reactor vessel is made of high strength 9Cr-1Mo-
V alloy steel and is approximately 8.4m in diameter and about 31.2m high. It contains the
reactor core, the reactor internals, control rod drives, refueling access penetrations, and
the shutdown cooling system. The reactor vessel is surrounded by a Reactor Cavity
Cooling System
Figure 2-1 GT-MHR module arrangement
which provides totally passive safety related decay heat removal by natural draft air
circulation. The shutdown cooling system located at the bottom of the reactor vessel
provides forced helium circulators for decay heat removal for refueling and maintenance
activities (General Atomic).
Power conversion vessel is also made of modified 9Cr-1Mo-V alloy steel and is
approximately 8.5m flange outside diameter and about 35.4m high. This vessel houses
the turbo machine, a plate-fin recuperator, and a helical tube water-cooled intercooler and
precooler. The turbomachine includes a generator, a turbine, and 2 compressor sections
all mounted on a single shaft supported by magnetic bearings.
2.2 Module Description
The standard reactor module, which is the basic building block of the reference GT-
MHR, consists of a reactor core and power conversion equipment.
Figure 2-2 GT-MHR simplified schematic flow diagram
The reactor core and power conversion equipment are housed in separate welded
steel vessels that are connected by a cross vessel. The same helium that flows through the
reactor is the working fluid in the power conversion portion of the module (Figure 2.2).
The single standard reactor module, which is the building block of the MHR,
contains the nuclear heat source and all the power conversion equipment required to
generate electricity within the primary pressure boundary. This equipment includes the
turbo-compressor-generator set, plate-fin recuperator modules, precooler, intercooler and
the interconnecting flow ducting (General Atomic).
2.3 Plant Systems
The gas turbine plant includes the following key systems:
Reactor System, which includes the reactor core, core supports, internal structures,
reactivity control assemblies, and hot duct.
Vessel System, which includes the reactor vessel, power conversion vessel, cross
vessel, vessel supports, and lateral restrains.
Power Conversion System, which includes the turbomachine, recuperator modules,
precooler, intercooler, internal supports, shrouds, and seals. This system also includes
the equipment and handling casks necessary for the removal and replacement of PCS
components.
Shutdown Cooling System, an independent forced convection cooling system for
backup decay heat removal, which includes the shutdown circulator, shutdown heat
exchanger, and shutdown cooling control.
Reactor Cavity Cooling System, a safety-related passive air cooling system for
backup decay heat removal, which includes structures for inlet/outlet of atmospheric
air, a set of cooling panels surrounding the reactor vessel, and the hot/cold duct work
for transporting the air.
Fuel Handling System, which handles fuel and reflector elements, and transports
them between the receiving facility, the reactor core, and the fuel packaging and
shipping facility.
Figure 2-3 Helium flow path in power conversion module.
Helium Services System, which includes the helium purification system and the
helium transfer and storage system.
Reactor Protection System, which performs automatic safety-related plant protection
functions.
Investment Protection Systems, which performs automatic non safety intersystem
investment-related protection functions.
Plant Control, Data and Instrumentation System, which monitors plant parameters,
automatically regulates plant conditions, provides information to the operator, and
accepts and executes manual control commands from the operator.
2.4 Vessel System
The principal functions of the Vessel System (VS) are to contain the primary
coolant inventory and to maintain primary coolant boundary integrity. In addition, the VS
provides structural support and alignment for the Reactor System components and
Shutdown Cooling System components that are housed within the reactor vessel and all
power Conversion System components that are housed within the power conversion
vessel.
The radionuclide control function of the VS are to transfer decay heat from the
reactor core to the reactor cavity cooling system (RCCS) during conduction cooldown
events, to maintain the geometry of the reactor core with respect to the neutron control
assemblies (NCAs) to control heat generation, and to prevent air ingress and consequent
core oxidation (General Atomics).
The Vessel System is located below grade, enclosed and supported in a reinforced
concrete silo. The reactor vessel and power conversion vessel are places side-by-side
with the power conversion vessel at a lower elevation than the reactor vessel. This
arrangement provides for thermal isolation and protection of the power conversion
components from the high temperature core during conduction cooldown events.
2.5 Shutdown Cooling System
A Shutdown Cooling System (SCS) provides reactor cooling when the Power
Conversion System is non-operational. The SCS consist of the shutdown circular and
shutoff valve, the shutdown heat exchanger, and shutdown cooling control. Also included
as part of the SCS are the shutdown circular and shutdown heat exchanger service
equipment.
The SCS consist of a single loop with shutdown heat exchanger in series with the
shutdown circular and shutdown loop shutoff valve assembly, all located at the bottom of
the reactor vessel. Hot helium from the core outlet plenum flows through multiple
parallel openings (pips) in the center of the core support structure and into the shutdown
heat exchanger. Once cooled, the helium continues downward through the shutdown loop
shutoff valve to the shutdown circulator where it is compressed and discharged into the
reactor vessel bottom heat cavity. The loop is completed as the helium flows down
through the reactor core. Heat is rejected from the shutdown cooling water to the
atmosphere through the air cooled heat exchanger (General Atomics).
2.6 Reactor Cavity Cooling System
The Reactor Cavity Cooling System (RCCS) performs 2 safety functions. It
provides a passive means of transporting core residual heat from the reactor cavity when
neither the Power Conversion System nor the Shutdown Cooling System is available,
thereby preventing the reactor vessel from exceeding design temperature limits. It also
protects the concrete walls of the reactor cavity from exceeding design temperature limits
for all modes of operation. The RCCS removes heat by conduction through the graphite
reflector and by radiation and natural convection from the uninsulated vessel. The
system, which receives the heat transferred from the vessel, includes a cooling panel
placed around the reactor vessel. Heat is removed from the reactor cavity by natural
circulation of outside air through the cooling panel.
The natural draft air cooling concept is shown in Figure 2.4. The design has no
pumps, circulators, valves, or any other active components. The surface of the cooling
panel serves to separate the outside atmosphere from the reactor cavity atmosphere. This
minimizes the site boundary dose due to release of air activated in the cavity. The system
has multiple inlet/outlet ports and interconnected parallel flow paths to ensure continued
cooling in the event of blockage of any single duct or opening.
The system is required to operate continuously in all modes of plant operation to
support normal operations, and, if forced cooling is lost, it functions to remove decay
heat to ensure investment and safety protection. Since the RCCS is relied upon to meet
10CFR100 requirements, the system is classified as “safety-related” (General Atomics).
Figure 2-4 Shutdown cooling water flow system.
2.7 Safety Features
Health and safety of workers and of the public is a fundamental consideration in
GT-MHR plant design. A defense in depth approach to safety was used in the design of
the GT-MHR. Implementation of defense-in-depth results in the provision of multiple
barriers to the release of fission products and systems which limit the challenges to and
protect those barriers. Furthermore, these systems are capable of functioning despite
credible failures, by being redundant, independent, and divers.
The fundamental, inherent characteristics of the GT-MHR are listed below. These
characteristics tend to dominate the safety characteristics of the plant as a whole and
serve to prevent and mitigate accidents.
Coated Fuel Particles; Coated Fuel Particles can withstand extremely high temperature
without losing their ability to retain radio nuclides. Core temperature can remain at
1600C for several hundred hours without losing particle coating integrity. For design
basis events, peak expected fuel temperatures do not exceed 1460oC.
Graphite Moderator; Graphite can withstand even higher temperatures than the fuel and
without structural damage, which complements the fuel’s high temperature capability.
The graphite also holds up certain fission products, further reducing potential
radioactivity releases. Massive graphite structures in the core provide extremely large
heat capacity. Even under extreme conditions, reactor heat up is slow, so that days are
available for the operators to respond to an unusual event, such as loss of all AC powers.
Helium Reactor Coolant; Helium is chemically inert and neutronically transparent,
meaning it will not aggravate an accident by participating in any chemical or nuclear
reaction. Helium will not change phase in the reactor; therefore, it is impossible to have
problems of 2 phase flow within the reactor, such as steam bubbles which affect
reactivity and temperature control. Pump cavitation can not occur. The use of helium
minimizes the problems of primary system corrosion and greatly reduces the resultant
buildup of radioactive by-products associated with water-cooled reactors.
Negative Temperature Coefficient of Reactivity; The GT-MHR reactor core is
designed to have a negative temperature coefficient of reactivity. This characteristic
means that as the reactor gets hotter, the change in temperature alone tends to reduce
reactor power. For all credible reactivity addition events, the negative temperature
coefficient is sufficient to control reactor power (General Atomics).
3.1 Accidents Scenarios
In accordance with guidance laid out by the NRCs Technology Neutral Framework,
three classifications of events have been defined as a function of the event frequency:
1. Frequent Events (Anticipated Operational Occurrences)
2. Infrequent Events (Design Basis Accidents)
3. Rare (Beyond Design Basis Accidents)
Associated does releases for each event category are defined by the NRC based on
10CFR100 and 10CFR50.34 criteria (see Figure 2-2). DBA offsite dose guideline is 25
Rem as defined in 10 CFR 50.34. All postulated events for the GT-MHR are expected to
fall within the acceptable region. Potential pathways for radionuclide release are shown
in Figure 3-1.
The accident classifications used are consistent with what is defined in the GT-
MHR design conceptual report and the classification levels described above. Work
performed by Oak Ridge National Laboratory (ORNL) analyzed the fuel response under
various accident conditions. The main concern under accident conditions is whether the
fuel temperature exceeds the failure limit of 1600°C and a code developed by ORNL was
used to calculate these values over the evolution of an accident. The Graphite Reactor
Severe Accident Code (GRSAC) was developed to study a wide spectrum of core
transient and heatup accident scenarios for both the PBMR and the GT-MHR design. A
detailed 3-D thermal-hydraulics model was implemented and models were used to
characterize the SCS and RCCS.
Figure 3-1 Radionuclide Containment System
3.2 Safety-related Systems, Structures and Components (SSC)
The safety-related Systems, Structures and Components identified by the GA conceptual
design report include:
• Reactor System including neutron control assemblies, ex-vessel neutron detectors,
the reactor internals, reactor core, and fuel.
• Vessel System including the ASME Section III vessels and pressure relief
• Reactor Cavity Cooling System including the entire system as required for
removal of residual heat
• Reactor Protection System including all sensors, control logic, and housings
supporting safety reactor trips
• Fuel storage pools and wells which are part of the Reactor Service Building
• Essential AC and DC power systems
The SSCs are relied upon to perform one or more of the safety features in the event of an
accident and ensure dose releases do not exceed off-site dose limits at the exclusion
boundary.
3.3 Anticipate Operational Occurrences
Frequent events or AOOs typically occur at a frequency of around 10-2 to 10-3 per
reactor year and should not exceed does releases of 0.1 Rem. Typical AOOs considered
for LWRs include turbine trips, steam generator tube rupture. The DBAs analyzed in the
next section envelope all anticipated operational occurrences hence an analysis is not
necessary.
3.4 Design Basis Accidents
Design Basis Accidents considered for the GT-MHR include:
• Pressurized Loss of Forced Convection (P-LOFC) accident
• Depressurized Loss of Forced Convection (D-LOFC) accident
There are other DBAs that could be considered but these two events are expected
to encompass all other postulated DBAs. It should be noted that R&D efforts
investigating fuel failures and refining accident models are currently ongoing and much
work remains to fully qualify the DBA envelope. Conduction cooldown events occur
when both the PCS and the SCS have failed to perform their respective safety functions
as defined in Chapter 2. Decay heat is then removed passively by the RCCS via
conduction and convection heat transfer from the core (Figure 3-2).
Figure 3-2 Various Cooling Paths for Different Accidents Classes
3.4.1 P-LOFC Accident
The P-LOFC accident is typically initiated by a loss of offsite power and/or a turbine trip
in addition to the SCS failing to start. The assumption is a flow coastdown and scram at
the starting time of the initiating event, with only the passive RCCS operational for the
duration. The natural circulation of the pressurized helium coolant within the core tends
to make core temperatures more uniform, therefore lowering the peak temperatures, than
would be the case for a depressurized core, where the buoyancy forces would not
establish significant recirculation flows. Due to chimney effects of the RCCS, P-LOFC
events tend to make the core (and vessel) temperatures higher near the top. Reinforced
insulation is used near the top of the reactor vessel just for this purpose. High temperature
alloys such as Alloy 800H/Hastelloy X, which have high material strength, are proposed
to be used for the core barrel to allow for head room in that area. Results from the
GRSAC code are displayed below in Figure 3-3. A peak fuel temperature of 1290C
occurs at approximately 24 h, with the maximum vessel temperature of 509C at 72 h. For
the P-LOFC case, we are not concerned about the peak fuel temperature (typical nominal
“limit” for low-burnup TRISO fuel being 1600C) but rather the concern is more likely to
be a shift in peak heat load at the top of the core and the maximum vessel temperature.
This results in the axial distribution of maximum fuel temperature peaking towards the
inlet (Figure 3-4). The major failure mechanism associated with the reactor pressure
vessel failure mechanism is creep. In the presence of impurities, the creep rupture rate
can be affected negatively. The parameter most likely to affect the overall success of P-
LOFC outcomes, assuming that the RCCS is functioning properly, is the emissivity
controlling the radiation heat transfer between the vessel and RCCS. The GRSAC code
assumes a uniform emissivity of 0.8 between the reactor pressure vessel and the RCCS
over the full range of accident scenarios considered. ORNL performed some calculations
assuming a 25% decrease in the emissivities for both surfaces and found the peak vessel
temperature raises 37C. The difference in peak fuel temperatures is very small small (on
the order of 7C). This discrepancy between the peak fuel temperature and the vessel
temperature indicate how these two phenomena are not directly coupled.
Figure 3-3 P-LOFC Fuel and Pressure Vessel Response
Figure 3-4 P-LOFC Maximum Fuel Temperature Axial Profiles
3.4.2 D-LOFC Accident The D-LOFC accident is assumed to be initiated by a small primary coolant leak. The
source of the leak is not considered. The reactor trips automatically based on a decrease
in pressure and subsequently the control rods are dropped. The next assumption is the
primary heat sink fails immediately and the SCS fails to start on demand. Just like the P-
LOFC, the RCCS is the only system used to remove heat from the core. The D-LOFC
reference case assumes a rapid depressurization along with a flow coastdown and
SCRAM at the time of the initiating event. It also assumes that the depressurized coolant
is helium with no air ingress after the accident. This event has been characterized in other
literature as a Low Pressure Conduction Cooldown (LPCC), since the core effective
conductivity is the dominant mechanism for the transfer of afterheat from the fuel to the
vessel. In the reference case, the maximum fuel temperature peaks at 1494C 53 h into the
transient, and the maximum vessel temperature of 555C occurs at time = 81 h (Fig 3-5).
For the D-LOFC event, the peak fuel (and vessel) temperatures occur near the middle of
the core (Figure 3-6), rather than near the top as in the P-LOFC. This is due to the fact
that forced and natural convection effects for atmospheric pressure helium are
insignificant. There are several parameter variations of interest for this accident, which is
generally considered to be the defining accident for determining the “reference case
accident peak fuel temperature”. These variations are: effective core graphite
conductivity (which is a function of irradiation history, temperature, orientation, and
annealing effects), afterheat power versus time after shutdown; and power peaking factor
distribution in the core after shutdown. If maximum vessel temperatures are of concern,
emissivity effects should be considered. ORNL performed a sensitivity study for various
parameter changes as indicated below:
• Twenty percent decrease in core conductivity (with annealing): a 124C increase in
peak fuel temperature.
• Fifteen percent increase in afterheat: a 120C increase in peak fuel temperature.
• Twenty percent increase in maximum radial peaking factor: a 30C increase in
peak fuel temperature.
As in the case of the P-LOFC, the emissivities figure in most prominently in the
estimation of the maximum vessel temperatures. An assumed 25% decrease in vessel and
RCCS opposing surface emissivities resulted in an increase in maximum vessel
temperature of 54C, while the increase in peak fuel temperature was only 14C.
Figure 3-5 D-LOFC Fuel and Pressure Vessel Response
4.1 Beyond Design Basis Events
The pressurized and depressurized loss of forced convection with anticipated
transient without SCRAM (P-LOFC with ATWS and D-LOFC with ATWS) are
postulated beyond design basis events. Without the ATWS, the P-LOFC and D-LOFC
are considered design basis events and heat removal is expected to be completely
mitigated by active and/or passive cooling systems (Ball).
The GT-MHR employs two diverse and independent “active” systems to
shutdown the reactor: control rods and reserve material. These systems are considered
active when compared to the completely passive intrinsic negative Doppler reactivity
feedback. Xenon poison buildup as the decay daughter of Iodine as a fission product also
becomes important if the event extends over many hours. In an ATWS, it is assumed that
neither the control rods nor the reserve material can be utilized and the only mechanisms
available for reactivity control are Doppler feedback and Xenon poisoning. This
summary will not discuss the initiating events but rather will describe the responses of the
reactor (General Atomics).
The LOFC, whether it be pressurized or depressurized, eliminates the primary
heat removal mechanism from the core. Thermal relaxation occurs and flattens out the
core temperature, reducing the peak-to-average temperature ratio. Heat transfer to the
vessel wall either has significant natural convection or is dominated by radiation and
conduction, depending on whether the RPV is pressurized or not. The reactivity and
power are initially decreased by the temperature feedback, but recover slightly due to
reduced equilibrium Xenon concentration from reduced neutron flux.
The core and vessel wall slowly increase, as initially, heat removal via the RCCS
is insufficient. As the vessel wall temperature increases, the RCCS becomes more
effective with enhanced buoyancy effects. Eventually, equilibrium is reached when heat
transfers equalize, bringing flux and temperature to equilibrium values, where
temperature and Xenon feedbacks equalize. Since the equilibrium temperatures are
within safety margins, the reactor can sit at equilibrium for a long time. The only
parameter that can affect the power at this point is the burnup of the core (assuming all
other things remain constant) and the timescale for this effect is on the order of months.
When the reactor is in this high-temperature, low power condition, it is important
to respond to criticality before heat transfer. Initiation of a heat removal system, such as
the SCS or PCS serve to only lower the equilibrium temperature and thus increase
reactivity and power. If the overcooling is abrupt and significant the reactivity insertion
will be large and large damped power oscillations can occur. If coolant flow rates are
small, flow regimes are laminar and viscous forces dominate momentum within cooling
channels.
Viscosity of gases increases with temperature, so there is positive feedback.
Hotter channels create more viscous coolant, which starves the channels of flow, which
makes the channels hotter. This phenomenon is called “selective undercooling” and can
increase the maximum temperature within the core even though the average temperature
is decreased from increased heat removal. These hotspots can lead to failure of TRISO
particles in regions of the core. If the coolant flow rate is large, selective undercooling
can be avoided, all negative temperature reactivity can be removed, but the power can
overshoot the nominal power since Xe poison concentrations are low (Ball).
The first step in controlling these BDBEs is to shut down the nuclear reaction.
Fortunately, timescales for maximum temperature are on the order of hours and days, so
human factors can be effectively utilized. It is reasonable to assume that either the
control rods drive mechanisms or the reserve material systems can be fixed and the
nuclear reaction can be shut down. Perhaps the event that initiated the LOFC in the first
place can be remedied and the power can slowly be raised so as to not overshoot due to
diminished Xenon concentrations.
5.1 Risk Assessments, Risk Management, and Safety Goals
In accordance with NRC policy and goals, any risk to the inherent and
surrounding population of our reactor must be quantitatively assessed. Strategies for
continual management and minimization of this risk according to the NRC Policy on
Safety goals are critical to ensuring harmonious operation of the reactor with the local
environment and population.
Therefore, the GT-MHR has been designed with the overarching philosophy that has
guided and continues to guide the design of new reactors. In its simplest essence, that
philosophy can be broken down as follows:
Design and construct a reactor that safely and economically meets the
simultaneous requirements of the NRC and the needs of the consumer and user by
providing defense-in-depth according to four guidelines:
“1. Maintain Plant Operation
Reliably maintain the functions necessary for normal plant operation
including the plant states of energy production, shutdown, refueling, and
startup/shutdown operations.
2. Maintain Plant Protection
Assume that despite the care taken to maintain plant operation failures will
occur and provide additional design features or systems to prevent plant
damage.
3. Maintain Control of Radionuclide Release
Provide additional design features to ensure containment of radionuclides in
the event that normal operating conditions cannot be maintained and/or plant
protection is not assured.
4. Maintain Emergency Preparedness
Maintain adequate emergency preparedness to protect the health and safety of
the public in the event of that control of radionuclide release is not
accomplished.” (General Atomics)
However, because of the inherent dissimilarities between the GT-MHR and
currently operational light water reactors in how these principles manifest themselves, the
necessity of the traditional PRA is called into serious question.
5.2 Probabilistic Risk Assessment Relevance
In 1975, the Reactor Safety Study was undertaken in order to evaluate the safety
of currently operational light water reactors. Thus was born the probabilistic risk
assessment (PRA). Initially the scope of the first PRAs focused solely on internal events
that occurred under full power operation. As the utility of the PRA became apparent in
quantifying known risk factors of reactor operation, the applicability of the PRA was
expanded to encompass a full array of plant hazards, internal and external, as wells as
low power operational and shutdown modes (Fleming).
Several thousand reactor years now support the vast majority of PRAs through
pre-cursor insights, failure statistics, and event occurrence probabilities. Because of this,
many PRA conclusions have been validated and/or modified for accuracy and relevance
(Fleming). However, numerous challenges become apparent upon the application of the
PRA to a new reactor such as the GT-MHR. Some of these include but are not limited to:
• “Lack of design and operational details for reactors that are still in the pre-
conceptual or conceptual design state,
• Lack of relevant service experience from which to derive a PRA database, and
• Increased emphasis on the use of passive systems to perform safety functions in
advanced reactors
• Need to address events and event sequences within and beyond the design basis
• Inapplicability of risk metrics such as core damage frequency to reactors with
inherent reactor characteristics that are fundamentally different than those of
LWRs
• Lack of experience by reviewers and regulators who are familiar with PRA as it
has been applied to HTGRs” (Fleming, 1121)
Additionally, many of the themes espoused by regulators have origins within
LWR technology inapplicable to the GT-MHR. Many of these themes, although still
possibly useful, have to be somewhat redefined to maximize their utility within the scope
of new and fundamentally different reactors like the GT-MHR. Indeed, distinguishing
which themes are universally applicable to all nuclear reactors and which are pertinent
solely to LWRs is a significant challenge to both the regulatory community and those
involved in the design of new reactors. For instance, estimate of core damage frequency
is at the very heart of most PRAs, but CDF is not a relevant metric for the GT-MHR or
any of several other next generation reactors.
However, despite the challenges associated with employing PRAs with
unconventional reactors, several opportunities arise for improving not only the concept of
the PRA, but also the reactor design process as well. By integrating the PRA into the
design process, reactor architects can more completely assess the significant risk
sequences by being forced to determine more comprehensively initiating events and
event sequences. This allows a more accurate reckoning of appropriate licensing basis
events. Additionally, utilization of the PRA during the design process allows
incorporation of risk insights into various design options such as systems, structures, and
components. Finally, early employment and analysis of the PRA allows more efficient
allocation of monetary and safety analysis resources to areas yielding the greatest benefit
to public and occupational health, safety, and protection (Fleming).
A simple cost-benefit analysis of the merits of employing a PRA for the GT-MHR
are initially inconclusive as the challenges and new opportunities presented seem to
nullify each other. Critics of the PRA for new reactors cite uncertainty as a primary
factor in their argument; however, uncertainly is actually the greatest a reason a PRA
should still be performed for new reactors, albeit in a different manner and with a
different objective. By not employing a PRA in a new reactor design, one immediately
loses a tremendous amount of insight into the inherent uncertainty presented by various
aspects of any unfamiliar reactor. An initial, cursory analysis unveils and illuminates
many uncertain aspects of the preliminary design and allows the fixable aspects to be
improved upon greatly before the design is actually certified and sent out for
construction. Therefore we submit that the standard CDF-based PRA is summarily
insignificant to the preliminary safety analysis of our reactor but is still a very useful tool
in the design process of our reactor and of invaluable assistance in identification of
licensing basis events.
5.3 Risk Management
One of the most appealing features of the GT-MHR reactor is that the most
significant risks are managed naturally and inherently through the reactor’s passive safety
features and inherently stable fuel configuration. Even though the reactor was designed
with a defense-in-depth approach that minimizes the risk of accidental occurrences, it is
still assumed that these accidents will happen for the sake of ensuring that the design
responses are absolutely completely adequate to mitigate all foreseeable accident
consequences.
Therefore, if all goals of the reactor design are met, then plant operation will have
a negligible effect on public health and safety under an all-encompassing array of both
expected and postulated scenarios. The theme of redundancy and diversity in safety
system design has permeated reactor design in the past and is certainly employed
extensively in the GT-MHR. Safety to the public and occupational sector is ensured by
an arrangement of multiple, independent provisions, none of which are relied upon
singularly enough to allow any one failure to unnecessarily jeopardize any safety
considerations. If (according to the predicted probability) fission products are still
released into the environment, precautions are in place to ensure their immediate and
innocuous remediation.
During a design basis accident scenario, the prevalence of passive safety features
minimizes the chance of operator error and allows operator training and protocol to be
more aptly focused on the smaller number of variables available to them to work with.
Because the GT-MHR’s passive safety features are so important to the
management of risk associated with anticipated operational occurrences and design basis
accidents, the critical ones will be recapitulated. The single greatest barrier to fission
product release is the structure of the fuel, i.e. the TRISO coated fuel particles. Because
the particles can remain exposed to temperatures as high as 1600°C for several hundred
hours at no cost in structural integrity, the peak expected event temperature of
approximately 1460°C is rendered a relatively minor concern. With the exception of a
few very specific fission nuclides (most notably Pd and Ag) all radionuclides are totally
retained within the fuel particles. Due to processing variability, there will always be a
small portion of already defective particles and it is predominantly these particles that are
responsible for any releases.
The next barrier is the prismatic graphite core itself. Graphite’s high temperature
stability is remarkable, to an even greater extent than the fuel. In the event of
radionuclide release, the graphite provides yet an additional barrier to escaped fission
products. The helium coolant is the next integrative safety design characteristic. It is
chemically inert at all temperatures to all species present in the reactor environment. Its
neutronic absorption properties are so insignificant that it contributes virtually no
reactivity. It cannot present complicated two-phase flow problems that yield
unpredictability into reactivity and temperature moderation. It cannot induce pump
cavitation. All of these properties make it an ideal contributor to the overall safety of this
reactor.
As with all contemporarily designed reactors, the GT-MHR exhibits negative
temperature coefficient of reactivity. For all postulated reactivity additions, this property
alone keeps reactor power within mitigable circumstances. Finally, the size and shape of
the core, along with its low power rating and density allow the natural, passive processes
of heat transfer, radiation, conduction, and convection, to dissipate enough heat such that
the fuel particles are kept below design threshold temperatures.
5.4 Emergency Planning
In the event that an accident constituting emergency conditions does occur,
regulatory and procedural framework is in place to ensure a minimum of risk the
surrounding public and environment. Because of the inherent similarities between the
GT-MHR and its older design counterpart, the MHGTR, the emergency planning
conditions for that reactor will be presented.
“For purposes of emergency planning, EPA-520/1-75-100 provides Protective
Action Guides (PAGs) for exposure to airborne radioactive materials, contaminated
foodstuff or water, and contaminated property or equipment. (Ref. 6) The NRC has
provided implementation requirements in 10CFR50 Section 50.47 and Appendix E for
emergency planning. Therein, it is noted that, generally, a plume exposure pathway
Emergency Planning Zone (EPZ) of 10 miles in radius and an ingestion pathway EPZ of
80 kilometers (50 miles) in radius provide an adequate planning basis. The technical
basis for the selection of these EPZ distances is given in NUREG-0396, wherein it is
found for LWRs that, for all but the most improbable events, the PAGs would not be
expected to be exceeded 10CFR50 Appendix E further states beyond these distances.
(Ref. 7) However, that "the size of the EPZs also may be determined on a case-by-case
basis for gas-cooled nuclear reactors and for reactors with an authorized power level less
than 250 MW thermal." For the FSV-HTGR plant, smaller EPZ radii have been selected
for planning purposes. (Ref. 8) Therefore, while the PAGs provide numerical
guidelines for emergency planning purposes which are appropriate as top-level
regulatory criteria, alternative implementing bases for determining appropriate EPZ
distances can and have been developed for the Standard MHTGR (see Sections 1.2 and
13.1).” (Preliminary Safety Information Document for the Standard MHGTR)
5.5 Safety Goals
It is the expressly declared policy of the NRC to maintain a policy requiring an
acceptable level of radiological risk due to nuclear power plant operation to the general
public for all facilities. In 1986, the President’s Commission on the Accident at Three
Mile Island issued a recommendation to the NRC which was adopted into a policy
statement:
Individual members of the public should be provided a level of protection from
the consequences of nuclear power plant operation such that individuals bear no
significant additional risk to life and health.
Societal risks to life and health from nuclear power plant operation should be
comparable to or less than the risks of generating electricity by viable competing
technologies and should not be a significant addition to other societal risks.
The statement above has come to be known as the Safety Goal Policy Statement.
Two primary quantitative objectives are used as a metric of achievement for the goal:
The risk to an average individual in the vicinity of a nuclear power plant of
prompt fatalities that might result from reactor accidents should not exceed one-
tenth of one percent (0.1 percent) of the sum of prompt fatality risks resulting
from other accidents to which members of the U.S. population are generally
exposed.
The risk to the population in the area near a nuclear power plant of cancer
fatalities that might result from nuclear power plant operation should not exceed
one-tenth of one percent (0.1 percent) of the sum of cancer fatality risks resulting
from all other causes.
These statements are not intended as actual regulatory statutes, but as guidelines
for safety design and mitigation planning. Other themes have been proposed as additions
to the policy statement and many of these themes have become a de facto part of the
current policy and safety design paradigms.
In accordance with the policy goal statement, dose release predictions have been
assessed and are currently being modeled for a variety of design basis and beyond design
basis scenarios. Because radionuclide release from a depressurized conduction cooldown
scenario is the most likely candidate for offsite exposure, GA’s preliminary benchmark
calculations are focused on this event. Because of the nature of the radionuclide release
mechanisms from the fuel, the release is a slow, gradual process whose parameters
largely depend on the magnitude of the leak. At first glance, a large leak like a bypass
line failure might seem like a greater concern, but a small leak is actually a more
effective vehicle for fission product carriage due to its ability to transport radioactivity
hours after depressurization initiation.
In any case, the point estimate offsite doses at the 425 meter site exclusion area
boundary are significantly less than the lower Protective Action Guide limits for
sheltering. The table below shows the preliminary estimates.
Figure 5-1 Depressurized Conduction Cooldown Offsite Doses from GA Conceptual Design Report
As the table indicates, in both cases the thyroid dose is a more limiting concern
than the total effective dose equivalent, with margins of about a factor of only 100,
compared to 200 with respect to the PAG. Although this is only an initial and extremely
cursory analysis based on GA’s first GT-MHR design, one can safely conclude that these
estimates will not very greatly from similar estimates made for the more current design
we are investigating. It should be noted that meeting the 10 CFR 100 guidelines for
release is not even really a question; however, conservatisms required by the NRC are not
fully taken into account here and will later be accounted for pending application of much
more thorough and robust dose release models.
Given recent advances in monitoring technology, much more accurate reactor
condition monitoring is now possible allowing much more accurate burn-up history
assessment. From an accurate burn-up history, a radionuclide inventory appraisal can be
used to more concretely assess probable dose release consequences in the event of an
accident scenario.
5.6 Risk Assessment and Management Conclusions
The GT-MHR utilizes its probabilistic risk assessment in a fundamentally
different manner than do standard operating LWRs. Rather than having a PRA retrofitted
onto the already operational reactor, the PRA should be thought of as invaluable tool in
the design process for identifying and assessing the likelihood of design basis events and
anticipated operational occurrences. Quantifying logical event trees associated with
accidents into core damage frequencies that have no relevant analogue in reactors such as
the GT-MHR is anachronistic and should not have a bearing on the license application of
the GT-MHR or other advanced reactors in similar predicaments. This is not to say that
logical event trees are irrelevant in risk determination and qualification, but a standard
metric end result of all accidents such as core damage frequency is irrelevant here and
should be rendered obsolete for advanced reactors or replaced/modified with something
like a threshold release frequency or something similar with meaning.
Risk management for the GT-MHR is not entirely dissimilar from that of LWRs,
but is handled inherently to a much greater degree as a result of the permeating of passive
safety features throughout the design. Emergency planning is handled almost identically
to the current prevailing procedures.
6.1 Seismic Safety Overview
The site selected for construction of the GT-MHR is Diablo Canyon. It is a
particularly seismically active region, being extremely close to the Hosgri fault which lies
underneath the Pacific Ocean a few miles West and South of the site. When the site was
initially selected for construction of the reactors, the fault had not yet been discovered.
Once the activity and proximity of the fault was known, severe enhancements to the
seismic safety of the plants were implemented. It is probably safe to say that if the fault
were identified beforehand, Diablo Canyon would not have been selected as a site for
construction of nuclear power plants. This is not necessarily because of safety concerns
(the Diablo Canyon reactors operate safely today), but because of the great monetary
investments that could easily be avoided by building reactors elsewhere.
The GT-MHR design employs significantly fewer components than a
conventional LWR and those components tend to be more compact. The entire direct
Brayton cycle fits inside of a steel pressure vessel, the Power Conversion System (PCS).
Not only does this provide an additional layer of containment over an LWR, but it also
allows restraint of each component to a single structure. The state of California boasts
many reactor-years of experience with direct Brayton cycle natural gas turbines, so this
plant system is considered sufficiently explored with respect to seismic safety.
The core itself resides within the Reactor Pressure Vessel (RPV) and is composed
of solid blocks stacked in a pile. This core arrangement is not susceptible to bowing or
buckling induced by vibrations. The only credible seismic failure mode identified by the
group was shearing of the cross-vessel connecting the RPV to the PCS by way of
differential displacement of the two vessels during a seismic event. The primary coolant
system resembles a tuning fork and the weakest and most critical section of the barrier is
at the bottom.
At the time of this project, analyses of the response of the GT-MHR to
seismically induced vibrations were not available. Fragility curves for individual
components were not calculated and problematic structures were not identified. The
Hazard curves for the site were available, but are identical for every design group and
thus would not require any novel analysis or insight. It was decided to do a simple
structural analysis of the primary coolant system to identify the natural vibratory periods
and compare these periods to those typically excited by an earthquake.
6.2 Structural Model Description
The structural analysis emulates models employed in virtually every example in
the textbook “Dynamics of Structures: Theory and Applications to Earthquake
Engineering” by A. Chopra. Essentially, three-dimensionally resolved structures are
condensed into two-dimensional frames with massless frame elements and lumped nodal
masses affixed to the ends. The frame elements are assumed inextensible with small
deformations so that linear stress-strain relationships can be used. Rotational momentum
of each node is neglected. The RPV and PCS were assumed to be restrained from the top
with pin connections that permit rotation but not translation. A more rigorous analysis
would represent any base isolation as a separate frame element with a fixed restraint at its
free end. Figure 6-1 below shows a diagram of the primary coolant system and the
structural model used.
Figure 6-1 Structural Model for Seismic Analysis
Five frame elements, four nodal masses, and five vibratory modes were
considered. Three of the vibratory modes were translational and two were rotational.
Schematics of these modes can be seen above in Figure 6-1. Each of these modes
resulted in an independent resonant vibratory frequency. After forming the relevant
matrices, the problem reduces to determining the eigenvalues of a matrix:
0)mk( 2nf =Φω− � 0)Adet( =Ιλ− .
The advantage of this frame analysis over using FEA software such as Ansys or Algor is
the transparency. Appendix A describes the matrices involved in calculating the resonant
vibratory periods.
6.3 Structural Analysis Results
The five natural vibratory periods calculated for the model are as follows:
Mode Tnat [s]
u1 1.8
u2 0.18
u3 0.041
u4 0
u5 0
Figure 6-2 Vibratory Mode Natural Periods
The first modes period of 1.8 seconds is quite long. The mode represents swaying of the
entire system about the pin restraints, just like a pendulum. A first order check confirms
this. If one uses the equation for a pendulum: k2T Ιπ= , a period of the same order of
magnitude is found. Perhaps this structural model is not physical in this sense, since a
good structural engineer would try to avoid a free swinging nuclear reactor pressure
vessel.
The fourth and fifth vibratory modes result in no natural period. It is believed this
is the case because there is no frame element to resist the translation. There is no
stiffness associated with frame element d moving with respect to its node. It is
essentially a cantilever beam attached to the system by a pin connection. Perhaps
modeling the bottom halves of the PCS and RPV as single frame element is also non-
physical. If they were modeled to include the sides and bottom of the vessels in a “U”
shape, some stiffness would be considered and the structure would show some resistance
to translation. This is a major deficiency in the model but is perhaps not important for the
conclusions.
The second and third rotational vibratory modes have periods that are fractions of
a second. These seem to be realistic in magnitude. They also were considered the most
important modes with respect to shearing the cross-vessel, so once these periods were
considered correct, no further adjustments were made to the model. The problem with
these periods is that they are in the region most excited by a typical earthquake. The
figure below shows that this region of natural vibration periods results in the highest
pseudo-acceleration during an earthquake.
Figure 6-3 Typical response spectrum from an earthquake
At this point in the analysis, the design was considered extremely susceptible to
earthquakes and many mitigation techniques were considered. Even though the reactor is
considered capable of maintaining safe conditions during a large break loss of forced
convection accident, the financial implications of building this reactor in a seismically
active area are devastating.
The first mitigating technique was base isolation. Base isolation “lengthens the
fundamental vibration period of [a] structure and thus reduces the pseudo-acceleration for
[a] mode…and hence the earthquake-induced forces in the structure,” (Base Isolation,
749). An order of magnitude analysis found that base isolation could lengthen the natural
period by up to 10x. If this technique were used, the second and third mode periods
could be increased to 1.8 and 0.41 seconds. Unfortunately, one period is still within the
worst range.
Damping would reduce maximum pseudo-acceleration from the resonating of the
structure at the excited periods. It is a difficult factor to quantify and usually 5% is
assumed as a conservative number in calculations. It is a possible strategy to combat
seismic response, but is not typically used in real-world structures.
Other strategies considered were attachment of heavy weights in specific
locations to offset natural periods, and reinforcement of the vessels to minimize
differential displacement. The easiest, most practical, and least daring strategy, was
simply to not build the reactor in a seismically active region like Diablo Canyon. If risk
is significant and unnecessary and it can be avoided, then it should be avoided.
6.4 General Atomics Vessel Support Arrangement
After the structural analysis was performed, a short section addressing seismic
issues was found in the GT-MHR Conceptual Design Report of 1999. The section
describes in intricate system whose purpose is to eliminate differential displacement and
mate vertical and horizontal movement of the vessels to that of the reactor building.
The section outlines the purpose of each feature of the vessel support
arrangement. Both vessels are supported vertically at the height of the cross-vessel so
that differential thermal expansion of the vessels is unimportant. These supports employ
“sliding pads” that are able to translate horizontally to accommodate any horizontal
thermal expansion. At the same time, movement of the vessels with respect to the reactor
building is minimized.
Relative motion of the vessels is moderated with support frames. Lateral frames
span the gap between the two vessels and restrain them from differential movement,
while at the same time allowing thermal expansion. All interfaces allow slow
displacements associated with thermal expansion, but “snub” or suppress fast oscillations.
The conclusion of the Conceptual Design Report is that structural solutions exist
for mitigation of seismic response of the reactor. Real-world solutions that have been
proven in the past can be successful in reducing the overall seismic risk of the reactor.
7.1 Seismic Conclusions
Based on our preliminary cursory analysis, we conclude that it is feasible to
license and safely operate the GT-MHR at the Diablo Canyon site. However, our seismic
analysis indicates that extensive structural modification would be necessary to ensure
minimal seismic excitation of the design. The required seismic modification would
significantly increase the amount of investment capital required to construct the reactor as
well as the construction time.
The final impact of building the reactor at the Diablo Canyon site is a tremendous
increase in the cost of the reactor and its overall construction time. Additionally,
tremendous modification of the site would be necessary above and beyond what would
normally be required.
A much more desirable solution would be to site the reactor in a region of
California less prone to seismic activation than the Diablo Canyon site. As the map
below indicates, there are great portions of California that exhibit significantly less
seismic risk.
Figure 7-1 Seismic Shaking Hazards in California (California)
Because a high peak ground acceleration (PGA) is tantamount to high seismic
risk, the lone section of the map exhibiting less than 10% PGA spanning the western
sides of El Dorado, Amador, Calaveras, and Tuolumne counties represents the most
seismically ideal place to construct our reactor. Additionally, the much lower population
density of that area as well as its significantly less expensive land costs make that region
the probable alternative selection for a GT-MHR site within California.
7.2 Design Basis Accident Conclusions
The analyses performed by S. Ball conclude that maximum core temperatures
during P-LOFC and D-LOFC accidents do not breach the 1600°C. Since this is the
parameter that determines failure or success of the primary radionuclide barrier, it can be
said that safety of the plant and public are maintained. The slow temperature transient
and passive removal of heat to limit peak temperatures to margins of hundreds of degrees
below the limit are testaments to the overall robust, simplified safety approach of GT-
MHR.
Appendix A - Structural Matrices
In order to determine the natural vibration periods of a structure, certain structural
matrices must be defined. The eigenvalue problem is arranged as follows:
0)mk( 2nf =Φω− � 0)Adet( =Ιλ− ,
where mkA 1f−≡ ,
2n
1ω
≡λ , and ≡Ι Identity matrix.
The matrices involved are Φ , the vibratory modes, nω , the natural frequencies,
fk , the global stiffness matrix, where fsT
ff AkAk = , sk , the structural stiffness matrix,
fA , the compatability matrix, which relates deformation to displacement, where
uAv f= , and m, the mass influence matrix. The relation between frequency and period
is used: π=ω 2T nn .
The form of each matrix is shown below:
=
e
d
c
bb
bb
a
s
LEI3
LEI3
LEI3
LEI4
LEI3
LEI3
LEI4
LEI3
k,
−−
−
−
=
ee
dd
c
a
L11L1
L11L1
1L1
1
1
1L1
Af ,
+
=
4
3
21
m
m
0
0
mm
m , )RR(4
4i
4o −π=Ι .
The following values were used for the physical parameters within the matrices,
defined in section “4.2 Vessel System” in the Conceptual Design Report. Masses were
multiplied by 5 to approximately account for internal components whose masses are
unknown:
Lumped node Mass [metric tons]
1 840 x 5
2 1050 x 5
3 540 x 5
4 280 x 5
Frame Element Length [meters]
La 20
Lb 12.6
Lc 17.5
Ld 15.2
Le 5.9
Young’s Modulus of Elasticity [GPA] 200
Frame
Element
Inner
Diameter [m]
Shell
Thickness [m]
a 7.5 0.152
b 2.29 0.0762
c 7.2 0.216
d 7.5 0.152
e 7.2 0.216
References
Ball, S. (2005). Sensitivity Studies of Modular High-Temperature Gas-Cooled
Reactor Postulated Accidents. Nuclear Engineering and Design, 236, 454-462.
Chopra, A. K. (2000). Dynamics of Structures: Theory and Applications to
Earthquake Engineering. London: Prentice Hall.
Fleming K. (2005, September). Challenges and Opportunities in the Performance
of PRAs on New Reactors. International Topical Meeting on Probabilistic Safety
Analysis.
General Atomics. (1996). Gas Turbine-Modular Helium Reactor (GT-MHR)
Conceptual Design Description Report.
Executive Director for Operations. (2000). Modifications to the Reactor Safety
Goal Policy Statement (SECY-00-0077). Washington D.C.: U.S. Nuclear Regulatory
Commission.
Executive Director for Operations. (2004). Regulatory Structure for New Plant
Licensing Part 1: Technology Neutral Framework (NUREG-xxxx), Working Draft
Report, Washington D.C.: U.S. Nuclear Regulatory Commission
Preliminary Safety Information Document for the Standard MHGTR. (various authors/contractors). DOE/HTGR--86-024-Vol.1.
California Geological Survey. Seismic Shaking Hazards in California. (October
2006). Retrieved May 12, 2007, from
http://www.conservation.ca.gov/cgs/rghm/pshamap/pshamain.html