- Email: [email protected]
Discussion on the accident behavior and accident management of the HTGR
Nuclear Engineering and Design 360 (2020) 110497
Contents lists available at ScienceDirect
Nuclear Engineering and Design journal homepage: www.elsevier.com/locate/nucengdes
Discussion on the accident behavior and accident management of the HTGR Zhipeng Chen, Yan Wang, Yanhua Zheng
⁎
T
Institute of Nuclear and New Energy Technology, Collaborative Innovation Center of Advanced Nuclear Energy Technology, Key Laboratory of Advanced Reactor Engineering and Safety of Ministry of Education, Tsinghua University, Beijing 100084, China
A R T I C LE I N FO
A B S T R A C T
Keywords: High Temperature gas-cooled Reactor Pebblebed Modular (HTR-PM) Inherent safety Accident analysis Accident management EEOP BAMG
High Temperature Gas-cooled Reactor (HTGR), which plays an important role in the worldwide development of Generation-IV nuclear energy technology, is well-known for the high safety, high efficiency and process heat application. A commercial-scale 200 MWe High Temperature gas-cooled Reactor Pebble-bed Module (HTR-PM) has been designed and is now under construction in Shandong Province, China. Most of the construction and installation work have been finished and the connection to the electric grid will be expected in the end of 2020. In this paper, the reactor behaviors of the HTR-PM during the typical design basis accidents (DBAs) and beyond design basis accidents (BDBAs) have been introduced. In the DBAs, the maximum fuel temperature will never exceed its design limitation of 1620 °C, below which under the design burn-up the “Tristructural-isotropic” (TRISO) coated particles can effectively retain their fission-product inventory. Even in the typical BDBAs with extremely low probability, there is enough time, e.g. several days, to adopt appropriate measures to mitigate the consequence, so that the large release of the radioactive materials would not happen. Accident management is important for the nuclear power plant. Besides, After the Fukushima Dai-ichi nuclear accident, in the worldwide, people are more concerned about the severe accident management of the nuclear power plant, and some standards and guidelines are issued. Based on the accident analyses of the HTR-PM, its accident management is studied and discussed. The designers believe that the accident management procedures can be simplified and no offsite emergency measures are needed for the HTR-PM due to the inherent safety design. Compared to the other types of the nuclear power plant, e.g. the Pressurized-Water Reactor (PWR) power plant, the Severe Accident Management Guideline (SAMG) can be simplified or even unnecessary for the HTRPM. Above work also can provide reference for the further study on the safety regulations, standards or guidelines for the design, operation and accident management of the HTGR.
1. Introduction Accident analysis and accident management are important for all nuclear power plants. Besides, after the Fukushima Dai-ichi nuclear accident, the severe accident gains more and more attention in the nuclear industry and the regulatory body. For example, according to the policy of the regulatory body in China the Severe Accident Management Guideline (SAMG) is required for all nuclear power plants. High Temperature Gas-cooled Reactor (HGTR) with well-known safety features has been selected as one of the candidates for the Generation IV nuclear energy system and can be widely used for power generation, heat supply and technology heat utilization. A commercialscale 200 MWe High Temperature gas-cooled Reactor Pebble-bed Module project (HTR-PM) has been designed and is now under construction in China (Zhang, 2007; Zhang et al., 2009).
⁎
During the design and analysis of the HTR-PM, the nuclear safety regulations issued by Chinese government were followed, while relevant IAEA and NRC regulations, standards and guidelines were referred to. Since the HTGR is quite different from the Water Reactor in design philosophy and accident characteristics, during the licensing process, hard discussion has been carried out on accident analysis and accident management, and finally a consensus was reached and fruitful results were obtained. In this paper, the typical Design Basis Accident (DBA) scenarios and Beyond Design Basis Accident (BDBA) scenarios of the HTR-PM have been analyzed. Based on the accident behaviors of HTR-PM, its accident management is discussed. It can be expected that the accident management of the HTGR with the inherent safety design could be significantly simplified compared to the current generation II and generation III nuclear power plants.
Corresponding author. E-mail address: [email protected] (Z. Yanhua).
https://doi.org/10.1016/j.nucengdes.2019.110497 Received 21 March 2019; Received in revised form 19 December 2019; Accepted 19 December 2019 0029-5493/ © 2019 Elsevier B.V. All rights reserved.
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Some important engineered safety systems and typical accident scenarios of the HTR-PM are introduced in section II. Section III presents some calculation results for the typical DBAs and BDBAs. The accident management of the HTGR is discussed in section IV. Finally, section V presents the summary and the further work that need to be carried out in the future. What need to be pointed out in particular is that this set of BDBAs are derived by the combination of deterministic assessments, probabilistic assessments and engineering judgment. The selection, analysis and evaluation of these BDBAs follow the philosophy, which is introduced in the IAEA standards (IAEA, 2016) for the Design extension conditions (DEC)1. 2. HTR-Pm The HTR-PM nuclear power plant consists of two pebble-bed modular reactors, which are connected to a single steam-turbine generator for a combined power of 500 MWt and an electrical generating efficiency of about 42%. The primary circuit of the HTR-PM is shown in Fig. 1, while the general design parameters are listed in Table 1. In each modular, the reactor core is a packed bed of 11 m average height and a diameter of 3.0 m, holding roughly 420,000 spherical fuel elements with a diameter of 6.0 cm once the core achieves an equilibrium state. For each fuel element, approximate 12,000 “Tristructuralisotropic (TRISO)” coated fuel particles of 0.92 mm diameter are scattered in the inner graphite matrix with a diameter of 5.0 cm to form the fuel zone, while the outer zone is a fuel-free matrix graphite shell. According to the enrichment of fresh fuel element used in the HTRPM, as well as the design burn-up, the temperature limitation of the HTR-PM fuel elements during DBAs is set at 1620 °C, below which the fission-product-retention capability of the TRISO particles can be well guaranteed (IAEA, 1997; Recommendation of the reactor safety commission on the safety concept of a High-Temperature Modular Power Plant, 1990; Zheng et al., 2009). Due to the excellent fission-product-retention capability of the TRISO particles, during the normal operation, the radioactivity in the primary circuit is maintained at very low levels. It is necessary to point out that the large heat capacity of several hundred tons of graphite, which is the main material of the fuel element, reflector and carbon brick, can effectively limit the temperature increase rate during the accidents. Besides, the thermal decomposition of the SiC layer of the TRISO particle can be obviously detected only when its temperature reaches 2100 °C, and the fusion point of the graphite is much higher than 3000 °C. In the HTR-PM, two independent shutdown systems, the control rod system and the Small Absorber Sphere (SAS) system, are designed and installed in the side graphite reflectors.
Fig. 1. Cross-section of the HTR-PM reactor. 1 reactor core; 2 side reflector and carbon shield; 3 core barrel; 4 reactor pressure vessel; 5 steam generator; 6 steam generator vessel; 7 coaxial hot-gas duct; 8 water-cooling panel; 9 blower; 10 fuel discharging tube; 11 control rod driving system; 12 small absorber sphere unit; 13 fuel charging tube. Table 1 Main design parameters of the HTR-PM.
2.1. Engineered safety system Some important engineered safety systems are introduced below. (1) Primary pressure release system In the HTR-PM, the design pressure of the RPV is 8.1 MPa, and the pressure limit under Anticipated Operational Occurrence (AOO) is 110% of the design value. The primary pressure release system is designed as a two-fold redundancy to protect the reactor pressure boundary from overpressure. The set points of the two safety valves are 7.9 MPa and 8.4 MPa respectively, while the discharge flow rates are about 0.17 kg/s and 1 During the licensing process of the HTR-PM, “BDBA” is still used in Chinese regulations. In the future, with the issue of the new regulations, standards and guidelines following IAEA, it will be replaced by “DEC”.
2
Parameter
Value
Reactor total thermal power, MWt Rated electrical power, MWe Average core power density, MW/m3 Net electrical efficiency, % Primary helium pressure, MPa He temperature at reactor inlet/outlet, °C Primary helium flow rate, kg/s Core main flow rate, kg/s Heavy metal loading per fuel element, g Enrichment of fresh fuel element (for the equilibrium core), % Active core diameter, m Equivalent active core height, m Diameter of the RPV, m Number of fuel elements in one module Number of fuel passages through the core Average burn-up, GWd/tU Main life steam pressure, MPa Main life steam temperature, °C Main feed water temperature, °C
2 × 250 210 3.22 42 7 250/750 96 ≥86.4 7 8.5 3 11 ~6.0 420,000 15 90 13.9 571 205
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
environment, so as to prevent the large release of the radioactive materials. According to the design of the HTR-PM, if a small DLOFC accident happens, for example, a tube with the diameter less than 10 mm breaks, the gas mixture in the containment will be released after being filtered. However, for a large DLOFC accident, which means a tube with the diameter larger than 10 mm breaks, there exists a short time unfiltered release. The details will also be introduced in Section 3.1. The VLPC is a special structure of the HTR-PM based on the inherent safety design.
11.7 kg/s respectively. Both safety valves are expected to close again once the primary pressure has reached the value of 6.9 MPa. (2) Reactor Cavity Cooling System (RCCS) In the HTR-PM, the RCCS (Zheng et al., 2009) is designed as a passive system to remove the heat from the reactor pressure vessel (RPV) and reactor cavity to the final heat sink – the atmosphere in normal and accident conditions, ensuring the thermal integrity of the RPV and the cavity concrete. The water-cooling panel, placed on the inner surface of the reactor cavity concrete, mainly consists of a cylindrical plate and vertical cooling tubes uniformly welded on the plate. In accident condition, after scram of the reactor and stop of the forced circulation, the decay heat can be transferred from the core to the RPV mainly by heat conduction, and then from the RPV to the water-cooling panel by radiation and natural convection. Therefore, the water in the tubes will be heated up forming the natural circulation and flow upwards to the air-cooling tower, where the heat can be finally transferred to the atmosphere. (3) Reactor Pressure Vessel support cooling system Besides, the RPV support cooling system is also designed as a passive system, which can guarantee the temperature of the concrete near the RPV support below the limitation, even in the BDBA of the complete failure of the RCCS.
(7) Helium purification system The helium purification system is designed to purify the primary coolant to specified values by removing chemical impurities (H2O, O2, CO, CO2, N2, H2, CH4, etc.), as well as regulate the helium inventory and thereby control the primary pressure. In water ingress accident, after the reactor scram, a stand-by accident purification line, which is specially designed with water separator and serves both modules, can start up to remove the superfluous water, as well as cool down the hot core, so as to effectively mitigate the accident. In HTR-PM, most systems and components are designed to work independently, which means one system or component only serves one reactor. Few systems or components are used by both reactors. For example, in helium purification system, there are two normal purification lines, each serves one reactor. However, only one accident purification line is designed and serves both reactors.
The design capacity of the RPV support cooling system is 23 kW, which can guarantee that during the normal operation the temperature of the mass concrete near the RPV is below 65 °C. While in abnormal condition, the temperature of mass concrete is below 90 °C.
2.2. Protection system
(4) Secondary circuit isolation system Two feed-water isolation valves, as well as two live-steam isolation valves, are installed on the feed-water line and the live-steam line respectively. In accident condition, these valves will close automatically soon after the accident is detected and the protective actions are triggered. (5) Steam Generator (SG) emergency drainage system The SG emergency drainage system is specially designed for the water ingress accident. High attention has been paid to the water ingress phenomenon because it is one of the most particular and important accident types for the HTGR (Lohnert, 1992). An airtight drainage tank, installed inside the reactor building below the SG, is connected to the feed-water line via two parallel and independent relief lines. In each relief line, there are two relief valves. The large content of the steam and water between the feed-water isolation valves and the live-steam isolation valves can be discharged to the tank within 60 s if the high humidity in the primary circuit is detected and the relief valves is open, so as to reduce the water ingress amount to the primary circuit. The relief valves will close again when the pressures of primary circuit and secondary circuit reach balance.
During the normal operation, if any accident is detected by the protection system, protective actions will be executed immediately, including: ▪ Dropping of control rods ▪ Shutdown of blower and close of blower flap ▪ Isolation of secondary circuit Besides, if a DLOFC accident is detected by high pressure sliding rate (absolute value) of the primary circuit, the isolation of primary circuit will also be executed. The highly reliable and redundant humidity sensors in the primary circuit can detect the water ingress accident and the SG emergency drainage will start immediately. For the BDBA of Anticipated Transient Without Scram (ATWS), the SASs will be dropped to introduce the negative reactivity in case that the drop of control rods fails and the malfunction cannot be repaired in a short time.
2.3. Typical accident scenarios Table 2 lists the classification of the plant states, as well as their frequencies and evaluation criteria. Typical accident scenarios of the HTR-PM include:
The drainage tank, designed with sufficient volume, is pre-filled with a small amount of cold water. The high temperature steam and water discharged into the tank can be cooled down with the temperature and pressure below the design limitation of the tank.
Table 2 Classification of the HTR-PM plant states.
(6) Ventilated low pressure containment (VLPC) Compared to the airtight confinement, a VLPC is used in the HTRPM. In normal operation, a negative pressure (50 Pa below the atmospheric pressure) is kept in the containment. The air in the containment is released to the environment through a stack after being filtered. Besides, an accident negative pressure ventilation system is designed to filter the gas in the containment, for example after a Depressurized Loss of Forced Cooling (DLOFC) accident, before it is released to the
Category
AOO
DBA1
BDBA2
Frequency (/module/year) Evaluation criterion
> 10−2
10−2 ~ 10−4
10−4~10−6
< 10−6
0.25 mSv (/plant/year)
5 mSv
10 mSv
< 10−6
1The DBA is evaluated with the “off-site individual effective dose” at the site boundary in a single accident. 2A trial risk metric is recommended by the HTR-PM safety review principles: “The cumulative frequency of all the beyond design basis accident sequences which may cause the off-site (including site boundaries) individual effective dose exceeding 50 mSv should be less than 1E−6/RY”. 3
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Table 3 Typical DBAs analyzed for the HTR-PM. Reactivity accident
▪ ▪ ▪ ▪ ▪
Inadvertent withdrawal of one control rod in normal operation Inadvertent withdrawal of one control rod from low power condition Inadvertent withdrawal of one control rod from a subcritical condition Pebble bed densification due to OBE (operating basis earthquake) Inadvertent acceleration of main helium blower
Main heat transfer system malfunction
▪ ▪ ▪ ▪ ▪
Loss of off-site power Loss of feed water Break of one primary tube with the diameter of 65 mm Break of one primary tube with the diameter of 10 mm Double-ended guillotine break of a SG heating tube
Primary circuit depressurization Water ingress
(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) Fig. 2. Fuel temperature during DLOFC accident.
(1) (2) (3) (4) (5) (6)
Loss of off-site power ATWS Loss of feed water ATWS Inadvertent withdrawal of one control rod ATWS Pebble bed densification due to OBE ATWS Loss of feed water together with failure of closing blower flap Double-ended guillotine break of one SG heating tube together with failure of SG emergency drainage Double-ended guillotine break of one SG heating tube together with failure of two safety valves Break of one primary tube together with complete failure of RCCS Inadvertent withdrawal of one control rod together with complete failure of RCCS Air ingress caused by the simultaneous rupture of the fuel charging tube and fuel discharging tube
3. Accident behavior of the HTR-PM
Reactivity accident Main heat transfer system malfunction Primary circuit depressurization Water ingress Air ingress ATWS
The HTR-PM has the following design characteristics: large negative temperature feedback coefficient, large temperature rise margin between the operating temperature and temperature limitation, low power density, large heat capacity, passive decay heat removal mechanism. A series of in-depth analyses indicate, that above design features can effectively exclude early fast and unacceptable transients. Analysis also shows that all accidents of the HTR-PM can be divided into several categories, each with similar phenomena or same mitigation measures.
Table 3 lists the typical and representative DBAs of the HTR-PM, which have been analyzed during the licensing process (PSAR, 2008; FSAR, 2015). Other accidents, e.g., increase in feed water flow, turbine trip, loss of condenser vacuum, inadvertent opening of a safety valve, and so on, have also been studied. It is proved that their consequences can be enveloped by the accidents listed in the Table 3. Typical BDBAs analyzed for the HTR-PM include:
a) DBA: DLOFC accident DLOFC accident is a typical DBA and receives high attention, because it will result in the higher maximum fuel temperature
Fig. 3. Primary pressure during DLOFC accident. 4
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 4. Fuel temperature during PLOFC accident.
Fig. 5. Primary pressure during PLOFC accident.
introduction. Above inherent safety design guarantees, that in ATWS accident, reactor can shut itself down safely without causing any unacceptable consequence. e) BDBA: air ingress accident Air ingress accident, which will result in the corrosion of the graphite as well as the production of the carbon monoxide and carbon dioxide, is the subsequence of simultaneous rupture of more than one connecting pipe of the RPV. As water ingress accident, air ingress accident is also a typical accident of the HTGR and receives high attention. f) BDBA: water ingress accident Typical BDBAs of water ingress, for example, simultaneous break of two or more SG heating tubes, or double-ended guillotine break of one heating tube together with failure of SG emergency drainage, may cause more water ingress into the core. This kind of water ingress accidents happens with extremely low probability. g) BDBA: a DLOFC or PLOFC DBA together with failure of RCCS As mentioned above, in the HTR-PM, the RCCS is designed to protect the RPV and the reactor cavity, especially after reactor scram (namely fast reactor shutdown by injection of control rods and stop of helium blower). During the normal operation, partial or even
compared to other DBAs. b) DBA: PLOFC accident This type of accident includes the majority of the DBAs that do not cause the depressurization of the primary circuit or water ingress into the core. c) DBA: water ingress accident Due to the much higher pressure in the secondary circuit, the leakage or break of the SG heating tube will result in the water/ steam in the secondary circuit flowing into the primary circuit. Water ingress accident is special for the HTGR, because it may cause the introduction of the reactivity, the corrosion of the graphite, and the increase of the primary pressure. A typical DBA of water ingress is the double-ended guillotine break of one SG heating tube. d) BDBA: ATWS This type of accident receives high attention in Pressurized Water Reactor (PWR) analysis. However, in the HTR-PM, the average and maximal fuel temperature in normal operation are 600 °C and 900 °C respectively, far below the limitation of 1620 °C, and the total temperature feedback coefficient of the fuel and the moderator is about −5 × 10−5 (1/K). Therefore, in accident condition, the increase of the fuel temperature can result in the negative reactivity 5
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 6. Mass flow rate during water ingress accident.
Fig. 7. Relative fission power during water ingress accident.
3.1. DBA – DLOFC accident
complete failure of the RCCS will not affect the safety of the fuel elements, or even will not lead to the scram of the reactor. In accordance with the reactor operating procedures, the operators will try to repair the RCCS within the specified time in case system malfunction being detected. If the repair could not be completed within this specified time, the reactor should be shut down safely.
Fig. 2 shows the maximal and average fuel temperatures during a DLOFC accident, break of one primary tube with the diameter of 65 mm. In this accident, the primary coolant will be discharged to the reactor cavity rapidly (as shown in Fig. 3). Then a rupture disk installed before the pressure relief pipeline connecting the reactor cavity and the environment will rupture due to the higher pressure in the cavity, and the gas mixture in the cavity will be released to the environment without being filtered. Later, an isolation valve before this rupture disk will be closed after the pressures in the primary circuit, reactor cavity and environment reach a balance, and the gas in the cavity will again be released to the environment after being filtered. Besides, it is assumed that about 800 kg graphite dust will be generated and deposited during the total 40 years of plant lifetime. During a DLOFC accident only about 1/500 of these deposited dust source will be remobilized and released. After the depressurization, there is only about one bar residual helium in the primary circuit, which means, the decay heat in the core is transferred from the fuel elements to the RPV mainly via radiation and heat conductivity, and the natural convection in the core only plays a
However, if the reactor scram has happened due to a certain DBA, at the same time the RCCS partially or completely fails, which is the BDBA with extremely low probability, the safety of the RPV and the reactor cavity will be jeopardized. h) BDBA: other DLOFC or PLOFC accidents This type of accident includes the BDBAs that do not cause water ingress or air ingress into the core, or do not happen together with the failure of CR system or RCCS, for example, loss of feed water together with failure of closing blower flap, one control rod withdrawal together with operational basis earthquake (OBE). Besides, some accident scenarios are excluded by truncation probability (e.g. > 10−8 per reactor year), engineering judgment and operational experience. Some representative analysis results are presented below. 6
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 8. Fuel temperature during water ingress accident.
Fig. 9. Primary pressure during water ingress accident.
natural convection will come into being due to the large temperature difference in the core and the high-density helium in the primary circuit, which can effectively enhance the heat transfer and cooling of the core. Therefore, the maximal fuel temperatures and average fuel temperatures during the PLOFC accident are much lower compared to those in the DLOFC accidents. The peak value of the maximal fuel temperature is less than 1100 °C, far below the limitation of 1620 °C. The heat accumulated in the reactor core will also result in the temperature increase and pressure increase of the helium coolant. It can be seen from the Fig. 5 that during the accident, the primary pressure remains below 7.9 MPa, and the safety valve would not open. Large numbers of analysis results show that the accident phenomena in most DBAs, except the DLOFC accident and water ingress accident, are very similar, especially the long-term fuel temperature and primary pressure changes. This can be explained by the inherent safety design of the HTR-PM, e.g. large negative temperature feedback coefficient, large temperature rise margin between the operating temperature and temperature limitation, low power density, large heat capacity, and so on.
very small role. After reactor shutdown, the fuel temperatures start to increase due to the decay heat. With the increasing RPV temperature, the heat transferred to the RCCS will increase and eventually exceed the decreasing decay heat. Therefore, the fuel temperatures will begin to decrease later. About 20 ~ 30 h later, the maximal fuel temperature is predicted to reach a peak value around 1500 °C. Considering the uncertainty, there is a high degree of confidence that this peak value would not exceed the fuel temperature limitation of 1620 °C. The average fuel temperature will reach the peak value more lately. Due to the low radioactivity in the primary circuit, even all the coolant is discharged to the environment the release of radioactive materials can be maintained below the limitation (FSAR, 2015). 3.2. DBA – PLOFC accident Fig. 4 shows the maximal and average fuel temperatures during a typical PLOFC accident, inadvertent withdrawal of one control rod, while Fig. 5 shows the primary pressure during the accident. After reactor scram, the fuel temperature will increase due to the loss of forced cooling. However, in the PLOFC accident, a significant 7
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
tank (FSAR, 2010; Yanhua et al., 2010). After SG emergency drainage, this 400 kg steam remained in the SG only can diffuse into the core very slowly because the blower is stop and the steam generator pressure vessel (SGPV) is placed below the RPV. Conservatively assumed that total 600 kg steam enters the primary circuit in 2 min with a mass flow rate of 5 kg/s, Figs. 7–9 show the analysis results. Increasing water vapor content in the core will introduce positive reactivity, resulting in a nuclear power increase. However, the power will soon decrease via the negative temperature feedback and drop of control rods, as shown in Fig. 7. Because of the large heat capacity in the core, the fuel temperature curves are similar as those in other PLOFC accidents (as shown in Figs. 4 and 8). However, the partial pressure of the water vapor and the chemical reaction products will result in faster pressure increase compared to other PLOFC accidents (as shown in Figs. 5 and 9), and the safety valve may open if the function of helium purification and pressure regulation are not taken into account. With the open of the safety valve, a part of the helium will be discharged and flow into the atmosphere after being filtered. Even conservatively assumed that the helium flows out of the containment without being filtered, the release of the radioactive materials is still below the limitation. Actually, in such DBAs or even some BDBAs, the large amount of steam in the SG will diffuse into the primary circuit very slowly. Therefore, there may be no release of the helium and the radioactive materials. After reactor shutdown, the operators can assess the reactor status and activate the helium purification system (the stand-by accident purification line) to remove the steam from the primary circuit in accordance with the procedures. Fig. 10. Relative fission power during ATWS accident.
3.4. BDBA – ATWS accident Figs. 10–12 show the analysis results of one control rod withdrawal ATWS accident. In the HTR-PM, when an accident is detected, the most important and the only necessary protective action is to close the blower. With loss of forced cooling, the reactor core can shut itself down via the temperature increase and the consequent negative temperature feedback, even all the control rods fail to drop, as shown in Fig. 10a). In this accident, the second shutdown system (SAS system) can be used to introduce negative reactivity and the reactor can remain subcritical. The fuel temperature and primary pressure will begin to decrease slowly after a period of increasing (Figs. 11 and 12). If the second shutdown system also fails, which would happen with very, very low probability, the reactor will be critical again at approximately 30 h later due to the decreasing Xenon concentration. It can be seen from the Fig. 10b) that due to the negative temperature feedback caused by the again increasing fuel temperature (Fig. 11) the reactor power is kept at a very low level of less than 0.5% rated power after several damped oscillations. The primary pressure may reach the set point of the first safety valve if the pressure regulation is not taken into account (Fig. 12). However, during the accident, the fuel temperatures remain below the limitation and the release of the radioactive materials is limited. Analysis results prove that in the HTR-PM, the slow accident transient gives the operators enough time to repair the control rod system or launch the SAS system. ATWS accident would not cause any unacceptable consequence.
Fig. 11. Fuel temperature during ATWS accident.
3.3. DBA – water ingress accident The most serious water ingress DBA is the double-ended guillotine break of one SG heating tube. After the break of one SG heating tube, at the first stage, less than 200 kg steam may flow into the primary circuit due to the much higher pressure in the secondary circuit. Fig. 6 shows the water ingress flow rates at the first stage when break occurs at the inlet or outlet of the tube. After the pressures of the primary circuit and secondary circuit reach balance, about 400 kg steam is remained in the SG, and in the feed-water line and live-steam line between the isolation valves. More than 3000 kg water/steam is discharged into the drainage
3.5. BDBA – air ingress accident A typical air ingress accident of the HTR-PM is the simultaneous rupture of the fuel charging tube and fuel discharging tube, which are both connected to the reactor pressure boundary. After the quick depressurization, the colder air in the fuel handling compartment will be 8
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 12. Primary pressure during ATWS accident.
Fig. 13. Natural convection flow rate during air ingress accident.
the coated particles will not occur in a relatively long time of about several days. Therefore, there is enough time for the operators to assess the accident and then to execute some mitigation measures, for example, plugging the broken pipe or injecting gases, which would not react with the graphite, to deter the air from continuously entering the core.
sucked into the hotter core through the lower discharging pipe and then flow out from the upper charging pipe, due to the so-called chimney effect. The probability of this kind of air ingress accident is below 1 × 10−10 per reactor year (Yanhua et al., 2010). After the depressurization of the primary circuit, the fuel handling compartment, where the discharging tube breaks and in normal operation it is filled with cold air, will be filled with gas mixture of helium and air, among which the air might occupy less than 20% mole ratio. Assumed a gas mixture of 200 °C consisting of 20% air and 80% helium in the compartment, the calculation result of the mass flow rate at the inlet is shown in Fig. 13. The corresponding mass flow rate of the oxygen is only about 0.02 mol/s. The total mass of the graphite being corroded during the accident is shown in Fig. 14 (Zhipeng et al., 2017). Each modular reactor of the HTR-PM consists of more than 80 t fuel elements and 250 t graphite reflectors. Besides, for each fuel element with the diameter of 6 cm, there exists an outer protective graphite shell with a thickness of 0.5 cm, also called as fuel-free zone. Therefore, the analysis result indicates that, in the first several days, only very little part of the graphite will be corroded. The slow air ingress and slow corrosion mean that the exposure of
3.6. BDBA – break of one primary tube together with complete failure of RCCS The RCCS of the HTR-PM is designed as three independent trains with 3 × 50% heat removal capability, which means after reactor scram, two available trains can keep the RPV and cavity concrete safe. Due to the inherent safety design of the HTR-PM, the decay heat can be transferred from the core to the RPV via the heat conductivity, radiation and natural convection after reactor shutdown. Therefore, even the RCCS fails completely the fuel temperature can still keep below the limitation of 1620 °C. However, if two or three trains fail, the decay heat could not be successfully transferred from the RPV to the environment, which will threaten the integrity of the RPV. Fig. 15 shows the maximal RPV temperature during the accident of 9
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 14. Total graphite corrosion during air ingress accident.
Fig. 15. Maximal RPV temperature during a DLOFC together with complete failure of RCCS accident. Table 4 Measures and off-site sources considered in BAMGs of the HTR-PM. Off-site source Nitrogen Diesel generator Container for fuel elements
Description of accident and mitigation measure Air ingress: nitrogen injection is used to prevent air ingress and on-site nitrogen source is used up Loss of all power supply, including on-site diesel generators and batteries Long-term failure of two shutdown system, fuel elements need to be discharged
the limitation of 1620 °C and the release of the radioactive materials is very limited, meeting the evaluation criteria shown in Table 2. Furthermore, the use of TRISO particle fuel element can ensure in a HTGR nuclear power plant there is no core meltdown or severe accident. In addition, after reactor scram, the operators can easily diagnose what kind of accident happens by its specific phenomena or parameters, for example, the primary pressure, the humidity of the primary circuit, the RPV temperature, the working parameters of the RCCS, and so on. Besides, the slow transient can leave operators enough time to take measures.
one primary tube break together with complete failure of RCCS. The complete failure of the RCCS would result in the continuous increase of the RPV temperature in a long time. However, it can be seen that the heat up of the RPV is also a very slow process and there is enough time for the operators to execute some mitigation measures, for example, repairing the RCCS or re-establishing the forced cooling in the primary circuit. Besides, in unpressurized condition, the RPV can keep integrity under higher temperature, therefore primary pressure relief also can be used as a mitigation method. The above analyses indicate that a reasonable design can guarantee the inherent safety of the HTGR. In all the DBAs, as well in the selected BDBAs, which are with relatively high occurrence probability or considered as important for the HTR-PM, the fuel temperature keeps below 10
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
4. Discussion on the accident management of the HTR-PM
mitigation measures. (4) According to the inherent safety of the HTR-PM, EEOPs are developed for operators to deal with all DBAs and most of the BDBAs. BAMGs are only developed for few particular BDBAs when off-site equipment or resource is needed several days later. Compared to the SAMGs, the BAMGs of the HTR-PM are very simple, which might be incorporated into EEOPs in the future.
As a nuclear power plant, accident management must be considered and operating procedures need to be established for the operators, for example, SAMG is now required by licensing authorities in many countries. Based on the design and analysis of the HTR-PM, and also referring to the experience from PWR nuclear power plant, the Extended Emergency Operational Procedures (EEOP) and Beyond design basis accident Additional Mitigation Guideline (BAMG) have been developed for the HTR-PM operators. The EEOPs can deal with all DBAs and most of the BDBAs, especially in the early stages of the accident, and operators in the main control room (MCR) are the responsible personnel. The BAMGs will be initiated and experts from the technical support center (TSC) will become responsible only when the off-site equipment or resource should be used to mitigate the consequence. It also need to be indicated that, the BAMG only gets involved in several particular BDBAs and it might be used some days after the accident happening. The BAMG is somewhat similar to the SAMG of the PWR but simpler than it is. Table 4 lists the mitigation measures and the possible off-site sources currently being considered in the BAMGs of the HTR-PM. The research also shows that the systems and apparatuses involved in the accident management of the HTR-PM are much less than what are used in the PWR, which can significantly minify the workload of the operators. Once an accident has been detected and reactor is shut down, only several parameters need to be monitored to confirm the safety of the reactor, including the reactor power, the primary pressure, the RPV temperature, the working parameters of the RCCS, and so on. Besides, the system, equipment and instrumentation, which are designed for the normal operation and DBAs, also can be used for the BDBAs, and no additional equipment and instrumentation need to be designed for the BDBAs. Besides, because the heating-up process of the core is very slow, the operators have enough time to take measures mitigating the accident consequence. According to the above analysis, the designers of the HTR-PM consider it would be possible for the future HTGR nuclear power plant that the BAMGs also can be incorporated into the EEOPs. SAMG or BAMG may not be necessary for the HTGR.
As one of the candidates for the Generation IV nuclear energy system, the study and discussion on the accident behavior and especially the accident management are important and necessary for the further development of the HTGR. The design and review of the HTRPM have accumulated rich experience. Chinese regulatory authorities are now working with some research institutes on the research and development of the HTGR regulations and guidelines. The work introduced in this paper can provide preliminary reference for the further study. Further work, including more discussion and international cooperation would also be expected. CRediT authorship contribution statement Chen Zhipeng: Writing - review & editing. Wang Yan: . : Writing review & editing. Zheng Yanhua: Writing - original draft, Conceptualization. Acknowledgment This research is supported by Ministry of Science and Technology of the People's Republic of China, National S&T Major Project ZX06901 and ZX06902. References FSAR, 2015. (Final Safety Analysis Report) of HTR-PM, INET, Tsinghua University. Fuel performance and fission product behavior in gas cooled reactor. IAEA-TECDOC-978 (ISSN 1011-4289), IAEA, VIENNA, 1997. IAEA Safety Standards. Safety of nuclear power plants: design. Specific Safety Requirements, No. SSR-2/1, 2016. Lohnert, G.H., 1992. The consequences of water ingress into the primary circuit of a HTRModule-from design basis accident to hypothetical postulates. Nucl. Eng. Des. 134, 159–176. PSAR, 2008. (Preliminary Safety Analysis Report) of HTR-PM, INET, Tsinghua University. Recommendation of the reactor safety commission on the safety concept of a HighTemperature Modular Power Plant. In: 250th meeting of the reactor safety commission, Germany, January 24, 1990. Yanhua, Zheng, Lei, Shi, Yan, Wang, 2010. Water-ingress analysis for the 200 MWe pebble-bed modular high temperature gas-cooled reactor. Nucl. Eng. Des. 240, 3095–3107. Zhang, Z., et al., 2007. Economic potential of modular reactor nuclear power plants based on the Chinese HTR-PM project. Nucl. Eng. Des. 237, 2265–2274. Zhang, Z.Y., Wu, Z.X., Wang, D.Z., Xu, Y.H., Sun, Y.L., Li, F., Dong, Y.J., 2009. Current status and technical description of the Chinese 2×250MWth HTR-PM demonstration plant. Nucl. Eng. Des. 239, 1212. Zheng, Yanhua, Shi, Lei, Dong, Yujie, 2009. Thermohydraulic transient studies of the Chinese 200 MWe HTR-PM for loss of forced cooling accidents. Ann. Nucl. Energy 36, 742–751. Zhipeng, Chen, et al., 2017. Air ingress analysis of chimney effect in the 200 MWe pebblebed modular high temperature gas cooled reactor. Ann. Nucl. Energy 106, 143–153.
5. Summary and further work Based on the design of the HTR-PM, the accident behavior of its typical DBAs and BDBAs has been analyzed and introduced in this paper. The accident management is also discussed. The accident behaviors and the accident management of the HTR-PM are summarized as following: (1) Adoption of the TRISO particle fuel element and reasonable design can guarantee the inherent safety feature of the HTGR. (2) Accident analyses of the HTR-PM prove that the maximum fuel temperature and release of the radioactive materials in all the DBAs can keep below the limitation. (3) Even in the BDBAs with extremely low probability, there is enough time (more than several days) for the operators to execute
11
Contents lists available at ScienceDirect
Nuclear Engineering and Design journal homepage: www.elsevier.com/locate/nucengdes
Discussion on the accident behavior and accident management of the HTGR Zhipeng Chen, Yan Wang, Yanhua Zheng
⁎
T
Institute of Nuclear and New Energy Technology, Collaborative Innovation Center of Advanced Nuclear Energy Technology, Key Laboratory of Advanced Reactor Engineering and Safety of Ministry of Education, Tsinghua University, Beijing 100084, China
A R T I C LE I N FO
A B S T R A C T
Keywords: High Temperature gas-cooled Reactor Pebblebed Modular (HTR-PM) Inherent safety Accident analysis Accident management EEOP BAMG
High Temperature Gas-cooled Reactor (HTGR), which plays an important role in the worldwide development of Generation-IV nuclear energy technology, is well-known for the high safety, high efficiency and process heat application. A commercial-scale 200 MWe High Temperature gas-cooled Reactor Pebble-bed Module (HTR-PM) has been designed and is now under construction in Shandong Province, China. Most of the construction and installation work have been finished and the connection to the electric grid will be expected in the end of 2020. In this paper, the reactor behaviors of the HTR-PM during the typical design basis accidents (DBAs) and beyond design basis accidents (BDBAs) have been introduced. In the DBAs, the maximum fuel temperature will never exceed its design limitation of 1620 °C, below which under the design burn-up the “Tristructural-isotropic” (TRISO) coated particles can effectively retain their fission-product inventory. Even in the typical BDBAs with extremely low probability, there is enough time, e.g. several days, to adopt appropriate measures to mitigate the consequence, so that the large release of the radioactive materials would not happen. Accident management is important for the nuclear power plant. Besides, After the Fukushima Dai-ichi nuclear accident, in the worldwide, people are more concerned about the severe accident management of the nuclear power plant, and some standards and guidelines are issued. Based on the accident analyses of the HTR-PM, its accident management is studied and discussed. The designers believe that the accident management procedures can be simplified and no offsite emergency measures are needed for the HTR-PM due to the inherent safety design. Compared to the other types of the nuclear power plant, e.g. the Pressurized-Water Reactor (PWR) power plant, the Severe Accident Management Guideline (SAMG) can be simplified or even unnecessary for the HTRPM. Above work also can provide reference for the further study on the safety regulations, standards or guidelines for the design, operation and accident management of the HTGR.
1. Introduction Accident analysis and accident management are important for all nuclear power plants. Besides, after the Fukushima Dai-ichi nuclear accident, the severe accident gains more and more attention in the nuclear industry and the regulatory body. For example, according to the policy of the regulatory body in China the Severe Accident Management Guideline (SAMG) is required for all nuclear power plants. High Temperature Gas-cooled Reactor (HGTR) with well-known safety features has been selected as one of the candidates for the Generation IV nuclear energy system and can be widely used for power generation, heat supply and technology heat utilization. A commercialscale 200 MWe High Temperature gas-cooled Reactor Pebble-bed Module project (HTR-PM) has been designed and is now under construction in China (Zhang, 2007; Zhang et al., 2009).
⁎
During the design and analysis of the HTR-PM, the nuclear safety regulations issued by Chinese government were followed, while relevant IAEA and NRC regulations, standards and guidelines were referred to. Since the HTGR is quite different from the Water Reactor in design philosophy and accident characteristics, during the licensing process, hard discussion has been carried out on accident analysis and accident management, and finally a consensus was reached and fruitful results were obtained. In this paper, the typical Design Basis Accident (DBA) scenarios and Beyond Design Basis Accident (BDBA) scenarios of the HTR-PM have been analyzed. Based on the accident behaviors of HTR-PM, its accident management is discussed. It can be expected that the accident management of the HTGR with the inherent safety design could be significantly simplified compared to the current generation II and generation III nuclear power plants.
Corresponding author. E-mail address: [email protected] (Z. Yanhua).
https://doi.org/10.1016/j.nucengdes.2019.110497 Received 21 March 2019; Received in revised form 19 December 2019; Accepted 19 December 2019 0029-5493/ © 2019 Elsevier B.V. All rights reserved.
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Some important engineered safety systems and typical accident scenarios of the HTR-PM are introduced in section II. Section III presents some calculation results for the typical DBAs and BDBAs. The accident management of the HTGR is discussed in section IV. Finally, section V presents the summary and the further work that need to be carried out in the future. What need to be pointed out in particular is that this set of BDBAs are derived by the combination of deterministic assessments, probabilistic assessments and engineering judgment. The selection, analysis and evaluation of these BDBAs follow the philosophy, which is introduced in the IAEA standards (IAEA, 2016) for the Design extension conditions (DEC)1. 2. HTR-Pm The HTR-PM nuclear power plant consists of two pebble-bed modular reactors, which are connected to a single steam-turbine generator for a combined power of 500 MWt and an electrical generating efficiency of about 42%. The primary circuit of the HTR-PM is shown in Fig. 1, while the general design parameters are listed in Table 1. In each modular, the reactor core is a packed bed of 11 m average height and a diameter of 3.0 m, holding roughly 420,000 spherical fuel elements with a diameter of 6.0 cm once the core achieves an equilibrium state. For each fuel element, approximate 12,000 “Tristructuralisotropic (TRISO)” coated fuel particles of 0.92 mm diameter are scattered in the inner graphite matrix with a diameter of 5.0 cm to form the fuel zone, while the outer zone is a fuel-free matrix graphite shell. According to the enrichment of fresh fuel element used in the HTRPM, as well as the design burn-up, the temperature limitation of the HTR-PM fuel elements during DBAs is set at 1620 °C, below which the fission-product-retention capability of the TRISO particles can be well guaranteed (IAEA, 1997; Recommendation of the reactor safety commission on the safety concept of a High-Temperature Modular Power Plant, 1990; Zheng et al., 2009). Due to the excellent fission-product-retention capability of the TRISO particles, during the normal operation, the radioactivity in the primary circuit is maintained at very low levels. It is necessary to point out that the large heat capacity of several hundred tons of graphite, which is the main material of the fuel element, reflector and carbon brick, can effectively limit the temperature increase rate during the accidents. Besides, the thermal decomposition of the SiC layer of the TRISO particle can be obviously detected only when its temperature reaches 2100 °C, and the fusion point of the graphite is much higher than 3000 °C. In the HTR-PM, two independent shutdown systems, the control rod system and the Small Absorber Sphere (SAS) system, are designed and installed in the side graphite reflectors.
Fig. 1. Cross-section of the HTR-PM reactor. 1 reactor core; 2 side reflector and carbon shield; 3 core barrel; 4 reactor pressure vessel; 5 steam generator; 6 steam generator vessel; 7 coaxial hot-gas duct; 8 water-cooling panel; 9 blower; 10 fuel discharging tube; 11 control rod driving system; 12 small absorber sphere unit; 13 fuel charging tube. Table 1 Main design parameters of the HTR-PM.
2.1. Engineered safety system Some important engineered safety systems are introduced below. (1) Primary pressure release system In the HTR-PM, the design pressure of the RPV is 8.1 MPa, and the pressure limit under Anticipated Operational Occurrence (AOO) is 110% of the design value. The primary pressure release system is designed as a two-fold redundancy to protect the reactor pressure boundary from overpressure. The set points of the two safety valves are 7.9 MPa and 8.4 MPa respectively, while the discharge flow rates are about 0.17 kg/s and 1 During the licensing process of the HTR-PM, “BDBA” is still used in Chinese regulations. In the future, with the issue of the new regulations, standards and guidelines following IAEA, it will be replaced by “DEC”.
2
Parameter
Value
Reactor total thermal power, MWt Rated electrical power, MWe Average core power density, MW/m3 Net electrical efficiency, % Primary helium pressure, MPa He temperature at reactor inlet/outlet, °C Primary helium flow rate, kg/s Core main flow rate, kg/s Heavy metal loading per fuel element, g Enrichment of fresh fuel element (for the equilibrium core), % Active core diameter, m Equivalent active core height, m Diameter of the RPV, m Number of fuel elements in one module Number of fuel passages through the core Average burn-up, GWd/tU Main life steam pressure, MPa Main life steam temperature, °C Main feed water temperature, °C
2 × 250 210 3.22 42 7 250/750 96 ≥86.4 7 8.5 3 11 ~6.0 420,000 15 90 13.9 571 205
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
environment, so as to prevent the large release of the radioactive materials. According to the design of the HTR-PM, if a small DLOFC accident happens, for example, a tube with the diameter less than 10 mm breaks, the gas mixture in the containment will be released after being filtered. However, for a large DLOFC accident, which means a tube with the diameter larger than 10 mm breaks, there exists a short time unfiltered release. The details will also be introduced in Section 3.1. The VLPC is a special structure of the HTR-PM based on the inherent safety design.
11.7 kg/s respectively. Both safety valves are expected to close again once the primary pressure has reached the value of 6.9 MPa. (2) Reactor Cavity Cooling System (RCCS) In the HTR-PM, the RCCS (Zheng et al., 2009) is designed as a passive system to remove the heat from the reactor pressure vessel (RPV) and reactor cavity to the final heat sink – the atmosphere in normal and accident conditions, ensuring the thermal integrity of the RPV and the cavity concrete. The water-cooling panel, placed on the inner surface of the reactor cavity concrete, mainly consists of a cylindrical plate and vertical cooling tubes uniformly welded on the plate. In accident condition, after scram of the reactor and stop of the forced circulation, the decay heat can be transferred from the core to the RPV mainly by heat conduction, and then from the RPV to the water-cooling panel by radiation and natural convection. Therefore, the water in the tubes will be heated up forming the natural circulation and flow upwards to the air-cooling tower, where the heat can be finally transferred to the atmosphere. (3) Reactor Pressure Vessel support cooling system Besides, the RPV support cooling system is also designed as a passive system, which can guarantee the temperature of the concrete near the RPV support below the limitation, even in the BDBA of the complete failure of the RCCS.
(7) Helium purification system The helium purification system is designed to purify the primary coolant to specified values by removing chemical impurities (H2O, O2, CO, CO2, N2, H2, CH4, etc.), as well as regulate the helium inventory and thereby control the primary pressure. In water ingress accident, after the reactor scram, a stand-by accident purification line, which is specially designed with water separator and serves both modules, can start up to remove the superfluous water, as well as cool down the hot core, so as to effectively mitigate the accident. In HTR-PM, most systems and components are designed to work independently, which means one system or component only serves one reactor. Few systems or components are used by both reactors. For example, in helium purification system, there are two normal purification lines, each serves one reactor. However, only one accident purification line is designed and serves both reactors.
The design capacity of the RPV support cooling system is 23 kW, which can guarantee that during the normal operation the temperature of the mass concrete near the RPV is below 65 °C. While in abnormal condition, the temperature of mass concrete is below 90 °C.
2.2. Protection system
(4) Secondary circuit isolation system Two feed-water isolation valves, as well as two live-steam isolation valves, are installed on the feed-water line and the live-steam line respectively. In accident condition, these valves will close automatically soon after the accident is detected and the protective actions are triggered. (5) Steam Generator (SG) emergency drainage system The SG emergency drainage system is specially designed for the water ingress accident. High attention has been paid to the water ingress phenomenon because it is one of the most particular and important accident types for the HTGR (Lohnert, 1992). An airtight drainage tank, installed inside the reactor building below the SG, is connected to the feed-water line via two parallel and independent relief lines. In each relief line, there are two relief valves. The large content of the steam and water between the feed-water isolation valves and the live-steam isolation valves can be discharged to the tank within 60 s if the high humidity in the primary circuit is detected and the relief valves is open, so as to reduce the water ingress amount to the primary circuit. The relief valves will close again when the pressures of primary circuit and secondary circuit reach balance.
During the normal operation, if any accident is detected by the protection system, protective actions will be executed immediately, including: ▪ Dropping of control rods ▪ Shutdown of blower and close of blower flap ▪ Isolation of secondary circuit Besides, if a DLOFC accident is detected by high pressure sliding rate (absolute value) of the primary circuit, the isolation of primary circuit will also be executed. The highly reliable and redundant humidity sensors in the primary circuit can detect the water ingress accident and the SG emergency drainage will start immediately. For the BDBA of Anticipated Transient Without Scram (ATWS), the SASs will be dropped to introduce the negative reactivity in case that the drop of control rods fails and the malfunction cannot be repaired in a short time.
2.3. Typical accident scenarios Table 2 lists the classification of the plant states, as well as their frequencies and evaluation criteria. Typical accident scenarios of the HTR-PM include:
The drainage tank, designed with sufficient volume, is pre-filled with a small amount of cold water. The high temperature steam and water discharged into the tank can be cooled down with the temperature and pressure below the design limitation of the tank.
Table 2 Classification of the HTR-PM plant states.
(6) Ventilated low pressure containment (VLPC) Compared to the airtight confinement, a VLPC is used in the HTRPM. In normal operation, a negative pressure (50 Pa below the atmospheric pressure) is kept in the containment. The air in the containment is released to the environment through a stack after being filtered. Besides, an accident negative pressure ventilation system is designed to filter the gas in the containment, for example after a Depressurized Loss of Forced Cooling (DLOFC) accident, before it is released to the
Category
AOO
DBA1
BDBA2
Frequency (/module/year) Evaluation criterion
> 10−2
10−2 ~ 10−4
10−4~10−6
< 10−6
0.25 mSv (/plant/year)
5 mSv
10 mSv
< 10−6
1The DBA is evaluated with the “off-site individual effective dose” at the site boundary in a single accident. 2A trial risk metric is recommended by the HTR-PM safety review principles: “The cumulative frequency of all the beyond design basis accident sequences which may cause the off-site (including site boundaries) individual effective dose exceeding 50 mSv should be less than 1E−6/RY”. 3
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Table 3 Typical DBAs analyzed for the HTR-PM. Reactivity accident
▪ ▪ ▪ ▪ ▪
Inadvertent withdrawal of one control rod in normal operation Inadvertent withdrawal of one control rod from low power condition Inadvertent withdrawal of one control rod from a subcritical condition Pebble bed densification due to OBE (operating basis earthquake) Inadvertent acceleration of main helium blower
Main heat transfer system malfunction
▪ ▪ ▪ ▪ ▪
Loss of off-site power Loss of feed water Break of one primary tube with the diameter of 65 mm Break of one primary tube with the diameter of 10 mm Double-ended guillotine break of a SG heating tube
Primary circuit depressurization Water ingress
(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) Fig. 2. Fuel temperature during DLOFC accident.
(1) (2) (3) (4) (5) (6)
Loss of off-site power ATWS Loss of feed water ATWS Inadvertent withdrawal of one control rod ATWS Pebble bed densification due to OBE ATWS Loss of feed water together with failure of closing blower flap Double-ended guillotine break of one SG heating tube together with failure of SG emergency drainage Double-ended guillotine break of one SG heating tube together with failure of two safety valves Break of one primary tube together with complete failure of RCCS Inadvertent withdrawal of one control rod together with complete failure of RCCS Air ingress caused by the simultaneous rupture of the fuel charging tube and fuel discharging tube
3. Accident behavior of the HTR-PM
Reactivity accident Main heat transfer system malfunction Primary circuit depressurization Water ingress Air ingress ATWS
The HTR-PM has the following design characteristics: large negative temperature feedback coefficient, large temperature rise margin between the operating temperature and temperature limitation, low power density, large heat capacity, passive decay heat removal mechanism. A series of in-depth analyses indicate, that above design features can effectively exclude early fast and unacceptable transients. Analysis also shows that all accidents of the HTR-PM can be divided into several categories, each with similar phenomena or same mitigation measures.
Table 3 lists the typical and representative DBAs of the HTR-PM, which have been analyzed during the licensing process (PSAR, 2008; FSAR, 2015). Other accidents, e.g., increase in feed water flow, turbine trip, loss of condenser vacuum, inadvertent opening of a safety valve, and so on, have also been studied. It is proved that their consequences can be enveloped by the accidents listed in the Table 3. Typical BDBAs analyzed for the HTR-PM include:
a) DBA: DLOFC accident DLOFC accident is a typical DBA and receives high attention, because it will result in the higher maximum fuel temperature
Fig. 3. Primary pressure during DLOFC accident. 4
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 4. Fuel temperature during PLOFC accident.
Fig. 5. Primary pressure during PLOFC accident.
introduction. Above inherent safety design guarantees, that in ATWS accident, reactor can shut itself down safely without causing any unacceptable consequence. e) BDBA: air ingress accident Air ingress accident, which will result in the corrosion of the graphite as well as the production of the carbon monoxide and carbon dioxide, is the subsequence of simultaneous rupture of more than one connecting pipe of the RPV. As water ingress accident, air ingress accident is also a typical accident of the HTGR and receives high attention. f) BDBA: water ingress accident Typical BDBAs of water ingress, for example, simultaneous break of two or more SG heating tubes, or double-ended guillotine break of one heating tube together with failure of SG emergency drainage, may cause more water ingress into the core. This kind of water ingress accidents happens with extremely low probability. g) BDBA: a DLOFC or PLOFC DBA together with failure of RCCS As mentioned above, in the HTR-PM, the RCCS is designed to protect the RPV and the reactor cavity, especially after reactor scram (namely fast reactor shutdown by injection of control rods and stop of helium blower). During the normal operation, partial or even
compared to other DBAs. b) DBA: PLOFC accident This type of accident includes the majority of the DBAs that do not cause the depressurization of the primary circuit or water ingress into the core. c) DBA: water ingress accident Due to the much higher pressure in the secondary circuit, the leakage or break of the SG heating tube will result in the water/ steam in the secondary circuit flowing into the primary circuit. Water ingress accident is special for the HTGR, because it may cause the introduction of the reactivity, the corrosion of the graphite, and the increase of the primary pressure. A typical DBA of water ingress is the double-ended guillotine break of one SG heating tube. d) BDBA: ATWS This type of accident receives high attention in Pressurized Water Reactor (PWR) analysis. However, in the HTR-PM, the average and maximal fuel temperature in normal operation are 600 °C and 900 °C respectively, far below the limitation of 1620 °C, and the total temperature feedback coefficient of the fuel and the moderator is about −5 × 10−5 (1/K). Therefore, in accident condition, the increase of the fuel temperature can result in the negative reactivity 5
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 6. Mass flow rate during water ingress accident.
Fig. 7. Relative fission power during water ingress accident.
3.1. DBA – DLOFC accident
complete failure of the RCCS will not affect the safety of the fuel elements, or even will not lead to the scram of the reactor. In accordance with the reactor operating procedures, the operators will try to repair the RCCS within the specified time in case system malfunction being detected. If the repair could not be completed within this specified time, the reactor should be shut down safely.
Fig. 2 shows the maximal and average fuel temperatures during a DLOFC accident, break of one primary tube with the diameter of 65 mm. In this accident, the primary coolant will be discharged to the reactor cavity rapidly (as shown in Fig. 3). Then a rupture disk installed before the pressure relief pipeline connecting the reactor cavity and the environment will rupture due to the higher pressure in the cavity, and the gas mixture in the cavity will be released to the environment without being filtered. Later, an isolation valve before this rupture disk will be closed after the pressures in the primary circuit, reactor cavity and environment reach a balance, and the gas in the cavity will again be released to the environment after being filtered. Besides, it is assumed that about 800 kg graphite dust will be generated and deposited during the total 40 years of plant lifetime. During a DLOFC accident only about 1/500 of these deposited dust source will be remobilized and released. After the depressurization, there is only about one bar residual helium in the primary circuit, which means, the decay heat in the core is transferred from the fuel elements to the RPV mainly via radiation and heat conductivity, and the natural convection in the core only plays a
However, if the reactor scram has happened due to a certain DBA, at the same time the RCCS partially or completely fails, which is the BDBA with extremely low probability, the safety of the RPV and the reactor cavity will be jeopardized. h) BDBA: other DLOFC or PLOFC accidents This type of accident includes the BDBAs that do not cause water ingress or air ingress into the core, or do not happen together with the failure of CR system or RCCS, for example, loss of feed water together with failure of closing blower flap, one control rod withdrawal together with operational basis earthquake (OBE). Besides, some accident scenarios are excluded by truncation probability (e.g. > 10−8 per reactor year), engineering judgment and operational experience. Some representative analysis results are presented below. 6
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 8. Fuel temperature during water ingress accident.
Fig. 9. Primary pressure during water ingress accident.
natural convection will come into being due to the large temperature difference in the core and the high-density helium in the primary circuit, which can effectively enhance the heat transfer and cooling of the core. Therefore, the maximal fuel temperatures and average fuel temperatures during the PLOFC accident are much lower compared to those in the DLOFC accidents. The peak value of the maximal fuel temperature is less than 1100 °C, far below the limitation of 1620 °C. The heat accumulated in the reactor core will also result in the temperature increase and pressure increase of the helium coolant. It can be seen from the Fig. 5 that during the accident, the primary pressure remains below 7.9 MPa, and the safety valve would not open. Large numbers of analysis results show that the accident phenomena in most DBAs, except the DLOFC accident and water ingress accident, are very similar, especially the long-term fuel temperature and primary pressure changes. This can be explained by the inherent safety design of the HTR-PM, e.g. large negative temperature feedback coefficient, large temperature rise margin between the operating temperature and temperature limitation, low power density, large heat capacity, and so on.
very small role. After reactor shutdown, the fuel temperatures start to increase due to the decay heat. With the increasing RPV temperature, the heat transferred to the RCCS will increase and eventually exceed the decreasing decay heat. Therefore, the fuel temperatures will begin to decrease later. About 20 ~ 30 h later, the maximal fuel temperature is predicted to reach a peak value around 1500 °C. Considering the uncertainty, there is a high degree of confidence that this peak value would not exceed the fuel temperature limitation of 1620 °C. The average fuel temperature will reach the peak value more lately. Due to the low radioactivity in the primary circuit, even all the coolant is discharged to the environment the release of radioactive materials can be maintained below the limitation (FSAR, 2015). 3.2. DBA – PLOFC accident Fig. 4 shows the maximal and average fuel temperatures during a typical PLOFC accident, inadvertent withdrawal of one control rod, while Fig. 5 shows the primary pressure during the accident. After reactor scram, the fuel temperature will increase due to the loss of forced cooling. However, in the PLOFC accident, a significant 7
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
tank (FSAR, 2010; Yanhua et al., 2010). After SG emergency drainage, this 400 kg steam remained in the SG only can diffuse into the core very slowly because the blower is stop and the steam generator pressure vessel (SGPV) is placed below the RPV. Conservatively assumed that total 600 kg steam enters the primary circuit in 2 min with a mass flow rate of 5 kg/s, Figs. 7–9 show the analysis results. Increasing water vapor content in the core will introduce positive reactivity, resulting in a nuclear power increase. However, the power will soon decrease via the negative temperature feedback and drop of control rods, as shown in Fig. 7. Because of the large heat capacity in the core, the fuel temperature curves are similar as those in other PLOFC accidents (as shown in Figs. 4 and 8). However, the partial pressure of the water vapor and the chemical reaction products will result in faster pressure increase compared to other PLOFC accidents (as shown in Figs. 5 and 9), and the safety valve may open if the function of helium purification and pressure regulation are not taken into account. With the open of the safety valve, a part of the helium will be discharged and flow into the atmosphere after being filtered. Even conservatively assumed that the helium flows out of the containment without being filtered, the release of the radioactive materials is still below the limitation. Actually, in such DBAs or even some BDBAs, the large amount of steam in the SG will diffuse into the primary circuit very slowly. Therefore, there may be no release of the helium and the radioactive materials. After reactor shutdown, the operators can assess the reactor status and activate the helium purification system (the stand-by accident purification line) to remove the steam from the primary circuit in accordance with the procedures. Fig. 10. Relative fission power during ATWS accident.
3.4. BDBA – ATWS accident Figs. 10–12 show the analysis results of one control rod withdrawal ATWS accident. In the HTR-PM, when an accident is detected, the most important and the only necessary protective action is to close the blower. With loss of forced cooling, the reactor core can shut itself down via the temperature increase and the consequent negative temperature feedback, even all the control rods fail to drop, as shown in Fig. 10a). In this accident, the second shutdown system (SAS system) can be used to introduce negative reactivity and the reactor can remain subcritical. The fuel temperature and primary pressure will begin to decrease slowly after a period of increasing (Figs. 11 and 12). If the second shutdown system also fails, which would happen with very, very low probability, the reactor will be critical again at approximately 30 h later due to the decreasing Xenon concentration. It can be seen from the Fig. 10b) that due to the negative temperature feedback caused by the again increasing fuel temperature (Fig. 11) the reactor power is kept at a very low level of less than 0.5% rated power after several damped oscillations. The primary pressure may reach the set point of the first safety valve if the pressure regulation is not taken into account (Fig. 12). However, during the accident, the fuel temperatures remain below the limitation and the release of the radioactive materials is limited. Analysis results prove that in the HTR-PM, the slow accident transient gives the operators enough time to repair the control rod system or launch the SAS system. ATWS accident would not cause any unacceptable consequence.
Fig. 11. Fuel temperature during ATWS accident.
3.3. DBA – water ingress accident The most serious water ingress DBA is the double-ended guillotine break of one SG heating tube. After the break of one SG heating tube, at the first stage, less than 200 kg steam may flow into the primary circuit due to the much higher pressure in the secondary circuit. Fig. 6 shows the water ingress flow rates at the first stage when break occurs at the inlet or outlet of the tube. After the pressures of the primary circuit and secondary circuit reach balance, about 400 kg steam is remained in the SG, and in the feed-water line and live-steam line between the isolation valves. More than 3000 kg water/steam is discharged into the drainage
3.5. BDBA – air ingress accident A typical air ingress accident of the HTR-PM is the simultaneous rupture of the fuel charging tube and fuel discharging tube, which are both connected to the reactor pressure boundary. After the quick depressurization, the colder air in the fuel handling compartment will be 8
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 12. Primary pressure during ATWS accident.
Fig. 13. Natural convection flow rate during air ingress accident.
the coated particles will not occur in a relatively long time of about several days. Therefore, there is enough time for the operators to assess the accident and then to execute some mitigation measures, for example, plugging the broken pipe or injecting gases, which would not react with the graphite, to deter the air from continuously entering the core.
sucked into the hotter core through the lower discharging pipe and then flow out from the upper charging pipe, due to the so-called chimney effect. The probability of this kind of air ingress accident is below 1 × 10−10 per reactor year (Yanhua et al., 2010). After the depressurization of the primary circuit, the fuel handling compartment, where the discharging tube breaks and in normal operation it is filled with cold air, will be filled with gas mixture of helium and air, among which the air might occupy less than 20% mole ratio. Assumed a gas mixture of 200 °C consisting of 20% air and 80% helium in the compartment, the calculation result of the mass flow rate at the inlet is shown in Fig. 13. The corresponding mass flow rate of the oxygen is only about 0.02 mol/s. The total mass of the graphite being corroded during the accident is shown in Fig. 14 (Zhipeng et al., 2017). Each modular reactor of the HTR-PM consists of more than 80 t fuel elements and 250 t graphite reflectors. Besides, for each fuel element with the diameter of 6 cm, there exists an outer protective graphite shell with a thickness of 0.5 cm, also called as fuel-free zone. Therefore, the analysis result indicates that, in the first several days, only very little part of the graphite will be corroded. The slow air ingress and slow corrosion mean that the exposure of
3.6. BDBA – break of one primary tube together with complete failure of RCCS The RCCS of the HTR-PM is designed as three independent trains with 3 × 50% heat removal capability, which means after reactor scram, two available trains can keep the RPV and cavity concrete safe. Due to the inherent safety design of the HTR-PM, the decay heat can be transferred from the core to the RPV via the heat conductivity, radiation and natural convection after reactor shutdown. Therefore, even the RCCS fails completely the fuel temperature can still keep below the limitation of 1620 °C. However, if two or three trains fail, the decay heat could not be successfully transferred from the RPV to the environment, which will threaten the integrity of the RPV. Fig. 15 shows the maximal RPV temperature during the accident of 9
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
Fig. 14. Total graphite corrosion during air ingress accident.
Fig. 15. Maximal RPV temperature during a DLOFC together with complete failure of RCCS accident. Table 4 Measures and off-site sources considered in BAMGs of the HTR-PM. Off-site source Nitrogen Diesel generator Container for fuel elements
Description of accident and mitigation measure Air ingress: nitrogen injection is used to prevent air ingress and on-site nitrogen source is used up Loss of all power supply, including on-site diesel generators and batteries Long-term failure of two shutdown system, fuel elements need to be discharged
the limitation of 1620 °C and the release of the radioactive materials is very limited, meeting the evaluation criteria shown in Table 2. Furthermore, the use of TRISO particle fuel element can ensure in a HTGR nuclear power plant there is no core meltdown or severe accident. In addition, after reactor scram, the operators can easily diagnose what kind of accident happens by its specific phenomena or parameters, for example, the primary pressure, the humidity of the primary circuit, the RPV temperature, the working parameters of the RCCS, and so on. Besides, the slow transient can leave operators enough time to take measures.
one primary tube break together with complete failure of RCCS. The complete failure of the RCCS would result in the continuous increase of the RPV temperature in a long time. However, it can be seen that the heat up of the RPV is also a very slow process and there is enough time for the operators to execute some mitigation measures, for example, repairing the RCCS or re-establishing the forced cooling in the primary circuit. Besides, in unpressurized condition, the RPV can keep integrity under higher temperature, therefore primary pressure relief also can be used as a mitigation method. The above analyses indicate that a reasonable design can guarantee the inherent safety of the HTGR. In all the DBAs, as well in the selected BDBAs, which are with relatively high occurrence probability or considered as important for the HTR-PM, the fuel temperature keeps below 10
Nuclear Engineering and Design 360 (2020) 110497
C. Zhipeng, et al.
4. Discussion on the accident management of the HTR-PM
mitigation measures. (4) According to the inherent safety of the HTR-PM, EEOPs are developed for operators to deal with all DBAs and most of the BDBAs. BAMGs are only developed for few particular BDBAs when off-site equipment or resource is needed several days later. Compared to the SAMGs, the BAMGs of the HTR-PM are very simple, which might be incorporated into EEOPs in the future.
As a nuclear power plant, accident management must be considered and operating procedures need to be established for the operators, for example, SAMG is now required by licensing authorities in many countries. Based on the design and analysis of the HTR-PM, and also referring to the experience from PWR nuclear power plant, the Extended Emergency Operational Procedures (EEOP) and Beyond design basis accident Additional Mitigation Guideline (BAMG) have been developed for the HTR-PM operators. The EEOPs can deal with all DBAs and most of the BDBAs, especially in the early stages of the accident, and operators in the main control room (MCR) are the responsible personnel. The BAMGs will be initiated and experts from the technical support center (TSC) will become responsible only when the off-site equipment or resource should be used to mitigate the consequence. It also need to be indicated that, the BAMG only gets involved in several particular BDBAs and it might be used some days after the accident happening. The BAMG is somewhat similar to the SAMG of the PWR but simpler than it is. Table 4 lists the mitigation measures and the possible off-site sources currently being considered in the BAMGs of the HTR-PM. The research also shows that the systems and apparatuses involved in the accident management of the HTR-PM are much less than what are used in the PWR, which can significantly minify the workload of the operators. Once an accident has been detected and reactor is shut down, only several parameters need to be monitored to confirm the safety of the reactor, including the reactor power, the primary pressure, the RPV temperature, the working parameters of the RCCS, and so on. Besides, the system, equipment and instrumentation, which are designed for the normal operation and DBAs, also can be used for the BDBAs, and no additional equipment and instrumentation need to be designed for the BDBAs. Besides, because the heating-up process of the core is very slow, the operators have enough time to take measures mitigating the accident consequence. According to the above analysis, the designers of the HTR-PM consider it would be possible for the future HTGR nuclear power plant that the BAMGs also can be incorporated into the EEOPs. SAMG or BAMG may not be necessary for the HTGR.
As one of the candidates for the Generation IV nuclear energy system, the study and discussion on the accident behavior and especially the accident management are important and necessary for the further development of the HTGR. The design and review of the HTRPM have accumulated rich experience. Chinese regulatory authorities are now working with some research institutes on the research and development of the HTGR regulations and guidelines. The work introduced in this paper can provide preliminary reference for the further study. Further work, including more discussion and international cooperation would also be expected. CRediT authorship contribution statement Chen Zhipeng: Writing - review & editing. Wang Yan: . : Writing review & editing. Zheng Yanhua: Writing - original draft, Conceptualization. Acknowledgment This research is supported by Ministry of Science and Technology of the People's Republic of China, National S&T Major Project ZX06901 and ZX06902. References FSAR, 2015. (Final Safety Analysis Report) of HTR-PM, INET, Tsinghua University. Fuel performance and fission product behavior in gas cooled reactor. IAEA-TECDOC-978 (ISSN 1011-4289), IAEA, VIENNA, 1997. IAEA Safety Standards. Safety of nuclear power plants: design. Specific Safety Requirements, No. SSR-2/1, 2016. Lohnert, G.H., 1992. The consequences of water ingress into the primary circuit of a HTRModule-from design basis accident to hypothetical postulates. Nucl. Eng. Des. 134, 159–176. PSAR, 2008. (Preliminary Safety Analysis Report) of HTR-PM, INET, Tsinghua University. Recommendation of the reactor safety commission on the safety concept of a HighTemperature Modular Power Plant. In: 250th meeting of the reactor safety commission, Germany, January 24, 1990. Yanhua, Zheng, Lei, Shi, Yan, Wang, 2010. Water-ingress analysis for the 200 MWe pebble-bed modular high temperature gas-cooled reactor. Nucl. Eng. Des. 240, 3095–3107. Zhang, Z., et al., 2007. Economic potential of modular reactor nuclear power plants based on the Chinese HTR-PM project. Nucl. Eng. Des. 237, 2265–2274. Zhang, Z.Y., Wu, Z.X., Wang, D.Z., Xu, Y.H., Sun, Y.L., Li, F., Dong, Y.J., 2009. Current status and technical description of the Chinese 2×250MWth HTR-PM demonstration plant. Nucl. Eng. Des. 239, 1212. Zheng, Yanhua, Shi, Lei, Dong, Yujie, 2009. Thermohydraulic transient studies of the Chinese 200 MWe HTR-PM for loss of forced cooling accidents. Ann. Nucl. Energy 36, 742–751. Zhipeng, Chen, et al., 2017. Air ingress analysis of chimney effect in the 200 MWe pebblebed modular high temperature gas cooled reactor. Ann. Nucl. Energy 106, 143–153.
5. Summary and further work Based on the design of the HTR-PM, the accident behavior of its typical DBAs and BDBAs has been analyzed and introduced in this paper. The accident management is also discussed. The accident behaviors and the accident management of the HTR-PM are summarized as following: (1) Adoption of the TRISO particle fuel element and reasonable design can guarantee the inherent safety feature of the HTGR. (2) Accident analyses of the HTR-PM prove that the maximum fuel temperature and release of the radioactive materials in all the DBAs can keep below the limitation. (3) Even in the BDBAs with extremely low probability, there is enough time (more than several days) for the operators to execute
11