- Email: [email protected]
Study of the PWR hybrid safety system
Nuclear Engineering and Design 144 (1993) 247-256 North-Holland
247
Study of the PWR hybrid safety system Y. M a k i h a r a a, T. Sugizaki a, y . N a k a h a r a a, K. O k a b e a, T. Kato ~, T. M a t s u o k a b a n d K. T a b u c h i b " Mitsubishi Atomic Power Industries, INC., 4-1 Shibakoen 2-chome, Minato-ku, Tokyo 105, Japan h Mitsubishi Heary Industries, LTD., 4-1 Shibakoen 2-chome, Minato-ku, Tokyo 105, Japan
Received 24 May 1993 In recent years, studies to apply passive safety system to PWRs have been performed by many organizations. On the other hand, studies to improve the conventional active safety systems are also being evaluated. This article shows another approach to improve the PWR safety systems. The Hybrid Safety System which is a combination of a passive safety system and an active safety system has a possibility to improve both reliability and plant economy. In this article, a selection of elemental technologies to construct the whole-system are discussed. Then, operational signal and reactor cooling after the grace period are discussed.
1. Introduction In recent years, the study to incorporate new safety concepts consisting mainly of passive safety systems into the safety system of a PWR has been performed by many organizations. The results of the study on the applicability of these new safety concepts to PWR are indicated in ref. [1], in which a number of new concepts extracted proved to be applicable especially to a large PWR. When the whole safety systems are constructed, these new concepts which are principally elemental technologies must be combined with each other. Since there are some preferences among these elemental technologies, it is important to examine carefully how to combine them. This article, to begin with, describes the fundamental structure of the hybrid safety system under development by Mitsubishi, and then explains the structure of operation signals, the process that the signal system, of which the main concept is the system pressure, discriminates various accident conditions and causes the safety system to operate adequately, and the method of containment vessel (CV) cooling after the grace period for 3 days.
2. Concepts of the Hybrid Safety System 2. l. Heat transport to ultimate heat sink
Safety functions in PWR are divided into reactor shutdown, core cooling, heat transport to ultimate heat
sink (to transfer decay heat to the ultimate heat sink from inside of the containment vessel), and fission product (FP) retention. In these functions, elemental technologies related to reactor shutdown and FP retention can be achieved by themselves. Considering the priority in the study from the standpoint of the whole structure of the hybrid safety system, the long-term heat transport to ultimate heat sink method was selected as the main concept of the safety system. Table 1 shows the elemental technologies on heat transport to ultimate heat sink evaluated in this study. In the process of selecting the elemental technology to be used in the hybrid safety system, the following points of view were considered: (a) Use present systems or components as much as possible. (b) Use proven technologies. (c) The selected elemental technologies are applicable to a large size PWR. (d) To keep the grace period of 3 days, passive systems are preferable. The method to remove decay heat through the containment vessel wall by locating a water pool surrounding the containment vessel was not adopted because it was thought to be difficult to justify the natural circulation of flooded water. Similarly, heat transport to ultimate heat sink with heat pipe was not adopted because the number of heat pipes required was too big. The steam generator (SG) cooling method consists of releasing decay heat to the atmosphere by natural circulation and boiling of the cooling water in the
0 0 2 9 - 5 4 9 3 / 9 3 / $ 0 6 . 0 0 © 1993 - Elsevier Science Publishers B.V. All rights reserved
248
Y. Makihara et al. / PWR Hybrid Safet v System
Table 1 Elemental technologies for heat transport to ultimate heat sink No.
Elemental technology
Description
I
Heat transport to ultimate heat sink with water wall or outer pool
Decay heat in flooded water in CV be removed through CV wall to water surrounding wall.
Heat transport to ultimate heat sink with heat pipe
Decay heat in flooded water be transferred by heat pipe to the outside of CV.
Heat transport to ultimate heat sink with Steam Generator
Decay heat in primary system be transferred to secondary system through SG 2
secondary system. In this method, even if non-condensable gas flows into the primary system after an accident, the natural circulation in the primary system must be secured. In the vertical U-type SG used in the conventional PWR plant, the non-condensable gas remaining in the heat transfer tubes might prevent natural circulation in the primary system to preclude the removal of decay heat. It is reasonable, on the other hand, to use SG, which is originally the component for heat exchange in PWR, for the purpose of removing decay heat during accidents. And there is a possibility that the horizontal SG with a vent line in the channel head will vent non-condensable gas out of the primary system. Considering the above, the heat transport to ultimate heat sink method by SG was adopted as the basic concept of the safety system. The safety grade of SG systems is considered to be PS-1 as current PWRs according to Japanese Safety Guidelines. 2.2. Core cooling
Core cooling functions are divided into that during LOCA and that during N O N - L O C A (transients or accidents other than LOCA). During LOCA, the primary system pressure decreases and the primary coolant spills to the containment vessel. Leaving it unchanged leads to the decrease of the primary coolant,
carrying the core exposure. In this case, the safety system must start up to inject the coolant to the primary system as soon as possible, without relying on operator's judgment, in order to prevent core meltdown and ensure plant security. On the other hand, during NON-LOCA, the pressure boundary in the primary system having sufficient stability, it is possible to ensure the plant security only by removing decay heat after the reactor shutdown. It is concluded, therefore, that the cooling method should be studied individually, considering the difference of the plant conditions between during LOCA and during NON-LOCA. Table 2 shows the typical elemental technologies on core cooling. An advanced accumulator, which supplies a great amount of water to the core in the early stage of a large break LOCA to accelerate the core reflooding and also supplies additional water after reflooding, is indispensable for core cooling, because there is no other system which can provide a large amount of water in a short period. Since it is desirable that the phenomena seriously affecting the plant security like LOCA should be disposed without relying on operator's action, the passive safety system seems to be available for core cooling. One of the passive elemental technologies for core cooling after L O C A is the gravity driven injection system. This system depressurizes the primary system
Table 2 Elemental technologies for core cooling No.
Elemental technology
Description
Accumulated boron injection system (advanced accumulator)
Borated water be injected by pressurized nitrogen gas. Flow rate is controlled by flow dumper.
Gravity driven injection system
Borated water be injected by gravity out of injection tank.
High pressure natural circulation RHR for primary loop
Decay heat in primary system be removed through heat exchanger in water tank by natural circulation.
249
Y. Makihara et aZ / PWR Hybrid Safety System
to the level of the containment vessel pressure by opening the depressurization valves in the primary system, and then injects the coolant into the primary system out of the gravity injection tank located on the upper side of the primary system. The problem related to this system is the erroneous operation. When the erroneous operation occurs in the depressurization valve installed in the primary system, the primary system is expected to be flooded. To resolve this problem, the possibility to remove the primary system depressurization valve which directly opens to the atmosphere in CV was evaluated. As result of the study, it was found that the opening of the secondary depressurization valve was effective to reduce the primary system pressure by removing stored energy in primary system water through the steam generator. Then, the combination of opening the primary depressurization valves and the secondary depressurization valves for depressurizing the primary system, as shown in Fig. 1, was enough to decrease the primary system pressure and start the gravity driven injection. Since the system has no depressurization valve opened directly to the containment vessel out of the primary system, even if any
erroneous operation occurs, there is no possibility of the primary system flooding by the primary coolant spilt to the containment vessel. In selecting the design concepts for core cooling during NON-LOCA, the followings should bc considered: (1) From the viewpoint of flexibility in operation, the active system is rather available against NONLOCA including various phenomena, each of which requires the optimum operation. (2) With the operation of gravity driven injection system, which is the passive core cooling component during LOCA, the primary system pressure decreases rapidly so that the inside of the containment vessel will be filled with steam. It will be required to take much hours to dispose them and recover normal condition. Consequently, it is not desirable to start up the gravity driven injection system against the phenomena such as small break LOCA or SG tube rupture (SGTR) in which the reduction of the coolant is rather slow. (3) In the primary system, even if the passive safety system is adopted, the charging pump is needed to
Secondary Depressurization Valves
Gravity Injection Tanks(6)
;.';...':-..":v':..::..::v? .?::I
Auxiliary Feedwater Tank(l)
Primary Depressurizatlon Valves
..
. . . . . . . . .
N
.....
:
..
Fig. 1. G r a v i t y d r i v e n i n j e c t i o n s y s t e m .
250
Y. Makihara et al. / PWR Hybrid Safety System
Table 3 Elemental technologies for reactors shutdown No.
Elemental technology
System description
Boron injection by natural circulation
Borated water in tank located upper portion of primary system is injected by natural circulation.
Boron injection by pump head
Borated water in tank located in the bypass loop of primary pump is injected by pump head.
Boron injection by high pressure accumulator
Borated water in accumulator tank is injected following the depressurization of primary system
supply the coolant and change the boron concentration during normal operation, therefore, it is reasonable to use this pump during small LOCA and SGTR. Considering the above, as one of core cooling function during NON-LOCA, the charging pump used in the conventional plant was adopted to supply the borated water to the primary system. This pump also
functions as the high head injection pump to supply the borated water during small L O C A so that it becomes possible to dispose small L O C A under 1 inch break size without starting up the passive safety system. The auxiliary feedwater system (AFWS), which has given satisfactory results in the conventional plant, was adopted to remove decay heat in the secondary side
Primary containment (concrete filled steel)
Charcoa filter
[/ I .L
Almost atmospheric I pressure
k
* Double containment vessel . ( ~ e l + concrete f'dled steel) *_ Passived annulus system . . . . . (Conventional)
- Make annulus portion negative pressure by fan and ventilate through charcoal filter
(Passive)
- Make annulus portion leaktight - Leak gas is ventilated through charcoal filter without fan
Fig. 2. Passive annulus filtration system using double containment.
251
Y. Makihara et al. / PWR Hybrid Safety System
cal by force during the anticipated transient without scram (ATWS)
during NON-LOCA. The safety grade of AFWS is the same as current PWRs since the basic function is the same.
2.4. Fission product retention 2.3. Reactor shutdown
In the conventional plant, the fission products leaked to the annulus during LOCA, are absorbed into the fan and then released to the atmosphere through the filter. The object of this study is to keep the grace period by the passive safety system operating against LOCA. The fission product retention should also be achieved in the passive safety system. Figure 2 shows the structure of the passive annulus system. Rising of the temperature in the containment vessel by energy released to the containment vessel causes rising of the annulus temperature, followed by increase of the annulus pressure and then the fission product is released to the atmosphere through the filter. This function will be achieved by preventing the fission products from leaking through the gap of the steel plate of the inner wall of the containment vessel.
Table 3 shows the components having a reactor shutdown function besides the charging pump used in the conventional plant. It seems to be most reasonable to apply the charging pump for reactor shutdown, now that this pump is adopted for core cooling during NON-LOCA. In the following cases, the possibility of some of the components shown in Table 3 operating more effectively than the charging pump is considered, therefore, further study to select the optimum component should be performed in the future. (1) In case that it is required to keep the core subcritical or reduce the critical period as much as possible during the main steamline break accident (MSLB) (2) In case that it is required to keep the core subcriti-
(9) (2)
(7)
(1)
•. ' . ' . ' . . ' . ' . ' . ' . ' . . . ' . ' . . ' . ' : ' : : : ' :
~
:~ . .' '...-. . - . - , ' . ' . ' . ' . - . - . ' . ' . ' . ' X - ~ ' : ' " .... ....
(s)
Fig. 3. Concept of Hybrid Safety System.
(1): Primary Depressurization Valves (2): Secondary Depressurization Valves (3): Advanced Accumulators (4): Horizontal Steam Generators (5): Charging SI Pumps (6): Auxiliary Feedwater Pumps (T/D:1, M/D:2) (7): Auxiliary Feedwater Tank (8): Gravity Injection Tanks (9): CV External Spray
252
E Makihara et al. / PWR Hybrid Safety System
Water Level in Accumulator
Large Flow Rate (RV Refilling)
Reduced Flow Rate (Core Reflooding)
Fig. 4. Concept and performance of advanced accumulator. structed as shown in Fig. 3. New components introduced in the Hybrid Safety System are advanced accumulators and horizontal steam generators. Figure 4 shows the structure and performance of the advanced
2.5. 6bnstruction of'the Hybrid Safety System
Combining the elemental technologies selected in former sections, the Hybrid Safety System is con-
MoistureSeparater ~ l n t e r n a l Pipings ~
\
Steam Nozzles
\Z'~
Z~
,~
HeatTransferTubes Fig. 5. Concept of horizontal steam generator.
Gas Vent
PrimaryWater Outlet
Y Makihara et al. / PWR Hybrid Safety System
accumulator. In this design, a flow dumper is installed in the tank. When the water level is above the flow standpipe of the flow dumper, water comes into the device from both flow standpipe and side connection. Since both flows merge in the device, no vortex is made. This results to a high flow injection into the primary system. When the water level in the tank goes down to the level of flow standpipe, only flow from the side connection comes into the device. Since this flow makes a vortex in the device, flow resistance will be increased several times. This results to a low flow injection into the primary system. By using advanced accumulators, functions to fill the downcomer in a short period just after large break LOCA and to continue to inject water by low flow rate in long period are achieved. Figure 5 shows the horizontal steam generator. The basic concepts are the same as for a conventional vertical U-type steam generator. The main features are: (a) there are 6 steam nozzles located on the top of the vessel. This is to give a uniform flow at moisture separator region, and (b) the gas vent line is mounted on the channel head.
3. Features of the Hybrid Safety System The features of the Hybrid Safety System composing of these components are as follows; (1) As for the medium and large break LOCA with break size over 1 inch, the passive safety system starts up to dispose it. This provides a grace period of 3 days, ensuring plant security without operator's action. (2) In the gravity driven injection system adopted for core cooling during LOCA, the primary system pressure is decreased by opening the secondary depressurization valve as well as the primary depressurization valve. Therefore, it is unnecessary to install the depressurization valve opened directly to the containment vessel out of the primary system piping. (3) As the high head safety injection pump with safety grade is adopted, the primary system pressure can be retained above the level of passive safety system actuation. Therefore, it is possible to achieve safe reactor shutdown during small break LOCA with break size under 1 inch, SGTR and other NONLOCA events without starting up the passive safety system.
253
4. Operation signal of the Hybrid Safety System It is the basic concept of the Hybrid Safety System that on discerning abnormal conditions, the active safety system operates as effectively as possible, if necessary, supplemented by the passive safety system. Consequently, the method to examine the plant condition should be adequately selected. Taking into account the fact that the system pressure is the most important parameter in order to discriminate LOCA, during which the passive safety system operates, the system pressure is considered satisfactory for the main concept of operation signals of the hybrid safety system. As for the reactor trip signal preceding the start up of the hybrid safety system, the same signal as used in the conventional plant is adopted. With the system pressure decreasing lower than about 13 MPa after the reactor trip, the active safety system makes itself ready for operation. In this condition, the high head safety injection pump supplies the cooling water to the reactor in order to restore the system pressure. With the system pressure decreasing below about 9 MPa, the passive safety system starts up according to the judgement of the break over 1 inch occured. In case of the system pressure keeping over about 9 MPa, the active safety system judges the break size is smaller than 1 inch and leads to the safe reactor shutdown by the normal system, while supplying water through the high lead safety injection pump. When the normal system such as offsite power is out of service, safe reactor shutdown is achieved by the active safety system, of which the power is supplied by safety class Diesel Generators. If the active safety system is not operable, the passive safety system starts up finally. It must be noted, however, that the operation signal of the passive safety system should be a combination of the primary system pressure decreasing and the secondary system pressure leaving, lest the passive safety system should start up, even with the primary system pressure decreasing lower than 9 MPa during MSLB. Figure 6 shows the result of study on the primary system pressure and the features of the core injection in the passive safety system during the unexpected opening of the pressurizer relief valve. Plant conditions used in the analysis are shown in Table 4. With the primary system pressure decreasing to 9 MPa during small LOCA, the depressurization valve in the primary system opens to accelerate the depressurization of the primary system. The decrease of the primary system pressure coming down to 5 MPa, those in the secondary system opens to depressurize the primary system. Decreasing to 4 MPa, the advanced accumulator
254
Z Makihara et al. / PWR Hybrid Safety System
primary system is flooded with the cooling water, in which the decay heat is removed through the steam generator. LH O3
1200
--
12o
--
lOOO ~ LIJ t-,< r'r'
o, U. Z
o_ I-O LU
..~ RCS P R E S S U R E 800
",.."
"',,%
600
'~o
T',. '"1"1
400
--~
200
INJECTION F R O M GRAVITY INJECTION T A N K
l--I---I INJECTION FROM
~, ~
-
i
"-
-
O~
,Io (.~
2o
rr'
p
0
~oo
5. Reactor cooling after the grace period
~o
200 5oo 400 5oD 60o 700
8oo
9oo
1ooo 1~oo
TIME(SEC) Fig. 6. Injection flow and pressure transients during unexpected opening of pressure relief valve.
supplies a great amount of water to the reactor, which is changed to a small amount of water within about 300 seconds. The primary system pressure decreases continuously and, within about 830 seconds, the gravity driven injection system begins to inject water in the gravity iniection tank bv ~ravitv head. in turn. the
Outer CV Spray
Since the passive safety system by SG cooling transfers decay heat to the ultimate head sink by boiling the SG secondary side, the temperature in the containment vessel will not become less than 100°C. It is concluded, therefore, that any active component is required for safe reactor shutdown at a low temperature. In selecting the active component, the followings were considered: (1) The main purpose of the active component added to the safety system is to induce safe reactor shutdown at a low temperature. This component is assumed to be operable as a countermeasure against severe accidents, hence it is desirable to locate the active portions outside the containment vessel, permitting the operators to access. (2) Transferring decay heat to the ultimate heat sink can be achieved only by supplying cooling water to SG secondary side. The regulatory reauirement
Outer Shield
AuxiliaryFeed Water Pump
Containment Vessel~.
Condensate Water Storage Tank --"{[ ~
Provisional Feedwater Connection
CharcoalFilter
ComponentCooling - -
Boric AcidTank
RHR Systems ~-Drain
Systems
\
Line
Charging Safety Injection pump
Sea Water Pump Fig. 7. System concept for reactor cooling after grade period.
Y. Makihara et al. / PWR Hybrid Safety System
Table 4 Plant conditions used in the analysis Core thermal power (MWt) Operating pressure (MPa) Number of loops Core conditions Equivalent diameter (m) Effective height (m) Average power density (kW/1) Coolant conditions Total flow rate (m3/hr) Hotleg temperature (°C) Coldleg temperature (°C) Steam generator type
Core cooling
Fission products retention
the provisional feedwater connection is installed to supply water in case that the auxiliary feedwater pump is not operable.
1820 15.5 2
2.92 3.66 74.5
44,600 325.0 290.6 U-tube, horizontal
Containment vessel conditions Type Spherical Diameter (m) 52 Safety systems Reactor shutdown
255
(1) Control rods (2) Charging pump (1) Advanced accumulator (2) Gravity driven injection system (3) Steam generator cooling (4) Charging safety injection pump Passive annulus system
associated with this component is not necessarily clear, however, this study will regard it as that belonging to the safety grade. Figure 7 shows the general concept of the system. In this plant, as with the normal conditions, reactor shutdown during the long-term cooling after LOCA is achieved by RHR. Outer CV spray, which connects with the auxiliary feedwater pump to spray water in the condensate storage tank, withdraws the energy released to the atmosphere in the containment vessel to decrease the pressure in the containment vessel. These systems should be considered to be a safety system according to current Japanese Safety Guidelines. And
6. Summary The safety function in PWR are divided into reactor shutdown, core cooling, heat transport to ultimate heat sink, and fission product retention. This study performed an investigation to extract the optimum combination of all concepts of the safety system. The steam generator, which is the largest heat exchanger installed in the primary system of PWR, is adopted as the basic concept for heat transport to ultimate heat sink in the safety system. The horizontal SG with the vent line on the channel head is possible to ensure the natural circulation in the primary system under any circumstances. In this system, the non-condensable gas flowing into the primary system is vented through the vent line lest it should prevent the natural circulation in the primary system. Core cooling functions are divided into that during LOCA and that during NON-LOCA, each of which requires the specific component individually. The gravity driven injection system, which is a passive system, is adopted for core cooling during LOCA. There will be the possibility of the primary system flooding by an erroneous operation of the primary depressurization valve in this system. It is concluded, however, that the combination with SG cooling makes it possible to delete the depressurization valve opened directly to the containment vessel out of the primary piping permitting to minimize the influence to the plant operation by unexpected opening of the depressurization valve. The charging high head safety injection pump and the auxiliary feedwater pump, which are active systems, are adopted for core cooling during NON-LOCA. Since a plant of which the safety system is composed mainly of passive components requires a charging pump to supply cooling water during normal operation, this pump with safety grade is found to be available for core cooling during NON-LOCA. The auxiliary feedwater pump is adopted because it has acquired a high reliability in the conventional plant and seems to be superior to the passive system from the viewpoint of cost reduction. The charging high head safety injection pump, which is adopted for core cooling during NON-LOCA, is also used for reactor shutdown by adopting active systems for NON-LOCA core cooling; flexible operation will be a available against various phenomena during transients. The passive annulus system is adopted for fission product
256
Y. Makihara et aL / PWR Hybrid SateO' System
retention so that the grace period of 3 days may be kept after L O C A . Consequently, in this study, it is concluded that the optimum design for the safety system, which is based on SG cooling, should be achieved by a combination of an active system and a passive system; that is, the active system is applicable to core cooling during N O N - L O C A and reactor shutdown function and the passive system to the other functions.
References [1] M. Aritomi et al., Study of applicability of advanced safety systems and concepts to large size light water reactors, b-11, The 1st JSME/ASME Joint International Conference on Nuclear Engineering, Tokyo, 1991. [2] T. Sugizaki et al., Development of Hybrid Safety System, The 1st JSME/ASME Joint Conference on Nuclear Engineering, November, 1991.
247
Study of the PWR hybrid safety system Y. M a k i h a r a a, T. Sugizaki a, y . N a k a h a r a a, K. O k a b e a, T. Kato ~, T. M a t s u o k a b a n d K. T a b u c h i b " Mitsubishi Atomic Power Industries, INC., 4-1 Shibakoen 2-chome, Minato-ku, Tokyo 105, Japan h Mitsubishi Heary Industries, LTD., 4-1 Shibakoen 2-chome, Minato-ku, Tokyo 105, Japan
Received 24 May 1993 In recent years, studies to apply passive safety system to PWRs have been performed by many organizations. On the other hand, studies to improve the conventional active safety systems are also being evaluated. This article shows another approach to improve the PWR safety systems. The Hybrid Safety System which is a combination of a passive safety system and an active safety system has a possibility to improve both reliability and plant economy. In this article, a selection of elemental technologies to construct the whole-system are discussed. Then, operational signal and reactor cooling after the grace period are discussed.
1. Introduction In recent years, the study to incorporate new safety concepts consisting mainly of passive safety systems into the safety system of a PWR has been performed by many organizations. The results of the study on the applicability of these new safety concepts to PWR are indicated in ref. [1], in which a number of new concepts extracted proved to be applicable especially to a large PWR. When the whole safety systems are constructed, these new concepts which are principally elemental technologies must be combined with each other. Since there are some preferences among these elemental technologies, it is important to examine carefully how to combine them. This article, to begin with, describes the fundamental structure of the hybrid safety system under development by Mitsubishi, and then explains the structure of operation signals, the process that the signal system, of which the main concept is the system pressure, discriminates various accident conditions and causes the safety system to operate adequately, and the method of containment vessel (CV) cooling after the grace period for 3 days.
2. Concepts of the Hybrid Safety System 2. l. Heat transport to ultimate heat sink
Safety functions in PWR are divided into reactor shutdown, core cooling, heat transport to ultimate heat
sink (to transfer decay heat to the ultimate heat sink from inside of the containment vessel), and fission product (FP) retention. In these functions, elemental technologies related to reactor shutdown and FP retention can be achieved by themselves. Considering the priority in the study from the standpoint of the whole structure of the hybrid safety system, the long-term heat transport to ultimate heat sink method was selected as the main concept of the safety system. Table 1 shows the elemental technologies on heat transport to ultimate heat sink evaluated in this study. In the process of selecting the elemental technology to be used in the hybrid safety system, the following points of view were considered: (a) Use present systems or components as much as possible. (b) Use proven technologies. (c) The selected elemental technologies are applicable to a large size PWR. (d) To keep the grace period of 3 days, passive systems are preferable. The method to remove decay heat through the containment vessel wall by locating a water pool surrounding the containment vessel was not adopted because it was thought to be difficult to justify the natural circulation of flooded water. Similarly, heat transport to ultimate heat sink with heat pipe was not adopted because the number of heat pipes required was too big. The steam generator (SG) cooling method consists of releasing decay heat to the atmosphere by natural circulation and boiling of the cooling water in the
0 0 2 9 - 5 4 9 3 / 9 3 / $ 0 6 . 0 0 © 1993 - Elsevier Science Publishers B.V. All rights reserved
248
Y. Makihara et al. / PWR Hybrid Safet v System
Table 1 Elemental technologies for heat transport to ultimate heat sink No.
Elemental technology
Description
I
Heat transport to ultimate heat sink with water wall or outer pool
Decay heat in flooded water in CV be removed through CV wall to water surrounding wall.
Heat transport to ultimate heat sink with heat pipe
Decay heat in flooded water be transferred by heat pipe to the outside of CV.
Heat transport to ultimate heat sink with Steam Generator
Decay heat in primary system be transferred to secondary system through SG 2
secondary system. In this method, even if non-condensable gas flows into the primary system after an accident, the natural circulation in the primary system must be secured. In the vertical U-type SG used in the conventional PWR plant, the non-condensable gas remaining in the heat transfer tubes might prevent natural circulation in the primary system to preclude the removal of decay heat. It is reasonable, on the other hand, to use SG, which is originally the component for heat exchange in PWR, for the purpose of removing decay heat during accidents. And there is a possibility that the horizontal SG with a vent line in the channel head will vent non-condensable gas out of the primary system. Considering the above, the heat transport to ultimate heat sink method by SG was adopted as the basic concept of the safety system. The safety grade of SG systems is considered to be PS-1 as current PWRs according to Japanese Safety Guidelines. 2.2. Core cooling
Core cooling functions are divided into that during LOCA and that during N O N - L O C A (transients or accidents other than LOCA). During LOCA, the primary system pressure decreases and the primary coolant spills to the containment vessel. Leaving it unchanged leads to the decrease of the primary coolant,
carrying the core exposure. In this case, the safety system must start up to inject the coolant to the primary system as soon as possible, without relying on operator's judgment, in order to prevent core meltdown and ensure plant security. On the other hand, during NON-LOCA, the pressure boundary in the primary system having sufficient stability, it is possible to ensure the plant security only by removing decay heat after the reactor shutdown. It is concluded, therefore, that the cooling method should be studied individually, considering the difference of the plant conditions between during LOCA and during NON-LOCA. Table 2 shows the typical elemental technologies on core cooling. An advanced accumulator, which supplies a great amount of water to the core in the early stage of a large break LOCA to accelerate the core reflooding and also supplies additional water after reflooding, is indispensable for core cooling, because there is no other system which can provide a large amount of water in a short period. Since it is desirable that the phenomena seriously affecting the plant security like LOCA should be disposed without relying on operator's action, the passive safety system seems to be available for core cooling. One of the passive elemental technologies for core cooling after L O C A is the gravity driven injection system. This system depressurizes the primary system
Table 2 Elemental technologies for core cooling No.
Elemental technology
Description
Accumulated boron injection system (advanced accumulator)
Borated water be injected by pressurized nitrogen gas. Flow rate is controlled by flow dumper.
Gravity driven injection system
Borated water be injected by gravity out of injection tank.
High pressure natural circulation RHR for primary loop
Decay heat in primary system be removed through heat exchanger in water tank by natural circulation.
249
Y. Makihara et aZ / PWR Hybrid Safety System
to the level of the containment vessel pressure by opening the depressurization valves in the primary system, and then injects the coolant into the primary system out of the gravity injection tank located on the upper side of the primary system. The problem related to this system is the erroneous operation. When the erroneous operation occurs in the depressurization valve installed in the primary system, the primary system is expected to be flooded. To resolve this problem, the possibility to remove the primary system depressurization valve which directly opens to the atmosphere in CV was evaluated. As result of the study, it was found that the opening of the secondary depressurization valve was effective to reduce the primary system pressure by removing stored energy in primary system water through the steam generator. Then, the combination of opening the primary depressurization valves and the secondary depressurization valves for depressurizing the primary system, as shown in Fig. 1, was enough to decrease the primary system pressure and start the gravity driven injection. Since the system has no depressurization valve opened directly to the containment vessel out of the primary system, even if any
erroneous operation occurs, there is no possibility of the primary system flooding by the primary coolant spilt to the containment vessel. In selecting the design concepts for core cooling during NON-LOCA, the followings should bc considered: (1) From the viewpoint of flexibility in operation, the active system is rather available against NONLOCA including various phenomena, each of which requires the optimum operation. (2) With the operation of gravity driven injection system, which is the passive core cooling component during LOCA, the primary system pressure decreases rapidly so that the inside of the containment vessel will be filled with steam. It will be required to take much hours to dispose them and recover normal condition. Consequently, it is not desirable to start up the gravity driven injection system against the phenomena such as small break LOCA or SG tube rupture (SGTR) in which the reduction of the coolant is rather slow. (3) In the primary system, even if the passive safety system is adopted, the charging pump is needed to
Secondary Depressurization Valves
Gravity Injection Tanks(6)
;.';...':-..":v':..::..::v? .?::I
Auxiliary Feedwater Tank(l)
Primary Depressurizatlon Valves
..
. . . . . . . . .
N
.....
:
..
Fig. 1. G r a v i t y d r i v e n i n j e c t i o n s y s t e m .
250
Y. Makihara et al. / PWR Hybrid Safety System
Table 3 Elemental technologies for reactors shutdown No.
Elemental technology
System description
Boron injection by natural circulation
Borated water in tank located upper portion of primary system is injected by natural circulation.
Boron injection by pump head
Borated water in tank located in the bypass loop of primary pump is injected by pump head.
Boron injection by high pressure accumulator
Borated water in accumulator tank is injected following the depressurization of primary system
supply the coolant and change the boron concentration during normal operation, therefore, it is reasonable to use this pump during small LOCA and SGTR. Considering the above, as one of core cooling function during NON-LOCA, the charging pump used in the conventional plant was adopted to supply the borated water to the primary system. This pump also
functions as the high head injection pump to supply the borated water during small L O C A so that it becomes possible to dispose small L O C A under 1 inch break size without starting up the passive safety system. The auxiliary feedwater system (AFWS), which has given satisfactory results in the conventional plant, was adopted to remove decay heat in the secondary side
Primary containment (concrete filled steel)
Charcoa filter
[/ I .L
Almost atmospheric I pressure
k
* Double containment vessel . ( ~ e l + concrete f'dled steel) *_ Passived annulus system . . . . . (Conventional)
- Make annulus portion negative pressure by fan and ventilate through charcoal filter
(Passive)
- Make annulus portion leaktight - Leak gas is ventilated through charcoal filter without fan
Fig. 2. Passive annulus filtration system using double containment.
251
Y. Makihara et al. / PWR Hybrid Safety System
cal by force during the anticipated transient without scram (ATWS)
during NON-LOCA. The safety grade of AFWS is the same as current PWRs since the basic function is the same.
2.4. Fission product retention 2.3. Reactor shutdown
In the conventional plant, the fission products leaked to the annulus during LOCA, are absorbed into the fan and then released to the atmosphere through the filter. The object of this study is to keep the grace period by the passive safety system operating against LOCA. The fission product retention should also be achieved in the passive safety system. Figure 2 shows the structure of the passive annulus system. Rising of the temperature in the containment vessel by energy released to the containment vessel causes rising of the annulus temperature, followed by increase of the annulus pressure and then the fission product is released to the atmosphere through the filter. This function will be achieved by preventing the fission products from leaking through the gap of the steel plate of the inner wall of the containment vessel.
Table 3 shows the components having a reactor shutdown function besides the charging pump used in the conventional plant. It seems to be most reasonable to apply the charging pump for reactor shutdown, now that this pump is adopted for core cooling during NON-LOCA. In the following cases, the possibility of some of the components shown in Table 3 operating more effectively than the charging pump is considered, therefore, further study to select the optimum component should be performed in the future. (1) In case that it is required to keep the core subcritical or reduce the critical period as much as possible during the main steamline break accident (MSLB) (2) In case that it is required to keep the core subcriti-
(9) (2)
(7)
(1)
•. ' . ' . ' . . ' . ' . ' . ' . ' . . . ' . ' . . ' . ' : ' : : : ' :
~
:~ . .' '...-. . - . - , ' . ' . ' . ' . - . - . ' . ' . ' . ' X - ~ ' : ' " .... ....
(s)
Fig. 3. Concept of Hybrid Safety System.
(1): Primary Depressurization Valves (2): Secondary Depressurization Valves (3): Advanced Accumulators (4): Horizontal Steam Generators (5): Charging SI Pumps (6): Auxiliary Feedwater Pumps (T/D:1, M/D:2) (7): Auxiliary Feedwater Tank (8): Gravity Injection Tanks (9): CV External Spray
252
E Makihara et al. / PWR Hybrid Safety System
Water Level in Accumulator
Large Flow Rate (RV Refilling)
Reduced Flow Rate (Core Reflooding)
Fig. 4. Concept and performance of advanced accumulator. structed as shown in Fig. 3. New components introduced in the Hybrid Safety System are advanced accumulators and horizontal steam generators. Figure 4 shows the structure and performance of the advanced
2.5. 6bnstruction of'the Hybrid Safety System
Combining the elemental technologies selected in former sections, the Hybrid Safety System is con-
MoistureSeparater ~ l n t e r n a l Pipings ~
\
Steam Nozzles
\Z'~
Z~
,~
HeatTransferTubes Fig. 5. Concept of horizontal steam generator.
Gas Vent
PrimaryWater Outlet
Y Makihara et al. / PWR Hybrid Safety System
accumulator. In this design, a flow dumper is installed in the tank. When the water level is above the flow standpipe of the flow dumper, water comes into the device from both flow standpipe and side connection. Since both flows merge in the device, no vortex is made. This results to a high flow injection into the primary system. When the water level in the tank goes down to the level of flow standpipe, only flow from the side connection comes into the device. Since this flow makes a vortex in the device, flow resistance will be increased several times. This results to a low flow injection into the primary system. By using advanced accumulators, functions to fill the downcomer in a short period just after large break LOCA and to continue to inject water by low flow rate in long period are achieved. Figure 5 shows the horizontal steam generator. The basic concepts are the same as for a conventional vertical U-type steam generator. The main features are: (a) there are 6 steam nozzles located on the top of the vessel. This is to give a uniform flow at moisture separator region, and (b) the gas vent line is mounted on the channel head.
3. Features of the Hybrid Safety System The features of the Hybrid Safety System composing of these components are as follows; (1) As for the medium and large break LOCA with break size over 1 inch, the passive safety system starts up to dispose it. This provides a grace period of 3 days, ensuring plant security without operator's action. (2) In the gravity driven injection system adopted for core cooling during LOCA, the primary system pressure is decreased by opening the secondary depressurization valve as well as the primary depressurization valve. Therefore, it is unnecessary to install the depressurization valve opened directly to the containment vessel out of the primary system piping. (3) As the high head safety injection pump with safety grade is adopted, the primary system pressure can be retained above the level of passive safety system actuation. Therefore, it is possible to achieve safe reactor shutdown during small break LOCA with break size under 1 inch, SGTR and other NONLOCA events without starting up the passive safety system.
253
4. Operation signal of the Hybrid Safety System It is the basic concept of the Hybrid Safety System that on discerning abnormal conditions, the active safety system operates as effectively as possible, if necessary, supplemented by the passive safety system. Consequently, the method to examine the plant condition should be adequately selected. Taking into account the fact that the system pressure is the most important parameter in order to discriminate LOCA, during which the passive safety system operates, the system pressure is considered satisfactory for the main concept of operation signals of the hybrid safety system. As for the reactor trip signal preceding the start up of the hybrid safety system, the same signal as used in the conventional plant is adopted. With the system pressure decreasing lower than about 13 MPa after the reactor trip, the active safety system makes itself ready for operation. In this condition, the high head safety injection pump supplies the cooling water to the reactor in order to restore the system pressure. With the system pressure decreasing below about 9 MPa, the passive safety system starts up according to the judgement of the break over 1 inch occured. In case of the system pressure keeping over about 9 MPa, the active safety system judges the break size is smaller than 1 inch and leads to the safe reactor shutdown by the normal system, while supplying water through the high lead safety injection pump. When the normal system such as offsite power is out of service, safe reactor shutdown is achieved by the active safety system, of which the power is supplied by safety class Diesel Generators. If the active safety system is not operable, the passive safety system starts up finally. It must be noted, however, that the operation signal of the passive safety system should be a combination of the primary system pressure decreasing and the secondary system pressure leaving, lest the passive safety system should start up, even with the primary system pressure decreasing lower than 9 MPa during MSLB. Figure 6 shows the result of study on the primary system pressure and the features of the core injection in the passive safety system during the unexpected opening of the pressurizer relief valve. Plant conditions used in the analysis are shown in Table 4. With the primary system pressure decreasing to 9 MPa during small LOCA, the depressurization valve in the primary system opens to accelerate the depressurization of the primary system. The decrease of the primary system pressure coming down to 5 MPa, those in the secondary system opens to depressurize the primary system. Decreasing to 4 MPa, the advanced accumulator
254
Z Makihara et al. / PWR Hybrid Safety System
primary system is flooded with the cooling water, in which the decay heat is removed through the steam generator. LH O3
1200
--
12o
--
lOOO ~ LIJ t-,< r'r'
o, U. Z
o_ I-O LU
..~ RCS P R E S S U R E 800
",.."
"',,%
600
'~o
T',. '"1"1
400
--~
200
INJECTION F R O M GRAVITY INJECTION T A N K
l--I---I INJECTION FROM
~, ~
-
i
"-
-
O~
,Io (.~
2o
rr'
p
0
~oo
5. Reactor cooling after the grace period
~o
200 5oo 400 5oD 60o 700
8oo
9oo
1ooo 1~oo
TIME(SEC) Fig. 6. Injection flow and pressure transients during unexpected opening of pressure relief valve.
supplies a great amount of water to the reactor, which is changed to a small amount of water within about 300 seconds. The primary system pressure decreases continuously and, within about 830 seconds, the gravity driven injection system begins to inject water in the gravity iniection tank bv ~ravitv head. in turn. the
Outer CV Spray
Since the passive safety system by SG cooling transfers decay heat to the ultimate head sink by boiling the SG secondary side, the temperature in the containment vessel will not become less than 100°C. It is concluded, therefore, that any active component is required for safe reactor shutdown at a low temperature. In selecting the active component, the followings were considered: (1) The main purpose of the active component added to the safety system is to induce safe reactor shutdown at a low temperature. This component is assumed to be operable as a countermeasure against severe accidents, hence it is desirable to locate the active portions outside the containment vessel, permitting the operators to access. (2) Transferring decay heat to the ultimate heat sink can be achieved only by supplying cooling water to SG secondary side. The regulatory reauirement
Outer Shield
AuxiliaryFeed Water Pump
Containment Vessel~.
Condensate Water Storage Tank --"{[ ~
Provisional Feedwater Connection
CharcoalFilter
ComponentCooling - -
Boric AcidTank
RHR Systems ~-Drain
Systems
\
Line
Charging Safety Injection pump
Sea Water Pump Fig. 7. System concept for reactor cooling after grade period.
Y. Makihara et al. / PWR Hybrid Safety System
Table 4 Plant conditions used in the analysis Core thermal power (MWt) Operating pressure (MPa) Number of loops Core conditions Equivalent diameter (m) Effective height (m) Average power density (kW/1) Coolant conditions Total flow rate (m3/hr) Hotleg temperature (°C) Coldleg temperature (°C) Steam generator type
Core cooling
Fission products retention
the provisional feedwater connection is installed to supply water in case that the auxiliary feedwater pump is not operable.
1820 15.5 2
2.92 3.66 74.5
44,600 325.0 290.6 U-tube, horizontal
Containment vessel conditions Type Spherical Diameter (m) 52 Safety systems Reactor shutdown
255
(1) Control rods (2) Charging pump (1) Advanced accumulator (2) Gravity driven injection system (3) Steam generator cooling (4) Charging safety injection pump Passive annulus system
associated with this component is not necessarily clear, however, this study will regard it as that belonging to the safety grade. Figure 7 shows the general concept of the system. In this plant, as with the normal conditions, reactor shutdown during the long-term cooling after LOCA is achieved by RHR. Outer CV spray, which connects with the auxiliary feedwater pump to spray water in the condensate storage tank, withdraws the energy released to the atmosphere in the containment vessel to decrease the pressure in the containment vessel. These systems should be considered to be a safety system according to current Japanese Safety Guidelines. And
6. Summary The safety function in PWR are divided into reactor shutdown, core cooling, heat transport to ultimate heat sink, and fission product retention. This study performed an investigation to extract the optimum combination of all concepts of the safety system. The steam generator, which is the largest heat exchanger installed in the primary system of PWR, is adopted as the basic concept for heat transport to ultimate heat sink in the safety system. The horizontal SG with the vent line on the channel head is possible to ensure the natural circulation in the primary system under any circumstances. In this system, the non-condensable gas flowing into the primary system is vented through the vent line lest it should prevent the natural circulation in the primary system. Core cooling functions are divided into that during LOCA and that during NON-LOCA, each of which requires the specific component individually. The gravity driven injection system, which is a passive system, is adopted for core cooling during LOCA. There will be the possibility of the primary system flooding by an erroneous operation of the primary depressurization valve in this system. It is concluded, however, that the combination with SG cooling makes it possible to delete the depressurization valve opened directly to the containment vessel out of the primary piping permitting to minimize the influence to the plant operation by unexpected opening of the depressurization valve. The charging high head safety injection pump and the auxiliary feedwater pump, which are active systems, are adopted for core cooling during NON-LOCA. Since a plant of which the safety system is composed mainly of passive components requires a charging pump to supply cooling water during normal operation, this pump with safety grade is found to be available for core cooling during NON-LOCA. The auxiliary feedwater pump is adopted because it has acquired a high reliability in the conventional plant and seems to be superior to the passive system from the viewpoint of cost reduction. The charging high head safety injection pump, which is adopted for core cooling during NON-LOCA, is also used for reactor shutdown by adopting active systems for NON-LOCA core cooling; flexible operation will be a available against various phenomena during transients. The passive annulus system is adopted for fission product
256
Y. Makihara et aL / PWR Hybrid SateO' System
retention so that the grace period of 3 days may be kept after L O C A . Consequently, in this study, it is concluded that the optimum design for the safety system, which is based on SG cooling, should be achieved by a combination of an active system and a passive system; that is, the active system is applicable to core cooling during N O N - L O C A and reactor shutdown function and the passive system to the other functions.
References [1] M. Aritomi et al., Study of applicability of advanced safety systems and concepts to large size light water reactors, b-11, The 1st JSME/ASME Joint International Conference on Nuclear Engineering, Tokyo, 1991. [2] T. Sugizaki et al., Development of Hybrid Safety System, The 1st JSME/ASME Joint Conference on Nuclear Engineering, November, 1991.