Synthesis of the safety studies carried out on the GFR2400

Nuclear Engineering and Design 253 (2012) 161–182

Contents lists available at SciVerse ScienceDirect

Nuclear Engineering and Design journal homepage: www.elsevier.com/locate/nucengdes

Synthesis of the safety studies carried out on the GFR2400 F. Bertrand a,∗ , C. Bassi a , F. Bentivoglio b , F. Audubert c , C. Guéneau d , G. Rimpault a , C. Journeau e a

CEA, DEN, DER, F-13108, Saint Paul-lez-Durance, France CEA, DEN, DM2S, F-38054, Grenoble, France c CEA, DEN, DEC, F-13108, Saint Paul-lez-Durance, France d CEA, DEN, DPC, F-91191, Gif-sur-yvette, France e CEA, DEN, DTN, F-13108, Saint Paul-lez-Durance, France b

h i g h l i g h t s

g r a p h i c a l

a b s t r a c t

 Insights from accident studies and PSA have consolidated GFR2400 design.  Safety margins are adequate for design basis accidents.  Core cooling strategy is reinforced by use of PCS for frequent events.  Prevention of core degradation is shown in challenging hypothetic situations.  It is shown that most of severe accidents can be managed despite limited test data.

a r t i c l e

i n f o

Article history: Received 12 August 2011 Received in revised form 23 July 2012 Accepted 2 August 2012

a b s t r a c t The present paper is dedicated to the synthesis of the safety studies carried out on the 2400 MWth gas-cooled fast reactor (GFR2400) concept developed at CEA. The analysis of the reference design basis accidents investigated up to now, has shown margins up to the acceptance criteria, equal at least to 300 ◦ C for the category 3 situations and larger than 100 ◦ C for the category 4 situations. The dimensioning of the decay heat removal (DHR) loops and of the power conversion system (PCS) loops has been shown adequate even for bounding degraded situations including multiple failures. Furthermore, in the following part of the paper, it is shown how the main insights provided by a level 1 probabilistic safety assessment (PSA) carried out at an early stage of the design, have led to reinforce the reliability of the DHR function in high pressure conditions by using the PCS as the first mean to cool the core; in the same time, on the basis of a combination of deterministic augments and of PSA results, a design simplification process has led to add a low pressure DHR loop to replace a high pressure DHR loop. The last section is dedicated to prevention and preliminary study of severe accidents (SA). Four SA families have been identified depending on the dynamics and on the scale of the considered accident. The possibility to prevent core degradation by using an adapted accident management (nitrogen injection, use of PCS loops) has been preliminarily shown in several particularly challenging situations (loss of active means, unprotected transients, full depressurization). Finally, preliminary results regarding analytical studies carried out on phenomena involved in GFR2400 core degradation (physico-chemistry and neutron physics) are presented. Then, the application of the separate results aforementioned by considering results of analytical simplified thermalhydraulic calculations and of system calculations (carried out with the CATHARE2 code) have enabled a preliminary assessment of GFR2400 behaviour in case of core degradation. For some

∗ Corresponding author. E-mail address: [email protected] (F. Bertrand). 0029-5493/$ – see front matter © 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.nucengdes.2012.08.002

162

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

cases, such applications permitted to conclude on the problematic/begnin issue of a phenomenon (like air ingress in realistic scenarios) whereas in other cases, those applications have illustrated that more complex calculation tools coupling the various phenomena are necessary (like effects of water ingress for instance) as well as semi-integral experiments reproducing a fuel assembly degradation. © 2012 Elsevier B.V. All rights reserved.

1. Introduction The present paper is dedicated to the synthesis of the safety studies carried out on the 2400 MWth French gas-cooled fast reactor (GFR) developed at a pre-conceptual design stage by the CEA. After a presentation of the GFR as designed at the end of 2007 and taken as the reference in the studies presented here, the safety approach adopted is then briefly presented. The following part of the paper is dedicated to the deterministic study of the design basis accidents (DBA). The results of these studies in addition with a level 1 probabilistic safety assessment (PSA) to support the reactor design enabled an evolution of the decay heat removal strategy; this evolution presented in the paper enabled the reactor architecture to be simplified, providing at the same time the fulfilment of the deterministic decoupling criteria (described in the paper) and reaching a probabilistic target equivalent to that of the third generation reactors. Then, a dedicated approach proposed in order to identify the events/situations able to cause a severe accident is presented and is applied to the GFR2400; the possibility to prevent core degradation in several of the situations identified by using an adapted management of the accident is assessed. Moreover, this part of the paper deals also with the situations able to induce core degradation. Finally, the results of all the studies aforementioned are discussed in order to draw the main noticeable trends in terms of safety assessment of the GFR2400. 2. The CEA concept of a 2400 MWth gas-cooled fast reactor (GFR2400) The GFR represents a promising and attractive fourth generation (GEN IV) concept, combining the benefits of a fast spectrum and of a high temperature (∼850 ◦ C at the core outlet). The GFR concept is clearly innovative compared to other reactor concepts and no demonstrator has ever been built. The project of an industrial GFR has to address key R&D challenges, especially regarding, the fuel technology and core performance and the safety (in particular the decay heat removal (DHR) issue). 2.1. Main features of the reactor The detailed GFR design is presented for instance by Malo et al. (2009), therefore only the features useful to the understanding of this paper are presented here. 2.1.1. Main design options The design options presented here result from a pre-viability design internal CEA report released at the end of 2007 whose main features are available in Malo et al. (2008). The operating point of the three-loops reactor at full nominal power enables to convert the 2400 MWth delivered by the core thanks to a primary flow rate of 1020 kg/s in 1100 MWe, partly by secondary circuit turbomachineries (auxiliary alternators: 3 × 130 MWe) and partly by a steam turbine (main alternator: 1 × 730 MWe) settled in the ternary circuit (Fig. 1). The resulting cycle efficiency is very close to 45%. The secondary circuit is filled with a mixture of helium (to favour the heat exchanges) and nitrogen (to favour the efficiency and the design of the turbomachineries); the ternary circuit is filled with water, vapourised in three steam generators according to a classical

Fig. 1. Nominal operating point of the GFR.

Rankine cycle. The primary system arrangement (Fig. 2) includes the reactor vessel, the three main primary loops (PCS loops) and their heat exchangers (IHX) as well as the DHR loops permitting to cool the core in accidental situations. Actually, there are three loops, so-called, reactor high pressure cooling system (RHP) and a loop for the low pressure situations (RLP). The label “multi-˝” on Fig. 2 means that rotation speed of the DHR loop blowers is adapted to the primary circuit pressure and to the number of blowers under operation. The secondary side of the DHR loops, each one being able to remove 100% of the decay heat after the reactor scram, is filled with water pressurized at 10 bar. These secondary DHR loops are cooled via an exchanger immersed in a pool. Each pool associated to a loop can remove (thanks to its thermal inertia and to water boiling) the residual power during 24 h without being refilled. Moreover, all the previous components are enclosed in a close containment (CC) which keeps the primary inventory in case of loss of coolant accident (LOCA) and whose free volume is equal to 11 600 m3 . The CC is filled with nitrogen at 1 bar under normal operation. This CC is in its turn enclosed in the containment building (CB) whose free volume is assumed to be equal to 60 000 m3 in our reference configuration. Two fuel concepts have been investigated: a plate type and a more classical pin-type. The present paper only deals with the plate type developed earlier than the other one (Fig. 3). The plate type fuel element is an innovative concept based on two ceramic plates which enclose a honeycomb structure containing the fuel cylindrical pellets. The plate consists in a uranium–plutonium carbide, (UPuC) for pellets, composite SiC–SiCf (SiCf: fibered reinforced SiC) for thin plates (clad) and SiC for the honeycomb structure (Fig. 3). It appeared necessary to add a leak-tight barrier to prevent the fission products (FP) diffusion through the clad. The current reference choice for this internal liner is a 50 ␮m layer of W–5Re (alloy of 95% of tungsten and of 5% of rhénium in mass percent). At the hot spot of the core, the clad temperature is equal to 1000 ◦ C and the fuel temperature is about 1380 ◦ C in nominal conditions. The plates are arranged in baskets superposed in hexagonal tubes (TH) permitting to differentiate the flow rate depending on the power factor distribution within the core. The height of the core is of 2.35 m and its diameter is of 3.8 m, thus corresponding to a power density of about 90 MW/m3 distributed over 144 assemblies in the internal core and 102 in the external core featured by a stronger enrichment. The head loss across the core has been minimized at a value of 1.4 bar at the nominal regime in order to favour natural circulation in DHR regime.

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

163

Fig. 2. Arrangement of the primary circuit components.

Table 1 Core main neutronic features.

TRU enrichment (%) Doppler Constant* , ** (pcm) He depressurization* (pcm) Delayed neutron fraction* (pcm)

First cycle

Equilibrium

17.3 −1331/−905 259/282 389/349

18.2 −1283/−837 309/307 355/342

TRU, transuranides: Pu only at first cycle; Pu plus minor actinides at equilibrium (isogenerating operation). * BOL (beginning of life)/EOL (end of life). ** At nominal temperature.

2.1.2. Main options and features dealing with the safety of the GFR The reactivity control is firstly insured by a favourable natural behaviour of the core resulting from the neutronic reaction feedback (Table 1). In particular, the coolant being largely transparent to neutrons: the voiding effect is lower than 1$ without a threshold effect due to a phase change like with liquid coolants. Furthermore, the Doppler coefficient is large for a fast reactor, resulting in a stabilizing effect. The reactor shutdown can be actuated by means of control rod drive mechanisms located at the bottom of the vessel, in the coldest environment. The absorber rods are located above the core. The proposed arrangement takes into account the sodium cooled fast reactor background and it is clearly derived from European fast reactor (EFR): two redundant and diversified shutdown devices. Thanks to this design, the practical elimination of a control rod ejection accident is targeted. The tightness of the first barrier and the keeping of core coolable geometry rely mainly on the fuel element based on refractory materials with high thermal conductivity and high temperature melting point, with the ability to ensure FP confinement up to a fairly high temperature. Considering the power

density of the GFR core and its low thermal inertia (compared to the HTR whose power density is about several MW/m3 ) and that of the coolant as well (compared to the SFR: the thermal inertia of the sodium is between 2 and 3 orders of magnitude (depending on the GFR primary pressure) larger than that of helium), the decay heat removal relies on a gas circulation (natural circulation as far as possible) across the core but not on solutions based on thermal inertia plus conduction/radiation. The DHR operating depends on the accidental situation to face on (Fig. 4). The selected combination of systems takes into account the two main accidental situation families: the pressurized situations (intact primary boundary) and the depressurization situations resulting from a LOCA. In addition, the situation related to a primary pressure reaching around 0.1 MPa, corresponding to a combination of LOCA and a leak of the CC, has been considered. Such an architecture of the DHR system has been assessed with a line of protection approach (Bertrand et al., 2008) and satisfies its requirements, in particular, thanks to the natural convection capability in case of small breaks. It is worth noticing that the DHR based on natural circulation with a heavy gas for small breaks relies on the presence of the CC insuring a back-up pressure ranging between 0.5 and 1 MPa. This CC permits also to dimension DHR blowers with a low power, compatible with an emergency electrical power supply, delivered by Diesel engines.

3. Basic principles of the safety approach retained for the GFR 2400 MWth Beyond a fundamental set of safety objectives defined by IAEA (IAEA, 1999) for all nuclear plants, as fourth generation reactors, the GFR must include specific qualitative objectives aimed to increase public confidence in their safety (IAEA, 2005). Among others, the

Fig. 3. Fuel assembly sketch.

164

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Fig. 4. Sketch of the initial DHR operation (as defined in (Malo, 2008)).

need of minimal emergency protection action of the population around the site is aimed. The general safety objectives can be declined as release targets according to different operating conditions, these conditions resulting from a combination of initiating events categorized according to their estimated frequencies and of a subsequent sequence of events. 3.1. Governing principles The governing principle of the safety approach is grounded on the defense in depth principle (DiD) (Bertrand et al., 2008), the existence of physical barriers, the safety functions aimed at protecting these barriers and the ALARA principle regarding the radiation protection of the facility’s staff. The physical barriers enabling the fission product to be confined are, successively, the metallic liner of the fuel assembly, the primary circuit boundary and finally the containment building (CB). 3.2. Definition of operating conditions The demonstration that the design cope the safety objectives is made by considering (as usual) two kinds of conditions (Fig. 5): the design basis conditions and the design extension conditions (DEC, including complex sequences, limiting events and severe accident/beyond design plant states). The aim of the study of the design basis accidents (DBA) and of the DEC is to show that the sequence of events occurring leads to a final safe state. Internal and external hazards should be analysed in order to reduce as far as possible their occurrence, and to dimension against hazards the systems which are important for safety. The initiating events associated to operating conditions (IEs) have been identified with the Master logic diagram (MLD) approach (Papazoglou and Aneziris, 2003), which selects the IEs by looking at the physical phenomena able to disturb the physics of the reactor concerning each main safety function. On the other hand, in a complementary way, a comparison of the list obtained with the MLD was performed with the pre-existing lists of IEs. This comparison enabled unidentified

additional events to be included or IEs belonging to usual lists but not relevant for the GFR to be excluded from the identified list. 3.3. Safety analysis methodology The adequacy of the provisions retained in the design can be judged using a variety of deterministic and probabilistic methods and this is further discussed in this section. In general terms, the plant is deterministically designed against the identified list of the operating conditions using well-established design criteria to ensure suitable safety margins. A probabilistic assessment has also been performed to verify that there are no vulnerable areas in the design with the potential for high-risk sequences (Bassi et al., 2010). 3.4. Rules for the safety analysis of operating conditions The systematic investigation of normal operating conditions enables the enveloping situations to be retained as an initial unfavourable reactor state to combine with an IE for the selection of the operating situations (i.e. representative bounding operating conditions). The aim of the study of incidents and accidents from the design basis (i.e. from category 2 to 4) is to dimension the systems enabling them to be controlled, and to prevent them from leading to unacceptable consequences for the facility and the surrounding environment. The acceptability of the consequences is assessed with specific acceptance criteria detailed later on. Once the various situations are defined, the transient calculations are usually performed considering conservative assumptions that are presumed to lead to appropriate design margins. However, since the normal operating transients and the various intermediate states of the reactor have not been yet defined, the IEs have been assumed to occur at the full power nominal state of the GFR2400. Similarly, before applying the penalizing value to the “key” physical parameters in the calculation, those parameters are presumed to be identified properly. As far as the GFR2400 is concerned, this systematic identification has only been carried for particular

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

165

Fig. 5. Sketch of the methodology and rules for safety analysis during a reactor design.

transients. As a consequence, the acceptance criteria retained for the fuel and the claddings are presumed to include the main part of these margins as far as the physical integrity of the barriers is concerned. Moreover, as usual in the study of the design basis accidents (DBAs), only the safety systems (shutdown system, DHR systems, etc.) are presumed to be available in order to reach a final controlled state. Furthermore, as far as the analysis of the design basis operating situations is concerned, a single aggravating failure has been taken into account in the transient studies of the operating situations. Finally, the end of the incidental and accidental sequences investigated must correspond to a safe final state, which is either a controlled state or either a safe shutdown state. The study of design extension conditions has been performed considering the realistic following assumptions: the nominal state of the reactor is assumed as the initial state of the accidental sequence; all the systems are available except those postulated as unavailable due to the accident considered; the physical calculations are performed with realistic assumptions (best-estimate calculations plus uncertainties assessment); no additional aggravating failure is considered.

3.6. Interactions between safety assessment and design process The classical methodology and rules used in the deterministic safety analysis described in the previous sub-section are usually used and presented in the safety case. Regarding the GFR2400, the design is not yet consolidated and the reference architecture and dimensioning of the system can be revised on the basis of the results of the safety studies. Moreover, the performance of the safety system has been assessed first with simplified transient calculations and simplified deterministic rules (namely, without modelling the behaviour of the secondary circuit and of the steam generators). By the way, the safety studies carried out by taking into account an adequate set of transients and combination of deterministic and probabilistic criteria led to improvements, simplifications and verification of the reactor design according to the process described on Fig. 6 (IAEA, 2005). The exhaustive purpose of PSA has led to enlarge the limited scope of the transient calculated for the preliminary design of the GFR2400 (Bassi et al., 2010). 4. Design basis accidents analysis

3.5. Probabilistic safety assessment (PSA) as a support of the GFR2400 design PSA enables weak points in the design of the reactor to be identified, due to its broad framework and its exhaustive purpose. As a result, a homogenous safety design should result from a valuable use of PSA results avoiding a family of sequences contributing too greatly to the overall risk number. Finally, the PSA could help to locate the IEs and the resulting sequences in the risk domain for IEs which are questionable and/or difficult to categorize. Valuable results without respect to absolute quantification can be used by differentiating relative results in order to prioritize the design studies and improvements of the reactor. A particular point of interest is also that it contributes to the demonstration that sequences leading to important and/or early releases are practically eliminated. Moreover, regarding severe accidents, it provides a preliminary assessment of the safety improvement resulting from the planned mitigation measures as well to prioritize the R&D efforts.

After a brief presentation of the CATHARE2 modelling used to simulate the accidents of the GFR, the main results of the transient analysis of reference DBAs are reported. Beyond the study of the reference accidents aforementioned, the verification of the dimensioning of the DHR loops, including with natural convection enhanced by a heavy gas injection, and the assessment of the capability of the PCS loops to cool the core are discussed in the second part of this section. 4.1. CATHARE2 modelling of the GFR2400 The CATHARE2 code main features and capabilities are described by Widlund et al. (2005) in the frame of gas-cooled reactor applications. Fig. 7 presents a schematic drawing of the CATHARE2 modelling of the GFR2400. In addition to the circuits represented, a large free volume filled with nitrogen is used to describe the spherical CC. This free volume consists indeed in pipe

166

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

SAFETY OBJECTIVES • General Nuclear Safety Objective • Radiation Protection Objective • Technical Safety Objective

SAFETY GOAL

F C FUNDAMENTAL SAFETY FUNCTIONS • Confinement of radioactive material • Control of reactivity • Removal of the heat from the core

IMPLEMENTATION OF Probabilistic Success Criteria

DEFENCE IN DEPTH • Level • Level • Level • Level • Level

1 (Prevention) 2 (Control) 3 (Accidents Condit.) 4 (Severe Plant Cond ) 5 (Off site - M i t ig a t .)

Deterministic Success Criteria

DEVELOPMENT OF SAFETY REQUIREMENTS

SAFETY REQUIREMENTS

Fig. 6. Representation of the methodology used for the safety design.

geometry (two pipes interconnected) with an equivalent volume and is hydraulically and energetically linked to the primary circuit (Bentivoglio and Messié, 2009). A wall representing the CC can exchange energy with the outside (with a boundary condition) and with the gas inside by convection. The outside boundary condition is represented by a constant temperature and a heat transfer coefficient.

4.2. Specific consideration on LOCAs In case of LOCAs, both the primary barrier (the clads) and the CC due to its pressurization meanwhile the primary boundary is open are challenged. Moreover, a particular thermal loading of the clads is due to a flow inversion in the core for the fast depressurizations. The occurrence of this flow inversion is proposed as a “phenomenon-based” distinction between the small breaks and the large breaks. Another distinction between the small breaks and the large breaks (i.e., between cat. 3 LOCAs and cat. 4 LOCAs) results from the additional system to foresee in order to control the most frequent LOCAs situations (cat. 3) with the same risk level as for the large LOCAs situations that are less likely (Bertrand et al., 2008). According to the transient analysis presented later on, the depressurization transient controlled within the limit of the category 3 acceptance criteria and without any natural core flow inversion corresponds to a break equivalent diameter up to approximately 3 in. (SB-LOCAs) considering the injection of nitrogen from the accumulators enabling the natural convection to be enhanced. Furthermore, due to the specificity of LOCA transient and the dependency of the mass flow rate versus the pressure into the primary circuit, the rotation speed of the DHR blowers is controlled over a pressure range from 4.25 to 70 bar in order to have a

more or less constant flow rate no matter the value of the pressure (Bentivoglio and Messié, 2009). 4.3. Study of the reference design basis accident (DBAs) The preliminary criteria retained for the assessment of the acceptability of the accidental situations are: • category 3 situations (estimated frequency ranging between 10−2 and 10−4 by year): ◦ clad temperature <1450 ◦ C; ◦ upper plenum gas temperature <1250 ◦ C; • category 4 situations, the more limiting criterion being considered among (frequency <10−4 by year): ◦ fuel temperature <2000 ◦ C; ◦ clad temperature <1600 ◦ C; ◦ upper plenum gas temperature <1250 ◦ C; ◦ no degradation of the fluid channel able to prevent the core cooling. • categories 3 and 4: a controlled state must be reached at the end of the sequence. Those criteria deserve to be further refined because they are preliminary but, as far as the fourth category criteria are concerned, they roughly correspond to the cladding tightness (1600 ◦ C), to the preservation of a coolable geometry (2000 ◦ C) and to a margin up to the primary boundary loss of integrity (1250 ◦ C). The PSA, whose main results are presented in Section 5 provided a very helpful way to identify the various aggravating failures to consider because of its exhaustive purpose and its systematic way to consider all the possible failures along an accidental sequence. The single aggravating failures considered were: the failure of a Diesel train (when

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

167

Fig. 7. Schematic drawing of the GFR CATHARE modelling. (a) Cold collector, (b) downcomer, (c) lowerplenum, (d) core, (e) upper plenum, (f) hot-duct, (g) IHX primary side, (h) cold-duct, (i) primary blower, (j) primary isolating valve, (k) IHX secondary side, (l) turbine, (m) GV gas side, (n) compressor, (o) by-pass line, (p) by-pass valve, (q) GV water side, (r) generator, (s) DHR primary loop, (t) DHR blower, (u) DHR isolating valve, (v) DHR primary heat exchanger, (w) DHR secondary loop, (x) DHR secondary heat exchanger, (y) DHR waterpool, (z) nitrogen accumulators.

relevant considering the IE), the failure to start of a DHR blower, the failure to open of the DHR loop isolating valve and the failure of the closing of a main loop (required to operate normally the DHR loops). They correspond to failure of equipments of the primary circuit since the deterministic analysis has been mainly focussed on the specific challenges of the concept that are the LOCA and the LOFA due to the low thermal inertia of the core materials and of the coolant. 4.3.1. Category 3 reference situations These reference situations consist in the loss of off-site power (LOOP) for a duration longer than 2 h, a small break in the primary circuit (SB-LOCA) and a small break in one out of three IHX. 4.3.1.1. Illustration of the GFR transient behaviour in case of SB-LOCA. The bounding equivalent diameter of the category 3 SB-LOCA (see Section 4.2) combined to the more adverse aggravating failure (failure of the opening of a DHR loop) leads to a margin up to the category 3 criterion regarding the maximum cladding temperature of about 250 ◦ C and the temperature of the gas in the upper plenum does almost not experience any overheating (Fig. 8). 4.3.1.2. Summary of the results for situations of third category. The results of the bounding transients (for high pressure and depressurized situations) calculated with the reference design of the end of 2007 are summarized in the Table 2. It exhibits a large temperature margin up to the acceptance criteria.

Table 2 Summary of the overheating resulting from the third category situations. Situation

Maximum clad temperature

Maximum upper plenum gas temperature

LOOP with one DHR loop failing to open (pressurized) 3 in. break with one DHR loop failing to open (depressurized)

1005 ◦ C

922 ◦ C

1180 ◦ C

886 ◦ C

4.3.2. Category 4 reference situations Only few bounding situations have been considered here, resulting from primary breaks. Other situations are still to address but will have less influence on the dimensioning of the DHR loops. 4.3.2.1. Illustration of the GFR transient behaviour in case of LB-LOCA. The equivalent breach diameter is 10 in. and corresponds to the largest pipe connected to the primary circuit (i.e. pipe of the helium supply service system (HSS); the same approach for the choice of the break size investigated has been used in the GT-MHR project for instance (Gorelov et al., 1997)) plus a margin in order to provide a conservative equivalent diameter.1 The reactor scram is actuated

1 The total rupture of the cold-duct (equivalent diameter of 55 in.) is not considered in the dimensioning of the safety system (with the rules applied within the design basis domain) thanks to a rupture exclusion approach relying, among other, on the leak before break concept, on substantial provisions taken into account in

168

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182 Core flow rate

Lowerplenum, Upperplenum and maximum clad temperatures

60

1400 TLOWERP T06Z12

40

Flow rate (kg/s)

Temperature (°C)

50

TUPPERP

1200 1000 800 600 400

30 20 10 0

200

0

200 400 600 800 1000 1200 1400 1600 1800 2000

-10

0

0

200

400

600

800 1000 1200 1400 1600 1800 2000 Time (s)

-20

Time (s)

Fig. 8. 3 in. SB-LOCA, thermal transient and core flow rate evolution.

necessary verification of this margin by considering conservative assumptions on physical key parameters of the transient (cf. 4.7).

Core temperature (z=4.05m) 1400

1400 Fuel Clad Helium Core mass flow rate

1000

1200 1000

800

800

600

600

400

400

200

200

0

Mass flow rate (kg/s)

Temperature (°C)

1200

0 0

10

20

30

-200

40

50

60 -200

Time (s)

Fig. 9. 10 in. LB-LOCA, thermal transient and core flow rate evolution.

approximately 1 s after the occurrence of the break because the CC pressure exceeds its protection threshold. The blow-down phase lasts 60 s, leading to an equilibrium pressure between the primary circuit and the close containment equal to 8.8 bar. Between 20 and 50 s, the core mass flow rate is negative, leading to a quick increase of the temperatures at the inlet of the fissile region of the core and to a quick decrease of the temperatures at the outlet of the fissile region (about 50 ◦ C/s at the maximum cooling rate (Fig. 9)). At 46 s, the DHR blowers start, enabling the core to be cooled with a flow rate larger than 30 kg/s. Considering the failure of the opening of the valve of a DHR loop, this transient leads to a maximum clad temperature equal to 1470 ◦ C and to a maximum upper plenum temperature equal to 1160 ◦ C. This bounding case enables a margin up to the acceptance criteria of category 4 exceeding 100 ◦ C regarding both the clad temperature and the gas temperature in the upper plenum. However, the cooling experienced by the claddings added to a pressure gradient inversion (the inwards pressurization before the LOCA becomes an outwards pressurization due to the FP gas presence) requires further assessments in order to add, if relevant, an acceptance criterion associated to this fast thermomechanical loading. 4.3.2.2. Summary of the results for situations of fourth category. The margin between the temperature calculated and the acceptance criteria presented in Table 3 and indicates an appropriate margin up to the 4th category acceptance criteria despite a

the design process of the cross-duct and on the detailed inspection during the plant lifetime. However, according to the DiD principle and considering the very low estimated frequency of such a large rupture, the behaviour of the reactor in case of rupture of the cold has been investigated (Bertrand et al., 2009) with the design extension rules of analysis (without conservatism and without aggravating failure) in order to check that such a transient would not lead to core degradation (clad temperature does not exceed 1600 ◦ C i.e. 4th category criterion).

4.4. Assessment of the dimensioning of the DHR loops (RHP system) The safety analysis and its related accident studies performed up to now cover only several situations expected in the classical deterministic safety analysis as presented in the previous sub-sections because only the bounding situations in terms of consequences have been investigated as the stage of the pre-viability demonstration. Nevertheless, in order to further assess the appropriate sizing of the DHR loops (RHP system only, up to now), several extreme situations have been additionally calculated in two typical cases: one when the integrity of the primary circuit is kept (pressurized situations) and the other with a break in the primary circuit leading to a partial loss of pressure. For these two situations, the cooling capability of the DHR loops has been assessed in forced convection but also in natural convection. Therefore, situations that are very unlikely have been considered as design extension conditions. By the way, the results of these calculations permit to assess the robustness of the DHR system for scenarios of the PSA into which all the situations (including multiple failures) must be represented and not only those taking into account a single failure as in the deterministic approach.

4.4.1. Pressurized situations The calculation of the bounding case resulting from the operation of only one DHR loop blower combined with a core by-pass by considering a normal loop remained open led to fulfil the category 4 criteria with a quite comfortable margin. The calculated maximum clad temperature is equal to 1150 ◦ C and the maximum upper plenum temperature is equal to 915 ◦ C. The bounding case resulting from a black-out IE with only one DHR loop available in natural convection combined with a main loop remaining open permits to have a substantial margin (around 350 ◦ C) up to the category 4 criterion on the clad. This result shows that the driven height foreseen in the two RHP loops designed to operate in natural convection is adequate.

Table 3 Summary of the overheating resulting from the reference fourth category situations. Situation

Maximum clad temperature

Maximum upper plenum temperature

10 in. break with a DHR loop failing to open 10 in. break in the IHX

1470 ◦ C

1160 ◦ C

1070 ◦ C

918 ◦ C

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

4.5. Increase of the capability of the natural convection cooling of the DHR loops at a low pressure The lessons learnt from the PSA carried out to support the GFR design (Bassi et al., 2008) and the objective targeted of a progressive safety architecture have led to require more reliable and more numerous safety systems to control frequent IEs compared to rare IEs (see Section 5). As a result, regarding the low pressure situations, the reactor must be better protected against the small breaks than against the large breaks due to the difference of their likelihood. The strategy retained to reinforce and to diversify the means to remove the decay heat consists in a compensation of the primary loss of inventory by injecting a gas in the primary circuit. The objective targeted is to compensate small breaks in order to allow a core cooling in natural convection in case of unavailability of the active means (e.g. DHR blower’s failure to start) or in case of their failure under operation. The acceptance criteria are those of 4th category even if the IE considered belongs to the category 3 because the higher frequency of such a situation resulting from multiple failures (failure of the forced convection on three loops) would not exceed that of the category 4 (PSA insights). As a result, the chemical degradation of the clad by the possible nitriding process is not a concern since the reactor is not a priori foreseen to restart after such an accident as usual for 4th category situations. In this subsection the capability of the DHR loops in case of loss of helium inventory situations are investigated, firstly without the injection of a heavy gas in the primary circuit and then with the help of a heavy gas injection. Nitrogen injection and Argon injection have been compared one to each other. 4.5.1. Natural convection capability with a helium flow The helium injection/draining by the HSS has been roughly modelled according to the following considerations: the gas inventory corresponds to a tank volume permitting to store the primary helium inventory in order to reach a primary pressure of about 5 bar at shutdown operating conditions (for refuelling); the injection and

8,00E+06 Primary_pressure

7,00E+06

Accumulator_pressure

6,00E+06

Pressure (Bar)

4.4.2. Depressurized situations The situations discussed here enabled the dimensioning of the DHR blowers to be checked. Among these situations, the leak towards the CC (low pressure) must be distinguished from those resulting from leaks towards the secondary circuit that is, resulting from breaks in the IHX (intermediate pressure). A 10 in. LOCA with only one DHR loop operating leads to a maximum upper plenum temperature (1220 ◦ C) and a maximum clad temperature (1560 ◦ C) insuring a narrow margin up to the category 4 criteria. The large IHX LOCA is enveloped by this one that consists in the most adverse case except the by-pass situations that would induce an overheating above 1600 ◦ C considering the current design. More precisely, a DHR blower is not sized to withstand a by-pass situation in case of fast depressurization transients, because even with two loops operating adequately, the category 4 criteria is exceeded. However, the severe accident prevention (expressed by “keeping of a coolable geometry”) should be fulfilled because the temperature excursion over 1600 ◦ C lasts only 15 min with a temperature peak around 1800 ◦ C. The dimensioning of the driven height of the DHR loops (natural convection regime) enables the core to be cooled within the limit of the 4th category criteria as far as the intermediate pressure situations are concerned: the bounding case resulting from a 10 in. break indicates that the driven height of a DHR loop is large enough to limit the overheating at 1470 ◦ C in a natural convection regime. However, in low pressure situations (i.e. for a primary pressure lower than 15 bar), except after a time period of about 5 days (Bassi et al., 2008) the driven height of the two DHR loops designed to operate in natural convection are not able to cool the core satisfactorily. Thus this issue is addressed in Section 4.5 below.

169

Close_containment_pressure

5,00E+06

Accumulator opening (free injection)

4,00E+06 HSS opening (regulated injection) 3,00E+06

Accumulator opening (slaved injection)

2,00E+06 1,00E+06 0,00E+00 0

10000

20000

30000

40000

50000

60000

70000

80000

Time (s) Fig. 10. Pressure transient resulting from a 1 in. LOCA combined with the failure of the blowers (helium injection strategy).

draining flow rates have been deduced from a linear extrapolation of the GT-MHR data (Gorelov et al., 1997). The resulting parameters of the HSS are: a helium inventory available of approximately 6500 kg, a maximum surge flow rate of 15 kg/s and a maximum draining flow rate of 4 kg/s. The CATHARE2 modelling of the HSS just consists in a source or a sink of mass and its associated enthalpy. The gas injection is performed in the lower plenum. The HSS is designed to compensate the leak after a very small break LOCA of second category without triggering an emergency shutdown of the reactor; when Pprim < 68 bar and when the reactor is not shutdown, a regulated helium injection is triggered; after the scram, due to the LOCA detection, the HSS is closed, letting the pressure decrease up to a pressure permitting to maintain the cooling in case of failure of the active means at which it is open again; this pressure has been assessed by means of parametric calculations presented later on. Moreover, the HSS injection/draining is regulated by means of a proportional integral derivative (PID) regulation in order to maintain the primary pressure equal to its opening pressure. Once the HSS has been drained, four gas accumulators2 are opened together at a pressure permitting to maintain a natural convection flow rate able to cool the core within the limit of the 4th category criteria. The HSS surge and the accumulator opening are slaved in order to inject just enough gas to compensate the leak by cooling the core in the same time. A typical transient following this operating mode is presented on Fig. 10 in case of a 1 in. LOCA combined with a total failure of the DHR active means at scram. The natural convection through two DHR loops only (RHP loops) is taken into account, as retained in the reference design of the reactor at the end of 2007. Considering the operating pattern of the HSS and of the accumulators described above, the HSS injection begins around 3000 s after IE and lasts approximately 8400 s at a flow rate equal to 0.8 kg/s (Fig. 10). During this injection, the pressure stays at the triggering value of the HSS that is 20 bar thanks to the PID regulation. When the HSS is empty, the accumulator’s injection begins at 16 bar, and occurs free, up to 32 500 s, that is when the maximum pressure chosen for the close containment is reached (15 bar in the current example). After this time, the accumulator injection is pursued only when the pressure does not exceed 15 bar. As a first step, the accumulator injection is operated in “all or nothing” and should better smooth in order to avoid thermal cycling on the core and primary boundary materials. The thermal transient (Fig. 11) resulting from this primary inventory management permits to fulfil the decoupling criteria of

2 Each accumulator contains 540 m3 of helium at an initial pressure of 75 bar and an initial temperature of about 50 ◦ C.

170

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182 20

1700

18

Tupper_plenum

Downcomer_Flowrate Break_Flowrate

Tmax_cladding

HSS_Flowrate

Temperature (°C)

Flow rate (kg/s)

16

1500

14 12 10 8 6 4

1300

1100

900

700

2 0

500 0

10000

20000

30000

40000

50000

60000

70000

Times (s)

80000

0

10000

20000

30000

40000

50000

60000

70000

80000

Time (s)

Fig. 11. Flow rate in downcomer, HSS and break and temperature transient resulting from a 1 in. LOCA combined with the failure of the blowers (helium injection strategy).

fourth category with a margin wider than 100 ◦ C, despite temperature escalations resulting from the switching from one operating mode of cooling to the other one. Considering the sizing of the DHR loops, the equilibrium back-up pressure of 15 bar permits to cool adequately the fuel after 9 h with a helium natural convection flow (Figs. 10 and 11). Beyond this illustrative case, the capability of the provisions and systems described before have been tested in a systematic way by means of approximately 100 parametrical CATHARE2 calculations with the variation of the following parameters: ◦ break equivalent diameter equal to ¾, 1 and 1.25 in.; ◦ HSS opening pressure after scram, ranging between 15 and 23 bar; ◦ HSS helium inventory equal to 6500 kg or 8000 kg; ◦ opening pressure of the four accumulators, ranging between 12 and 16 bar; ◦ maximum pressure in the close containment, ranging between 12 and 15 bar. The preliminary assessments performed on the natural convection capability with helium have shown that, considering the current sizing of the DHR loops, as well as the maximum pressure tolerated in the close containment (about 15 bar), the natural convection operating of the DHR loops permits to maintain the cladding temperature below 1600 ◦ C for breaks of diameter up to approximately 1 in. Such a behaviour is obtained by compensating the helium leak induced by the LOCA by means of the HSS (triggered at 20 bar) and of four gas accumulators (triggered at 16 bar). Finally considering the necessity of four accumulators and of a back-up pressure about 15 bar in order to manage the end of the depressurization phase for breaks whose diameter is limited to 1 in., a heavy gas injection is investigated hereafter. 4.5.2. Natural convection capability in case of a heavy gas injection Argon and nitrogen have been shown to cool efficiently the core in case of failure of the forced convection (Bertrand et al., 2009) and (Epiney et al., 2010). Further details regarding the physical reasons for this better cooling capability are available in the previous references and therefore, only the transient behaviour in case of nitrogen injection is illustrated here (Fig. 12). Considering the bounding SBLOCA (diameter of 3 in.), the opening pressure of the accumulators has been optimized in order to inject the gas as late as possible in order to keep the accumulator inventory as long as possible but early enough not to induce unacceptable overheating. As a result, the optimal opening pressure is about 14 bar (Fig. 12) and permits

to fulfil the third category criteria with only three accumulators discharged that is with a lower equilibrium pressure in the CC at the end of the transient. Calculations have also been performed assuming argon injection, but a larger overheating was obtained with argon because of its lower heat capacity except if the mole number injected is increased (thus increasing the dimensioning pressure of the CC); on the other hand, the low temperature experienced in nitrogen atmosphere would result in a kinetic blockage of the nitriding process that would enable to not jeopardize the coolable geometry of the core. 4.6. Assessment of the capability of the PCS loops to remove the decay heat As presented later on in Section 5, one of the major insight of the PSA (first version, see Bassi et al., 2008) carried out to orientate the design of the GFR was to foresee a diversification of the DHR means. Therefore, the solution proposed is the use of the PCS loops whose dimensioning assessment and cooperation with DHR loops is presented in the present sub-section. In the frame of the last version of the PSA (Bassi et al., 2010), the decay heat removal can be operated firstly using the ternary circuit. More precisely, if available and supplied with water, the steam generator permits to transfer the heat from the secondary circuit towards a steam condenser cooled by the ultimate cold source by by-passing the steam turbine (Fig. 13). These ternary circuit components are assumed, by the time, almost similar to the secondary PWR components. The auxiliary feed water system (AFW) is not supplied by means of Diesel engine, therefore in case of electrical grid loss, the secondary circuit must be reconfigured in order to orientate the secondary flow towards the air cooling system (labelled ILC on Fig. 13), plugged on the secondary circuit, that can be operated with the emergency electrical supply. It is worth noticing that by means of a turbine by-pass line and a compressor by-pass line,3 the secondary loops are assumed to operate in natural convection flow. CATHARE2 calculations have been performed in order to validate that assumption (Bassi et al., 2010). On the primary side, the rotation of main circulators is insured by auxiliary motors (so-called pony motors) in order to keep the primary flow rate at a value permitting to remove the decay heat from the core (about 10% of the nominal flow rate

3 These by-pass lines are assumed to be passively open when the pressure loss/increase across the turbine and the compressor becomes low, that is when the turbine is about to be stopped.

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Pressure history in the accumulators, the guard vessel and the primary circuit

171

Cladding and upper plenum temperature, core flow rate 300

1600 8,00E+06

T_max_cladding

1400

P_accumulator

1200

P_close_containmen

1000

T_upper_plenum

7,00E+06

T(°C)

Pressure (Pa)

6,00E+06 5,00E+06 4,00E+06

200 150

800 600

3,00E+06

250

Q_downcomer

100

Flow rate (kg/s)

P_lower_plenum

400

2,00E+06

50

200

1,00E+06

0 0

0,00E+00 0

0 2000 4000 6000 8000 100001200014000160001800020000 Time (s)

2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Time (s)

Fig. 12. Primary/close containment vessel pressure, cladding, upper plenum temperature, core flow rate (3 in. LOCA), for nitrogen accumulator’s opening pressure of 14 bar.

Fig. 13. Sketch of various DHR means.

1400

100

Tgaz_core_inlet

Power_steam_gener Power_IHX Residual_power

90 80

1200

Tmax_fuel

1000

Temperature (°C)

70

Power (MW)

Tgaz_core_outlet

60 50 40 30

Tgas_steam_generator_outl 800

600

400

20 200 10 0

0 0

2000

4000

6000

8000

10000 12000 14000 16000 18000 20000

Time (s)

0

5000

10000

15000

Time (s)

Fig. 14. Power balance and temperature transient during a loss of flow accident controlled with one steam generator.

20000

172

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Table 4 Impact of main uncertain parameters on a large LOCA transient (10 in.) including the bounding aggravating failure (one DHR loop fails to open). Parameters

Modification

Tmax (◦ C)

Initial power Core thermal exchanges Primary blower speed Primary blower inertia Shutdown delay DHR water side temperature DHR loops opening delay DHR blower speed Thermal resistance of fuel/clad gap Fuel element radial conductivity Primary loops closing delay

5% −10% −5% −10% 5s 5% 5s 5% 5% −10% Threshold on flow rate decreased from 5% Nb Tubes −10% −5% −5% Helium density +15% Doppler −7.5% 10%

1258 1289 1235 1227 1198 1198 1203 1225 1201 1202 1197

DHR exchanger fouling Thermal inertia of fuel element Pool water inventory Neutronic feed-back Core pressure drop

1198 1196 1196 1195 1196

is delivered). The initiating event assumed in order to check the dimensioning consists in the shutdown of the three main primary blowers. The power balance between the residual power and the power exchanged at the steam generator and at the IHX (Fig. 14), that takes into account the power stored and unstored in the heat exchanger walls, shows as an illustration, that only one steam generator permits to remove the decay heat beyond 6000 s, and therefore permits to cool the whole system (Fig. 14). The use of the additional mean for removing the decay heat from the core will be included in the up-to-date DHR strategy resulting from the safety analysis (in particular from the PSA). The corresponding DHR system architecture results from deterministic considerations and from PSA insights (see Section 6). 4.7. Elements on the justification of the exhaustiveness and of the conservatism of the accident studies As noticed before, the LOCAs induce the largest overheating within the core. Since only LOCAs located on the cold-duct of main loop had been investigated on the reference concept of 2007 (Malo et al., 2008), additional studies have been performed by using the reference design of 2008 that let more margin when facing transients (mainly due to the increase of the nominal rotational speed of the PCS blowers, other differences except a new pin-type core design not investigated here being of the second order for our purpose). A dedicated CATHARE2 modelling of the primary circuit with three independent loops for the PCS system and three independent loops for the DHR system has been performed instead of a model with only two loops for each system (one weighting 1 and the other weighting 2) in order to model the breaks on the DHR loops. Basically, the downcomer flow rate remains the same wherever the break is because once the depressurization phase is over, the primary pressure is balanced with the CC pressure and the flow rate delivered by the DHR loop broken remains nominal. This behaviour comforts the results presented before for breaks located on the main loops since the system behaves more or less the same no matter the break location. Still using the design of 2008, sensitivity studies have been carried out and enabled the uncertain parameters to be identified in order to provide a conservative calculation (Table 4). Only the parameters inducing a significant overheating have been kept in the calculation. The overheating calculated by cumulating all these uncertain parameters in a pessimistic way (bounding values have been determined on the basis of expert judgment (Bassi and Marques, 2008)) leads to a maximum cladding temperature of about 1340 ◦ C instead of about 1200 ◦ C for

Fig. 15. Illustration of risk reduction process from PSA insights.

the best-estimate case. Finally, the lower values of the overheating additionally calculated with the design and the input deck of 2008 are mainly due to the larger speed of the primary blowers, thus indicating that there are still design margins in order to cope with core materials limit. 5. Level 1 probabilistic safety assessment (PSA) carried out to support the GFR2400 design PSA results are increasingly used in the safety case, even at early stages of the design process, in combination with the deterministic approach in the frame of the so-called “risk-informed” methodology. As part of the design of 4th generation reactors, the integration of safety in the early phases of the concept is foreseen and the CEA has performed a level 1 PSA (named PSA later on for simplification purpose) to support the design of the 2400 MWth GFR at its preliminary design stage (Devictor et al., 2005) of 2007 as well as in a more advanced design stage achieved in 2009 (Bertrand et al., 2011a) taking into account several improvements drawn from the safety studies already performed. The PSA elaboration and technical details are presented by Bassi et al. (2010) in a dedicated paper. Thus, in the present paper, only the main insights drawn by the PSA and the resulting design improvement are underlined. 5.1. PSA insights on the initial design The IEs and their occurrence frequencies, considered in the first version of the PSA (Bassi et al., 2008) are consistent with those investigated in the deterministic approach presented before; an inadvertent reactor trip which is a category 2 IE has also been studied. When support calculations of the sequences were not performed, the final state leading to core damage was considered to be the loss of a main safety function. The various sources of uncertainties were taken into account in order to quantify the reliability of natural convection, the risk of the possible inability to design or to manufacture innovative components and the risk for a component to not fulfil its mission due to not well calculated physical phenomena (Bassi et al., 2010). In the light of the minimal cutset (MC) analysis, several design evolutions indicated and whose benefits have been assessed have been retained (Fig. 15). The CDF reduction obtained thanks to these improvements in close to 40. Moreover, the first lessons emerging for the design and for the demonstration of safety robustness are that DHR systems for pressurized situations should be made more robust. However, some kinds of dependencies for ensuring the mission success of the DHR system still exist, demonstrated by the contribution of

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

173

Fig. 16. Sketch of the DHR operation (DHR#1 in blue on Fig. 13, DHR#2 in green on Fig. 13, DHR#3 (dedicated means in CC) on Fig. 13). (For interpretation of the references to color in this figure legend, the reader is referred to the web version of the article.)

common cause failures (CCFs) for primary to secondary DHR circuits exchangers and loop isolating valves. This dependency is increased due to the dual convection scheme through these dedicated loops (i.e. valves and exchangers are common for the forced and natural convection modes). Some elementary (i.e. technological) and/or integrated (i.e. strategy improvement) solutions could be implemented: respectively increased diversification for valves and exchangers, and/or by incorporating the possibility of using the normal loops in the first place in the DHR strategy. This last option has been retained in order to not multiply the pipes plugged on the vessel and in order to lower the risk induced by flow path changes from a normal loop cooling operation to a dedicated DHR loop cooling operation. As a result, a new DHR strategy has been proposed for the so-called advanced design (Fig. 16). 5.2. PSA insights on the advanced design The use of the power conversion system (Fig. 16) to remove the residual power exhibits a reduction of CDF larger than a factor 1000 compared to the initial DHR strategy despite the consideration of all IEs in the PSA scope instead IEs affecting only the primary circuit in the first model. The PSA model permitted to study the possibility to simplify the RHP system (Fig. 2) and to replace the turbine driven blower by a motorized blower. The reduction of the technological uncertainty resulting from the innovative feature of the turbine driven blower compensates the increase of the CDF (Bassi et al., 2010) due to CCFs by adding another motorized RLP loop (Fig. 17). Finally, the gain is about 2% on the overall CDF. On the contrary, the suppression of a loop (the dual loop) on the RHP system has been assessed to induce an increase of the CDF of about 26%; this increase appeared acceptable considering the overall risk level and the simplification of the primary circuit. The interest to have a dual operating loop able to perform natural and forced convection does only reduce the risk of about 2%. Finally, the overall CDF is of the

same order of magnitude of that targeted for generation III reactors; more precisely, the mean reference value of the CDF is around 1.5 10–6/(y.r) including a well-balanced risk contribution of various IE families (Bassi et al., 2010) with the heaviest one being the SBLOCAs reaching 22% of the whole risk. 6. Design improvements achieved thanks to safety studies At the initial stage, a single loop operating in forced convection or thanks to a gas driven turbine was foreseen in case of failure of the CC. Only one loop being available in the RLP DHR system (Fig. 2), both for the powered forced convection as well as for the turbine driven blower, there was no redundancy in this system. Especially in case of failure to open this loop in case of failure of the CC, no system would remain available to cool the core. Therefore, a second loop has been added in the RLP that fulfils the single failure criterion knowing that, as soon as the depressurization is over, the flow rate in the loop would be equal to its nominal flow rate according to first transient calculations. Furthermore, considering the flow rate delivered by a broken DHR loop of the RHP system and the PSA insights regarding the risk evolution in case of removing of a RHP loop combined to the aforementioned statements regarding the RLP system, an improved design has been proposed (Fig. 17). 7. Prevention and preliminary study of severe accidents The first part of this section deals with the approach proposed and applied to identify and classify the possible initiators/situations leading to a severe accident (SA), that is to core degradation. In the following part of the section, the SA prevention capabilities of the GFR2400 in case of some particular beyond design challenging situations are assessed and finally some preliminary studies of the consequences of core degradation are provided.

174

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Fig. 17. Design evolution obtained thanks to the safety analysis.

7.1. Identification and classification of initiators/situations inducing a severe accidents The severe plant conditions resulting from a SA could result from the presence of a possibly large source term of fission products (FP) that must be contained in the reactor building in order to avoid a large release. The various IEs/situations have been distinguished depending on: the integrity of the safety barriers, the “scale” of the phenomena induced by the accidents, the dynamics of the accident and the resulting phenomena, the linearity of the phenomena and the possible associated threshold effects. 15 situations have been roughly identified (see Bertrand et al., 2009 for further details) and can be classified in four families: – Fast dynamics scenarios (t ∼ less than 100 s) with possible loss of the first two barriers: - a fast and spatially coherent mechanical breaking of the claddings (cold thermal shock); - a fast power insertion (possibly due to water ingress); - the generalized core compaction or the local collapse of an assembly (ITB); - a sudden breaking of the reactor vessel. These situations should be prevented by design as far as possible because the grace period permitting the triggering of dedicated systems is very short. – Mean dynamics scenarios with partially degraded core (t ∼ from 100 to several hundreds of seconds). This scenario family deals mainly with the unprotected loss of “primary” cooling (ULOCA and ULOFA). The possibility to control the accidents of this family without having a SA is examined in Section 7.2. – Low dynamics scenarios (t ∼ from one to several hours). This family of scenarios consists mainly in the accidents associated to the loss of “secondary” cooling (no more heat is removed by the six IHX/DHX and/or loss of the ultimate cold source), the primary circuit being not affected and the shutdown having succeeded. The core degradation resulting from the accidents of this family would be driven by the kinetics of chemical interactions between materials of the core during the early phase of the accident. For this type of accident, an ultimate system for the decay heat removal should be foreseen (as a core catcher permitting to keep the sub-criticality when the core loses its geometry) as well as for the pressure control in the close containment. – Chemical reactions with external mass addition (t ∼ several hours): this last family consists in accidents inducing either air ingress, water ingress (without risk of criticality) or nitrogen ingress. CO and H2 are respectively generated by the air oxidation

and the steam oxidation of SiC. Thus, specific provisions must be foreseen in order to avoid the formation of flammable or explosible mixtures of these gases with air. The combustion of such mixtures could threat the integrity of the CC and of the CB. The capacity of core degradation prevention as well as the study of the consequences of core degradation presented in the rest of the chapter deals with several of the various situations aforementioned. 7.2. Prevention of core degradation in case of particular challenging situations for the GFR2400 The situations investigated in this part are specific of the GFR design and deals with the loss of all active means, a LOCA combined with the failure of the CC, the total rupture of a cross-duct and unprotected LOFAs and LOCAs. These transients are investigated independently of their likelihood in order to assess the core degradation prevention capability of the GFR. 7.2.1. Loss of all active means This situation corresponds to a so-called black-out. Thus, the core cooling relies only on natural convection to deliver a flow rate in the core and on the thermal inertia of the DHR pools to provide a cold source. The duration of the event considered is not here considered longer than several days, time duration after which, the pool should be externally fed. In case of pressurized transient, the natural convection regime is very efficient since each dedicated RHP loop can remove the decay heat. In case of LOCA combined with a black-out, as already explained in Section 4.5.1, the opening of nitrogen accumulators would enhance the natural convection capabilities and the core overheating would not exceed 1800 ◦ C for the larger break retained for DBAs, this temperature being reached only for several minutes (Bertrand et al., 2009). It even stays below 1600 ◦ C with the more recent design of the blowers (design of 2008) insuring a larger flow rate during the depressurization than in the aforementioned reference. This more favourable design permits to get rid of the excessive overheating that could be induced on the structures (this point has only been checked with a preliminary criterion for DBAs but is still to assess in more details for BDBAs thanks to a more accurate modelling in terms of structure inertia in particular). 7.2.2. LOCA combined with the failure of the CC No matter the detailed studies performed at CEA in order to dimension the CC in order to withstand the local effects that are possible due to the impingement of a helium jet on its wall, the

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

175

like the shift of the operating point on the performance map of the blowers due to the density change and the reduction of the head losses. Finally, due to a long term sufficient mass flow rate, the core is well cooled in this reference case. Even though the reference case should correspond to the most realistic modelling of a doubleended guillotine break (DEGB) of the cross-duct, several sensitivity studies have been performed in order to assess the impact of the uncertainties on the DEGB modelling with CATHARE2. The modelling variations have an influence on the nitrogen mass fraction in the primary circuit that directly defines the flow rate across the core (Table 5). As an improvement, a control of the accident by injecting nitrogen by means of accumulators can be foreseen in order to maximize the flow rate crossing the core. Finally, it can be concluded that if a limited overheating was confirmed in case of a quasi-instantaneous depressurization (for numerical stability the preliminary calculation presented here deals with a progressive opening of the break), the DEGB of a cross-duct could be managed by design, possibly by a nitrogen injection if the gas of the CC was not enough entrained in the primary circuit.

7.2.3. Total rupture of a cross-duct The specificity of this accident is the possible by-pass of the core by the CC once the depressurization is over since both the cold-duct and the hot-duct are assumed fully broken and separated. Among the various possible CATHARE2 modellings tested in order to represent the flow pattern, the reference one allows the flow path change thanks to six valves configurations (Fig. 18). During the blow-down phase the valves on the hot-duct and on the cold-duct are closed and the other valves are open, by this way putting in relation the cross-duct with the CC. As a result, the primary circuit is drained by the four openings of the primary circuit. After this initial phase of the transient, about 130 kg/s out of the 200 kg/s delivered by the DHR loops by-passes the core by the CC path flow. Such a large flow rate results from a large proportion of nitrogen in the primary inventory once the break is open. If all the primary inventory was filled with nitrogen, the ratio of the gas density (around 7) would lead to a flow rate of about 210 kg/s, this value being roughly equal to seven times the nominal flow rate of helium in case of DHR operation (about 30 kg/s). The proportion of nitrogen in the CC is actually 81% in the reference case, confirming the flow rate enhancement due to the nitrogen presence in the close containment; additional factors also lead to a flow rate increase

7.2.4. Unprotected loss of primary cooling These accidents correspond to LOFAs and LOCAs combined with the failure of the shutdown system of the reactor. The sequence of unprotected LOFA (ULOFA) results from all the primary blowers’ coast down followed by the stabilization of the flow rate at its back-up value delivered by pony-motors (cf. 4.6). The net reactivity being negative (dominated by the Doppler effect) during the major part of the transient, the core power is stabilized at a value near 500 MW. The maximum fuel temperature reaches 1700 ◦ C at the maximum, before reaching a value slightly below in the long term equilibrium. This value is largely below the allowed fuel temperature. The maximum cladding temperature slightly exceeds 1600 ◦ C but should be stabilized around this value for the long term transient. The overheating is very limited and quite acceptable versus severe accidents prevention. The heating in the upper plenum is above the decoupling criteria retained (1250 ◦ C) and thermomechanical calculations should be performed in order to demonstrate the resistance of the reactor vessel in the presence of the foreseen thermal protections. The prevention capability has been assessed for very unlikely situations resulting from a bounding small break LOCA (SB-LOCA) combined with the failure of the reactor scram (Bertrand et al., 2011b). Among the various strategies investigated in order to control this 3 in. unprotected LOCA (ULOCA) and to keep the operating parameters5 of the reactor within a realistic range, the minimization of the core overheating has been studied in order to fulfil the following criteria enabling the geometry of the core to be kept coolable: a long term cladding temperature remaining below 1850 ◦ C (eutectic cladding/liner) and a short term cladding temperature remaining below 2000 ◦ C (Bertrand et al., 2011b). The enhancement of the core cooling is obtained by: increasing the rotation speed of the main blowers of 20% once the break occurs, opening four accumulators (instead of three in the reference case) and increasing the power removed by the SG. This increase has been simulating by increasing the SG feed water and by reducing the SG outlet pressure from 150 to 100 bar. As soon as the power transferred by the turbomachineries (TM) to the alternators exceeds 14% of its nominal value, it is disconnected and the TMs keep its nominal speed thanks to a regulated opening of their by-pass lines (Figs. 13 and 19). As detailed in Bertrand et al. (2011b), the neutronic feedback induced by N2 injection has been taken into account because it has a drastic effect on the core power. The overheating of the fuel and of the cladding are respectively limited to 2000 and

4 Actually, as indicated on Fig. 4, the RLP system should be designed to cool the core in such a situation but it not yet dimensioned.

5 Flow rates in the primary circuit, turbomachinery speed, flow rate of steam generator (SG) feed water and quality of the steam.

Fig. 18. Flow path configurations in nominal and accidental situations for the CATHARE2 modelling of the total rupture of the cross-duct.

capability of the RHP loops to cool the core4 in an out-of-design regime has been assessed in details and has been already presented in a previous paper (Bertrand et al., 2009). The main finding is the necessity to inject nitrogen in the primary circuit thanks to accumulators as already shown earlier. This injection during the blow-down phase when the CC pressure reaches 5 bar permits to cool efficiently the core even in the case of a 10 in LOCA combined with a 10 in. break in the CC with one RHP blower under operation. This result is affected by uncertainties due to a possible surge phenomena induce by a regime with two blowers operating. The sizing of the RLP system would better take into this constraint. In the situation with nitrogen injection, the clad temperature does not exceed its nominal value and the final CB is about 3 bar assuming that it remains tight (Bertrand et al., 2009).

176

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Table 5 Sensitivity of the DEGB calculation to the modelling. Break and CC modelling

Core flow rate (kg/s)

Peak of clad temperature (◦ C)

0% 65%

5–10 20–40

>2000 1800

81%

40–55

1310

100%

60–120

1100

N2 mass fraction in primary circuit

Link between cold-duct and CC (no by-pass by CC) Link between cold-duct and CC and between hot-duct and CC, 0-D CC Link between cold-duct and CC and between hot-duct and CC, 1-D CC: (reference case) Reference case plus nitrogen injection

4,00E+09

2000

3 Core_power

4000

SG_power

3,50E+09

1800

Secondary_alternator_power

Accumulator opening

3500 3,00E+09

1600

Turbine_normalized_flow_rate

3000

Compress_normalized_flow_rate

1400

2

2500

1200 1000

2000

Accumulator opening

800

Power (W)

2,50E+09

Q (kg/s)

T (°C)

2,5

TM_normalized_speed

2,00E+09

1,5

By-pass valve opening

1,50E+09

1500

600

Tfuel_max

1000

Tclad_max

400

Tupper_plenum

200

500

1 1,00E+09

Alternator disconnection

5,00E+08

0,5

Q_donwcomer

0 0

1000

2000

3000

4000

5000

6000

0 7000

Time (s)

0,00E+00 0

1000

2000

3000

4000

5000

6000

0 7000

Time (s)

Fig. 19. Transient behaviour of the GFR in case of 3 in. unprotected SB-LOCA (enhancement of cooling by increasing the speed of the primary blowers and SG operating adaptation).

1800 ◦ C in the hottest zone of the core (Fig. 19). Moreover, during the first hour, the 4th category criteria are not exceeded (upper plenum temperature <1250 ◦ C and cladding temperature <1600 ◦ C). However, this accident management with the relief of four accumulators would imply a reinforced dimensioning of the CC or its external cooling to lower its internal pressure, because it reaches 15 bar during a short period of the transient. As a conclusion, such a transient could be controlled in order to provide a comfortable grace delay available to actuate the reactor shutdown. However, the results presented before should be considered only as preliminary results that would be to confirm with a more refined modelling of the secondary and ternary loops of the GFR. The assessment of the material interactions taking place in the fuel assembly mentioned in Section 7.3 enabled the grace delay to be further assessed by considering the thermal evolution of Fig. 19.

7.3. Preliminary assessment of core degradation The R&D elements and preliminary studies presented in this part can be divided into two categories dealing respectively with the phenomena occurring in a coolable geometry (fluid channel are kept in the fuel assemblies) and the phenomena occurring when the coolable geometry is lost locally or at the core scale. Despite each phenomenon can be considered through the various scenarios able to induce a severe accident mentioned before, for concision and presentation purpose the common phenomenon are gathered here in two classes and only several illustrations on accident scenarios are presented. More presentations of scenarios studies (among the broader insights provided by internal CEA studies) are available in

(Bertrand et al., 2009) and (Bertrand et al., 2011b) fully devoted to beyond design accidents. 7.3.1. Core material interactions in coolable geometry 7.3.1.1. Analytical test insights. The material arrangement within the fuel assembly (Fig. 20) has been retained in order to decouple the mechanical integrity of the cladding insured by the composite SiCf/SiC whereas its tightness is insured by the metallic liner consisting in an alloy (W–5%Re) retained thanks to interaction test results. On the fuel side, the analytical tests did not exhibit any interaction between uranium carbide (UC) samples and the liner samples if the temperature does not exceed 2000 ◦ C (Berche et al., 2009). Thermodynamic equilibrium calculations performed with the “Thermocalc” software (Anderson et al., 2002) have predicted liquid formation for the same system at 2020 ◦ C, this value being consistent with the tests. On the cladding side, tests carried at a temperature ranging between 1000 and 1600 ◦ C have shown (Roger et al., 2008) that within this temperature domain, the material

Fig. 20. Sketch of fuel/liner/cladding arrangement.

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

interaction occurs at the solid state and enabled kinetics law to be determined (cf. 7.3.1.3). 7.3.1.2. Thermodynamic calculation insights. According to the calculations (Berche et al., 2009), the heating of the UPuC fuel would induce a liquid phase formation around 2200 ◦ C and the fuel would be fully liquid around 2400 ◦ C (liquidus temperature). Moreover, thermodynamic calculations simulating the equilibrium of the system U0.8Pu0.2C1.04/W–5Re indicate the formation of a liquid phase at 1880 ◦ C (Fig. 21). The system liner/cladding is stable up to 1845 ◦ C (Fig. 21), temperature at which a liquid phase appears. When the temperature of the system increases, the amount of solid SiC almost remains constant and the amount of liquid does not increase very much up to 2400 ◦ C (temperature bounding the calculation). Nevertheless, without tests representative of this whole system (fuel/liner/cladding) it is difficult to say beyond which temperature the direct interaction between the cladding and the fuel takes place. Such an interaction could also result from the loss of the core geometry mixing all the core materials. This interaction produces a liquid phase at 1600 ◦ C, that is at a lower temperature than the interactions occurring at both sides of the liner (Fig. 21). 7.3.1.3. Kinetics aspects, illustration on the bounding unprotected SBLOCA. The calculation of the material interactions is performed in this part for the 3 in. SB-ULOCA considering the thermal evolution calculated with CATHARE2 in the upper part of the core. The temperature calculated in the transient is used as an input parameter of the interaction models that provide the thickness of liner consumed on the fuel side as well as on the cladding side. The kinetics laws governing the material interactions versus temperature that are deduced from analytical tests are provided in Bertrand et al. (2011b). As a result, these calculations enable the grace delay available to keep the core geometry to be calculated (Fig. 22). In the hottest radial region of the core (central channels in the CATHARE2 modelling), the liner liquefaction at its interface with the fuel is reached after approximately 1.5 h at the hot spot whereas approximately 1/3 of the liner thickness is consumed by the interaction without any liquefaction in the outer radial region of the core. On the cladding side, at 7500 s the totality of the liner has been consumed at the hot spot of the core only by the liner/cladding interaction occurring in solid phase. Beyond the degradation of its mechanical properties due to the growth of the interaction zone, it would be interesting to assess its ability to remain tight and to keep the initial core geometry despite the absence of liquefaction before the total consumption of the liner. Finally, by considering the degradation of the liner from both sides, it has been fully consumed after 2 h when it is not liquefied before in its inner face. As a conclusion, the strategy proposed to control the bounding unprotected SB-LOCA enables to shutdown the reactor within a time period ranging from 1.5 to 2 h after the accident without any loss of a coolable geometry of the core. 7.3.2. Core material oxidation and nitriding in coolable geometry The analytical aspects drawn on oxidation by air and by steam and nitriding are first presented. Then an illustration of the use of the chemical behaviour of the clad materials in case of accident scenarios of the last category defined in Section 7.1 is provided. 7.3.2.1. Oxidation. Considering the filling of the CC with nitrogen, the oxidation by air is not the more likely event able to occur but it was historically investigated at CEA because the SiC cladding was derived from the VHTR concept whose a reference accident is the air ingress. The experimental studies and thermodynamic calculations have shown two oxidation features (Eck et al., 2008):

177

- a passive oxidation with the formation of a protective SiO2 layer at a low temperature and a high oxygen partial pressure resulting from the chemical reaction: SiC(s) + 3/2O2 (g) → SiO2 (s) + CO(g)

(1)

- an active oxidation with the formation of an unstable SiO layer at a high temperature and a low oxygen partial pressure resulting from the reaction: SiC(s) + O2 (g) → SiO(g) + CO(g)

(2)

For a temperature larger than 1600 ◦ C, the oxidation regime is essentially active and induces damages to the claddings. The transition temperature between the two oxidation regimes presented before can be deduced from thermodynamic calculation and can be written (Eck et al., 2008): Ttransition =

43292 lognep (5.1013/PO2 )

(3)

Ttransition is expressed in K, and PO2 the oxygen partial pressure is expressed in Pa. The SiC oxidation by steam is governed by a linear kinetics and its reaction rate is largely higher (factor 50) than that observed in case of passive oxidation by air. A kinetics law is proposed by Robinson and Smialek (1999) and has been applied to a specific scenario of the GFR despite an application domain different from its validation one corresponding to higher temperature than the GFR case. The transient calculated resulting from water ingress in a cold depressurized state, the cladding thickness oxidised in the GFR calculation does not exceed 1 ␮m but this exploratory result should be confirmed in more degraded cooling conditions (possible higher oxidation rate governed by the combination of the steam flow rate and of the reaction kinetics) if relevant in the frame of the not yet very well studied water ingress scenarios. 7.3.2.2. Nitriding. Thermodynamical calculations performed at CEA have shown that in case of nitrogen ingress or injection in the primary circuit, the claddings can react with nitrogen according to the reaction: 3SiC + 2N2 → Si3 N4 + 3C

(4)

Fortunately, the calculations also indicated that this reaction can take place only if the cladding temperature is below a transition temperature ranging between 1200 ◦ C (at a low nitrogen partial pressure) and 1600 ◦ C (at a higher nitrogen pressure). According to a literature survey carried out at CEA, the nitriding kinetics should be relatively low, especially when the reactor conditions correspond to a good cooling for which a “kinetics blockage” of the nitriding would occur. However, the data available are rare and results are not representative from the GFR. Therefore, experimental tests representative from the GFR accidental scenarios would be valuable because only one test result is available that indicates, nevertheless, that the nitriding should not be a threat for the core integrity. 7.3.2.3. Illustration of the cladding behaviour in case of external side chemical reactions. The sensitivity study of the 10–10 in. LOCA (10–10 in. means the respective size of the break in the primary circuit and of the break in the CC) case with a 30 000 m3 CB, and only one RHP loop consists in the bounding case in terms of overheating and in terms of oxygen partial pressure. The refilling of the pools cooling the DHR loops is triggered around 70 000 s and favours an overcooling of the primary circuit associated to air ingress in the core (Fig. 23) from the CC and from the CB. This result has to be considered no matter the overheating of the cladding, because only the oxidation potential is assessed here (Bertrand et al., 2009). The active oxidation regime is only reached

178

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Molar fraction of phases Fig. 21. Molar fraction of compounds formed in case of interactions within the fuel assembly as a function of the temperature.

Hottest radial region of the core

Hottest radial region of the core 50

20 height Z=Hfiss/2

18

45

height Z=(7/12)*Hfiss

40

height Z=(8/12)*Hfiss

16

35

height Z=(10/12)*Hfiss

Thickness (µm)

Thickness (µm)

height Z=3Hfiss/4

14

height Z=(11/12)*Hfiss

12

height Z=Hfiss

10 8 6

30 25

height Z=Hfiss/2 height Z=(7/12)*Hfiss

20

height Z=(8/12)*Hfiss height Z=3Hfiss/4

15

height Z=(10/12)*Hfiss

4

10

2

5

height Z=(11/12)*Hfiss height Z=Hfiss

0

0 4210

0

10200

16300

22300

28300

34300

40400

0

4210

10200

16300

22300

28300

34300

40400

Time (s)

Time (s)

Liner/cladding interaction

Fuel/liner interaction Fig. 22. Thickness of liner consumed versus time in case of a bounding. SB-ULOCA in the hottest region of the core (horizontal plateau means the reach of liquefaction).

before 13 000 s (equation (3)) when the oxygen amount available for oxidation is very low (Fig. 23). In air ingress scenarios, the high temperature phase is not synchronized with a significant air amount in the core because the air ingress in the primary circuit

2200

700 Tmax_Clad

2000

600

T_transition

1800 Passive oxidation

PO2

1600

500

400

1200 1000

300

800 200

600 400

Active oxidation

200

100

0

P (Pa)

T (°C)

1400

can only occur in “cold” conditions with a not detrimental passive oxidation and a low kinetics. So, it can be retained that, on the basis of realistic scenarios, the air ingress would not have a detrimental influence on the core degradation. Regarding the scenarios able to induce nitriding, two cases have to be distinguished: accidental nitrogen ingress and a wilful injection enabling a better cooling of the core already mentioned in previous sections. The accidental ingress can result from a classical LOCA or from a break in an intermediate heat exchanger (the secondary loops include a fraction of nitrogen). In both cases, once the pressure is balanced between the primary circuit and the other side of the break, nitrogen will enter the primary circuit and will cross the core, in particular as soon as the core cooling induces a decrease of the primary pressure. Regarding the primary break, simplified analytical calculations using CATHARE2 results (providing the clad temperature and the N2 flow rate crossing the core) and assuming an infinite kinetics above 500 ◦ C6 and no reaction under 500 ◦ C

0

0

10000

20000

30000

40000

50000

60000

70000

80000

Time (s)

Fig. 23. Bounding scenario calculated for the air ingress assessment.

6 This assumption states that the limiting factor of nitriding is only the N2 flow rate.

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

(kinetics blockage) indicate that the clad thickness consumed by nitriding would not exceed 4% of its initial value. Considering the IHX break, the simplified very conservative assumptions aforementioned lead to a nitriding of about 40% of the SiC inventory incorporated in the claddings for a long transient in degraded cooling conditions (one RHP loop only). This very high value results from both the higher gas flow rate crossing the core (primary pressure around 20 bar instead of around 8 for a LOCA) and from the higher partial pressure of N2 in the flow. Thus, more detailed calculations (with a severe accident code possibly adapted from the PWR ones) are required by coupling the reaction kinetics, the thermodynamic possibility of nitriding, the core flow rate and the temperature distribution within the core. Of course, this requirement would be only to consider if analytical tests showed that a significant nitriding would take place in prototypical conditions. The wilful nitrogen injection situations could possibly lead to a large nitriding in the medium temperature range, where nitriding is governed by chemical kinetics, as soon as the cooling does not permit to maintain the clad temperature under 1000 ◦ C; the coupled calculation mentioned before would be necessary to reinforce the choice of nitrogen as a heavy gas enhancing the cooling (argon could be an alternative despite its poorer thermophysical properties). Finally, rough calculations performed by entering CATHARE2 results in a steam oxidation law have not put in evidence any oxidation concern in the transient considered caused by a break on a RHP loop. This result should be confirmed for other scenarios leading to water ingress that fortunately are not a priori associated to degraded cooling conditions that would enhance the oxidation kinetics.

Fig. 24. Vapour pressure of the core materials versus temperature (PC stands for carbon pressure, PU for uranium pressure, PC1SI1 for silicon carbide pressure, . . . and PTOT for the total pressure).

Neutronic protections Helium Voiding

7.3.3. Preliminary assessment of the consequences of accidents associated to a loss of core geometry This paragraph deals with the generic static studies carried out in order to assess the material phase formed in case of core degradation as well as the neutronic consequences of material relocation within the core. However, the trends drawn by these studies should be considered with care because the degradation process of a fuel assembly has not yet been experimentally investigated7 and thus remains largely unknown. Then, the assessment of core degradation initiated by a local loss of cooling (ITB) is presented as well as the preliminary very rough assessment of the consequences of generalized core degradation. 7.3.3.1. Phases and chemical compounds formed as a function of the temperature. Thermodynamic equilibrium calculations performed with the Thermocalc software (Anderson et al., 2002) by considering a homogeneous mixture of the atomic composition of a fuel assembly have shown that a liquid phase would appear around 1600 ◦ C (right side of Fig. 21). When the temperature exceeds 2200 ◦ C, the only phases that exist at the equilibrium are solid SiC plus a liquid phase including a lot of fissile materials. At the end of the material relocation process, the cladding materials would be segregated from the liquid phase due to buoyancy forces. This material redistribution process has an influence on the reactivity of the core (see next sub-section). Moreover, the vapour pressure of the Si resulting from the decomposition of the SiC is the main contributor of the total vapour pressure (Fig. 24) corresponding to the boiling of the core materials at a high temperature (this pressure exceeds 1 bar above 3000 ◦ C and reaches 100 bar around 5000 ◦ C). 7.3.3.2. Neutronic effects resulting from core materials relocation. ERANOS (Ruggieri et al., 2006) calculations have been performed in order to assess the reactivity insertion in case of axial collapse

179

Cladding materials (SiC)

FUEL

Fuel

Fig. 25. Illustration of the spatial distribution of the relocated materials (segregated configuration).

of fuel assemblies within the core. In order to take into account the lack of knowledge regarding the material relocation process, various assumptions have been retained in order to treat the possible configurations in the region of the collapsed assembly. Debris and pool geometries have been treated in the case of segregated phase’s configuration (Fig. 25 and Table 6) and in the case of a homogeneous phase (Table 6). If the material relocation generated a stratified pool, the melting of seven assemblies could induce a power excursion (reactivity insertion larger than 1$ able to lead to prompt criticality (Table 6)) but it would not induce a power excursion up to 19 assemblies collapsed in case of a homogeneous mixture. The effects would be lower for debris bed configuration Table 6 Reactivity effect of the instantaneous collapse of 1 and 7 fuel assemblies. Number of assemblies collapsed

∆ρ ($)

1

7

-0.03

-0.16

Numberof assemblies collapsed

∆ρ ($)

1

7

0,1

>1

7

As seen in Section 7.3.1, only separate effect tests have been performed up to now.

Homogeneous fuel/clad mixture

Segregated fuel/clad mixture

180

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

(assuming a porosity of 60%) because the final height of the collapsed material is higher and so the reduction of the radial neutron leaks is less important. The pin-type core is more favourable in terms of reactivity increase during its collapse for the same reason because it is flatter than the plate type (1.8 high instead of 2.35). As a consequence, by assuming 10% of the Pu vapourised during the heating experienced in the accident, the collapse of the whole core (pin-type) would not induce a power excursion at the beginning of the accident that is before the phase segregation due to gravity. 7.3.3.3. Preliminary illustration on representative scenarios. Instantaneous total blockage of an assembly (ITB) has been investigated as the bounding case of a local loss of cooling. It would lead to the full melting of the blocked assembly after approximately 40 s with an adiabatic assumption (Bertrand et al., 2009). The time to melt seven assemblies would be about 100 s after the occurrence of the accident. It corresponds to the minimum time able to cause a power excursion, because at the beginning of the transient, the material distribution should be homogeneous and after the fuel melting a segregation process would appear, leading the system towards a net reactivity insertion close to 1$ (Table 6). As a conclusion, it is worth noticing that the delay to shutdown the core in case of ITB before to induce a power excursion and before to induce an uncontrollable propagation is about several tenths of seconds, delay relatively comfortable for a fast reactor. Let us now consider a large core degradation supposed to be spatially coherent no matter the initiating event, thus leading to a large axial compaction of the core materials due to their relocation triggering a power excursion. This accident could be a LB-ULOCA since the pressure preceding the power excursion has been supposed to be around 5 bar in order to favour the core material boiling. Assuming a very rough modelling of the power evolution thanks to a single neutron group, the power evolution following a postulated reactivity insertion (insert ) around 2$ has been considered. By various simplifications of the Nordheim equation (Bussac and Reuss, 1985) and by neglecting the neutrons emitted by disintegrations due to their long time constant compared to the prompt neutrons, the power evolution versus time P(t) in case of high and sudden reactivity insertion can be approximated by8 :



P(t) = P0 exp

−ˇ t 



(5)

where P0 is the core power before the reactivity insertion (assumed here to be the nominal power),  the reactivity, ˇ the delayed neutrons fraction and the generation time of neutrons equal to 6 × 10−7 s. The only neutron feedback limiting the power excursion is conservatively assumed to be the Doppler effect because in case of fast and large reactivity increase, the fuel would melt at lower temperature than the cladding and would be dispersed only after cladding decomposition. As a result, the evolution of the reactivity during a time interval during which the mean temperature of the core increases from T up to T + dT can be expressed:  = insert − KD ln

 T + dT  T

(6)

with KD the Doppler constant of the GFR core equal to 895 pcm. By combining the power evolution assumed in equations (5) and (6) and the simplified 0-D thermalhydraulic simplified model presented in Bertrand et al. (2011b) as well as by representing the Si vapour pressure evolution by a law fitting the results of Fig. 24 by:

 B

Psat (T ) = A × exp −

8

T

(7)

“exp” stands for the exponential function and “ln” stands for Neperian logarithm.

where Psat is the Si vapour pressure, T the temperature and A and B two constants provided in Bertrand et al. (2011b), the power and pressure evolution in the reactor vessel during this generalized core collapse can be assessed (Fig. 26). The approximated pressure peak does not exceed the nominal pressure of the vessel according to our approximate calculation. The effect of the coupling between the pressure and the temperature loadings of the vessel before the pressure escalation would be interesting to assess in order to conclude on the capability of the vessel to withstand the pressure peak consequently to its prior overheating before the power excursion. The possible detrimental dynamics loadings should also be investigated in a next step approach. 7.4. Other issues regarding prevention and consequences of severe accidents The aim of the present paper being to present a synthesis of various safety studies carried out on the GFR developed at CEA, only illustrations of accident studies and useful physical phenomena supporting these accidents studies have been presented in the previous part of the paper. Other studies or a more detailed analysis of elements provided before are available in more specific papers and they are mentioned as references of this one. Nevertheless, other issues playing in important role in the severe accident approach have not been reported in any paper but it is worth mentioning briefly the main results obtained up to now in these fields not presented in detail in this paper. The studies of possible reactivity insertions have indicated on the basis of neutronic calculations performed with the ERANOS code and transient calculations: - considering that a control rod assembly (CRA) ejection should be practically eliminated by design9 the unprotected transient overpower investigated (UTOP) due to progressive withdrawal of a CRA would not lead to a core degradation before a time ranging from 15 to 30 mn; - in transient situations, the largest reactivity insertion due to the coolant depressurization (voiding effect) would not lead to a net reactivity exceeding 0.5 times the delayed neutron fraction (1$); - the bounding radial compaction of the core that would lead to the full closure of the gap separating the hexagonal can (large and total radial core compaction) would lead to a reactivity insertion of about 1$ but the core geometry should be possible to optimize in order to make impossible a prompt critical situation resulting from such a compaction should it occur; - the assessment of reactivity insertion in the core versus the water and steam proportion into the core have indicated that as soon as no liquid water enters the core the shutdown system of the reactor should avoid a power excursion. Regarding the post-accidental cooling of the core materials and the possibility to foresee an ultimate liquid to cool the core in very degraded situation the work was not really engaged up to now. Finally, simplified very conservative calculations have shown that the CO produced by an air oxidation of all the SiC of the core would not lead to an atmosphere able to cause a fast deflagration in the CC as well as in the CB. The same extreme assumptions applied to water ingress scenarios (steam available by the full draining of the secondary side of a DHR loop) producing both CO and H2 have not permitted to conclude in terms of acceptability of consequences and it would necessary to perform calculation

9 The rods are driven from the bottom of the vessel and a stop will be foreseen to stop their move in their safe position.

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

181

25

1,00E+06

20

1,00E+04

P (bar)

P(t) / P0

1,00E+05

1,00E+03

15

10

Boiling onset

1,00E+02 5

1,00E+01

SiC decomposition plateau 1,00E+00

0

0

0,01

0,02

0,03

0,04

0,05

0

0,01

Time (s)

0,02

0,03

0,04

0,05

Time (s)

Fig. 26. Core relative power (left side) and primary pressure evolution (right side).

coupling the thermalhydraulic conditions in the core and outside the vessel with a steam oxidation model. 8. Conclusion and prospects The analysis of the reference DBAs (including the most adverse aggravating failure) has shown margins up to the acceptance criteria, equal at least to 300 ◦ C for the category 3 situations and larger than 100 ◦ C for the category 4 situations. The dimensioning of the DHR loops and of the PCS loops have been assessed versus bounding degraded situations. As soon as the primary circuit keeps its integrity, only one DHR loop can cool the core in forced or natural convection with a margin of about 300 ◦ C up to the category 4 acceptance criteria. In depressurized and medium pressure situations, a single DHR blower is sized to cool the core with a more limited margin up to the category 4 acceptance criteria. Nitrogen injection in the primary circuit enhances the natural convection capability and performance; parametric calculations have indicated that this injection permits to fulfil the category 4 criteria in case of combination of a SB-LOCA (up to 3 in.) with the immediate loss of all the DHR blowers. Moreover, each PCS loop can remove the decay heat, either thanks to the steam generator of the loop, or either by means of a specific dedicated loop plugged on the secondary circuit and cooled with air. The main lessons learnt from the preliminary risk-informed analysis carried out at this early stage of the design has led to reinforce the redundancy in the signal elaboration able to actuate the safety systems and to prevent the wrong flow path configurations. Moreover, the lack of progressiveness of the initial safety architecture required improvements in order that the GFR be more “protected” from frequent events than from hypothetic events. The answer provided to this issue has led to retain provisions in order to remove the residual heat thanks to the PCS loops and to take benefit of nitrogen injection in the primary circuit in order to be able to control the SB-LOCA in a natural convection regime. Moreover, the extended PSA analysis carried out on the advanced stage of the design of the GFR2400 and on its evolved DHR strategy, permitted to confirm the design options retained but also allowed to simplify some sub-systems when possible and to reinforce some others when necessary. Transient calculations have been carried out in order to assess the possibility to prevent severe accidents in case of very degraded situations particularly challenging for the GFR2400: a LOCA combined with the loss of all active systems or of the back-up pressure, ATWSs (unprotected LOFA and unprotected SB-LOCA in particular) and the total rupture of the cross-duct. In some of these preliminary calculations, the cooling is achieved thanks to the DHR loops used out of their design domain and/or thanks to the PCS loops, the cooling being enhanced by nitrogen ingress or willful injection in the primary circuit. In all these situations except the SB-ULOCA (see later on), the

core geometry would not be degraded. According to the relatively realistic scenarios assumed, air ingress in the primary circuit would not induce core degradation, because of a cold thermal behaviour at the period of the air ingress in the core (passive oxidation at low kinetics). The nitriding issue is still to investigate in order to confirm that nitrogen can be used to supply and improve the cooling for BDBAs. Regarding the preliminary assessment of core degradation, analytical tests and thermodynamic calculations have shown that the fuel assembly liquefaction would occur when the temperature exceeds: 2200 ◦ C for the fuel, 1880 ◦ C for the internal face of the liner and 1850 ◦ C for its external face. Considering the kinetics of material interactions affecting the liner for an unprotected SBLOCA, it would be consumed in about 1.5 h at the hot spot of the core; this delay allows a comfortable time to scram the core. The time necessary to detect a bounding local loss of cooling (instantaneous total blockage of a sub-assembly) and to scram the reactor before obtaining a power excursion is at least of about 100 s. Moreover, if a large reactivity of about 2$ was suddenly inserted in the core caused by a hypothetic large scale material relocation (after an uncontrolled unprotected LOCA for instance), a pressurization of the vessel would occur but the pressure would remain lower than the nominal pressure of the primary circuit. This last preliminary assessment is aimed at filling the lack of a dedicated severe accident code for the GFR but should be further refined. Finally, preliminary insights on whole core degradation scenarios and on water ingress scenarios (chemical and neutronic aspects) had not still permitted to demonstrate the ability to control some situations that should be investigated in a next step with a severe accident calculation code. It would be necessary to develop and to introduce in this code, dedicated models elaborated thanks to analytical tests and which, should be validated by means degradation tests on fuel assembly samples. The FP release and the post-accidental cooling by means of a core catcher or of a reflooding fluid are still to investigate because up to now efforts have been mainly devoted to assessments of core degradation prevention capability and to the understanding of separated phenomena involved in severe accidents.

Acknowledgements The authors would like to thank the Nuclear Support and Innovation Division of CEA, AREVA and EDF which support this work as well as the RAGAZ project manager and all the engineers that contributed to the GFR design and safety.

References Anderson, J.O., Helander, T., Höglund, L., Shi, P.F., Sundman, B., 2002. Thermo-Calc and DICTRA, computational tools for materials science. Calphad 26, 273–312.

182

F. Bertrand et al. / Nuclear Engineering and Design 253 (2012) 161–182

Bassi, C., Azria, P., Saignes, P., Balmain, M., 2008. Application of PSA in support to the design of CEA 2400 MWth gas-cooled fast reactor. In: PSA08, Knoxville, TN, USA. Bassi, C., Marques, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. In: Science and Technology of Nuclear Installations. Special Issue “Natural Circulation in Nuclear Reactor Systems”, vol. 2008. Bassi, C., Azria, P., Balmain, M., 2010. Level 1 probabilistic safety assessment to support the design of the CEA 2400 MWth gas-cooled fast reactor. Nucl. Eng. Des. 240 (11), 3758–3780. Bentivoglio, F., Messié, A., 2009. CATHARE simulation of transients for the 2400 MW gas fast reactor concept. In: ICAPP 2009, Tokyo, Japan. Berche, A., Rado, C., Rapaud, O., Guéneau, C., Rogez, J., 2009. Thermodynamic study of the U-Si system. J. Nucl. Mater. 389 (1), 101–107. Bertrand, F., Bassi, C., Bentivoglio, F., Messié, A., Tosello, A., Malo, J.Y., 2008. Preliminary safety analysis of the 2400 MW gas-cooled fast reactor. In: ICAPP 2008, Anaheim, CA, USA. Bertrand, F., Bentivoglio, F., Rimpault, G., Audubert, F., Journeau, C., Seiler, J.M., 2009. Preliminary transient analysis and approach of hypothetical scenarios for prevention and understanding of severe accidents of the 2400 MWth gas-cooled fast reactor. In: NURETH-13, Kanazawa City, Japan. Bertrand, F., Bassi, C., Bentivoglio, F., Messié, A., Azria, P., Balmain, M., 2011a. Riskinformed analysis as a support to the preliminary design of the CEA GFR2400. In: OECD/AEN/NEA Workshop on PSA for New and Advanced Reactors, Paris, France. Bertrand, F., Gatin, V., Bentivoglio, F., Gueneau, C., 2011b. Prevention and investigations of core degradation in case of beyond design accidents of the 2400 MWth gas-cooled fast reactor. In: NURETH-14, Toronto, Canada. Bussac, J., Reuss, P., 1985. Traité de neutronique. collection enseignement des sciences, Editions Hermann. Devictor, N., Saignes, P., Mathieu, B., Bassi, A., Bertrand, F., 2005. CEA program of work to carry out a level 1 PSA on the gas-cooled fast reactor. In: PSA05, San Francisco, CA, USA. Eck, J., Balat-Pichelin, M., Charpentier, L., Bêche, E., Audubert, F., 2008. Behavior of SiC at high temperature under helium with low oxygen partial pressure. J. Eur. Ceram. Soc. 28, 2995–3004. Epiney, A., Mikityuk, K., Chawla, R., 2010. Heavy-gas injection in the Generation IV gas-cooled fast reactor for improved decay heat removal under depressurized conditions. Nucl. Eng. Des. 240 (10), 3115–3125. Gorelov, I.N., Kiryushin, A.I., Kodochigov, N.G., Kuzavkov, N.G., Sukharev, Y.P., 1997. The gas turbine-modular helium reactor (GT-MHR) for electricity generation and plutonium consumption. In: Atomic Energy. Springer, New York, p. 83 (6). IAEA INSAG-12, 1999. Basic Safety Principle for Nuclear Power Plants. 75-INSAG-3 Rev. 1. IAEA Safety Report Series No. 46, 2005. Assessment of Defence in Depth for Nuclear Power Plants. Malo, J.Y., Alpy, N., Bertrand, F., Cadiou, T., Chauvin, N., Dumaz, P., Haubensack, D., Geffraye, G., Jonquères, N., Lorenzo, D., Morin, F., Nicolas, L., Ravenet, A., Richard, P., Studer, E., 2008. GFR, end of the pre-viability phase, design options selected. In: ICAPP 2008, Anaheim, CA, USA. Malo, J.Y., Alpy, N., Bentivoglio, F., Bertrand, F., Cachon, L., Geffraye, G., Haubensack, D., Messié, A., Morin, F., Peneliau, Y., Pra, F., Plancq, D., Richard, P., 2009. Gas cooled fast reactor 2400 MWth, status on the conceptual design studies and preliminary safety analysis. In: ICAPP 2009, Tokyo, Japan. Papazoglou, I.A., Aneziris, O.N., 2003. Master logic diagram: method for hazard and initiating event identification in process plants. J. Hazard. Mater. 97, 11–30. Robinson, R.C., Smialek, J.L., 1999. Recession caused by SiO2 scale volatility under combustion conditions, experimental results and empirical model. J. Am. Ceram. Soc. 82, 1817–1825.

Roger, J., Audubert, F., Le Petitcorps, Y., 2008. Thermal reaction of SiC films with tungsten and tungsten-rhenium alloys. J. Mater. Sci. 43, 3938–3945. Ruggieri, J.M., Tommasi, J., Lebrat, J.F., 2006. ERANOS 2. 1: international code system for GEN IV fast reactor. In: ICAPP 2006, Reno, NE, USA. Widlund, O., Geffraye, G., Bentivoglio, F., Messié, A., Ruby, A., Saez, M., Tauveron, N., Bassi, C., 2005. Overview of gas cooled reactor applications with CATHARE. In: NURETH-11, Avignon, France.

Glossary AFW: auxiliary feed water system ALARA: as low as reasonably achievable CB: containment building CC: close containment CCF: common cause failure CDF: core damage frequency CEA: Commissariat à l’énergie atomique CRA: control rod assembly (B)DBA: (beyond) design basis accident DEC: design extension conditions DEGB: double-ended guillotine break DHR: decay heat removal DHX: decay heat removal heat exchanger DiD: defense in depth EFR: European fast reactor FP: fission product GFR(2400): gas cooled fast reactor (2400 MWth) GT-MHR: gas turbine modular high temperature reactor HSS: helium supply service system HT: hexagonal tubes (V)HTR: (very) high temperature reactor IE: initiating event IHX: intermediate heat exchanger ILC: intermediate loop cooling ITB: instantaneous blockage of an assembly LB-LOCA: large break loss of coolant accident (U)LOCA: (unprotected) loss of coolant accident (U)LOFA: (unprotected) loss of flow accident LOOP: loss of off-site power MC: minimal cut-set MLD: Master logic diagram MWe: electrical megawatts MWth: thermal megawatts PCS: power conversion system PID: proportional integral derivative PSA: probabilistic safety assessment RHP: reactor high pressure cooling system RLP: reactor low pressure cooling system SA: severe accident SB-LOCA: small break loss of coolant accident SFR: sodium fast reactor SG: steam generator TM: Turbomachinery UC: uranium carbide (U)TOP: (unprotected) transient overpower