Fault tree analysis is a useful categorization tool with which the interrela­tionships between reactor components, their failures, and the reactor safety features can be defined. It provides a means for ensuring that safety analysis is all-inclusive, and it provides eventual potential for quantifying accident probabilities.

1.6.1 Definitions

A fault tree is a sequence of events which leads from one or more faults to the causes of those faults.

Systems analysts use such fault trees to: (a) define critical paths in the accident analysis; (b) calculate the probabilities of failures leading to given consequences or of consequences occurring in the system from one of a number of different initiating faults; and (c) specify safeguards against damaging consequences for each branch of the tree.

For different purposes the different trees available that will be discussed are: (a) a single-failure tree defined as a successive analysis of the causes of a single undesirable event; (b) a multiple-failure tree defined as an analysis of the consequences of a whole range of faults leading to a whole range of possible safe and unsafe terminations; and (c) an accident-process tree defined as a successive analysis of the consequences of a single fault. (This tree is a single branch of the multiple-failure tree and the reverse of the single-failure tree.)

All the systems to be assessed are closed-loop feedback systems.

A simple dynamic system (Fig. 2.28a), which has a response R to an input signal I, can be represented by a transfer function G(s) = R/I, where s is the Laplace variable, which is generally a complex variable. The response of this system to a steady sinusoidal input of frequency со of unit amplitude is R — G(ico), which is called the frequency response (7).

A simple feedback loop (Fig. 2.28b) has a forward function G(j), a feedback transfer function H(s), and a feedback signal F, which is the output R modified by the feedback function

F = RH(s) (2.9)

The input to the forward transfer function G(s) is now the difference be­tween the input signal I and the feedback F. It is clear that with the loop closed the response R is given by

R = G(j)[7— ВД] (2.10)

R/I=G(s)/[l +G(s)H(s)} (2.11)

and it should be noticed that the positive sign in the denominator is indica­tive of a negative feedback.

This is called the closed-loop transfer function.

The function G(s)H(s), the feedback response to unit amplitude F/I, lis called the open-loop transfer function.

Instability in the system is exhibited when the signals D, R, and F in the oop become self-sustaining without an input 7. Instability is indicated by the poles (where the function becomes infinite) of the closed-loop transfer function in the right half of the complex plane s, where the poles indicate exponentially increasing time functions in the time domain.

The number of poles is equal to the number of unstable modes in the system while the position of the pole gives information about the type of instability shown; the real s coordinate is the divergence rate while the imaginary s coordinate is the divergence frequency. There are several methods by which this information can be used to analyze the stability of the reactor system.

As can be seen from Fig. 1.31 the plant protective system (PPS) which detects a failure and shuts down the reactor is the most important safety system. In conjunction with the emergency core cooling system it provides protection against almost all faults. Section 3.1.5 has already outlined a number of trip signals and the trip values which might be used for a typical plant.

3.4.2.1 Scram Function

The prime function of the protective system is to ensure fast and reliable scram in response to a trip signal. To ensure that scram is obtained, the principle of redundancy is used, but to avoid spurious scrams, coincidence techniques are employed.

The logic of protective system action is as follows:

(a) A system acting on one signal from one monitor provides a minimum actuation but it does not provide safety against a failure in the single detec­tion or trip line.

(b) A system acting on one out of two trip lines provides redundancy against a single failure.

(c) A system acting on two out of three trip lines provides redundancy and coincidence and so protects against a spurious signal.

(d) A system acting on two out of four trip lines provides for one channel to fail or to be down for maintenance and still provides total safety.

Table 3.6 shows the scram channel redundancies and coincidences for a number of fast reactors. It can be seen that there is a divergence of opinion as to the correct way to instrument a reactor. Notice that EBR-II provides more trips in total although with less redundancy in some than the Fermi reactor.

TABLE 3.6

Reactor Safety System: Examples of Channel Redundancy and Coincidence

Techniques0

Trip EBR-II Dounreay RAPSODIE Fermi

Reactor scram in the fast system is accomplished by one of several methods: adding absorber material (Fermi), removing fuel material (DFR and EBR-II), and removing reflector material (CLEMENTINE).

The absorber is either boron carbide or tantalum. The former generates helium and requires replacement, while tantalum decreases the breeding by softening the spectrum, although it does increase the Doppler coefficient. The rod control drives are sometimes spring assisted either to increase the rate of fall throughout the fall or simply to give it an initial acceleration.

“ See Yevick and Amarosi (JO). b Based on 10% 10B burn-up.

" Limited by stress.

d Based on ASME Unfired Pressure Vessel Code where allowable fiber stress at 1200°F is 6800 psi.

Table 3.7 shows the characteristics of the Fermi control rods and Fig. 3.4 shows the reactivity change as a control rod is inserted. No reactivity change is experienced for 0.35 sec. This includes a trip delay time and an initial rod insertion time for the end of the control rod to reach about a third of the way into the core. The peak reactivity change is felt by the time the end

reaches the bottom of the core. The time dependence of the reactivity insertion is the usual S-shaped curve which is taken into account in transient studies.

Table 3.8 shows the comparison of safety rod drive systems in Fermi, EBR-II, and DFR.

TABLE 3.8

Comparison of Fermi, EBR-II, and Dounreay Fast Reactor Control and Safety Rod Drive Systems0

Peripheral fuel Central fuel backup

14 rods (12 peripheral control, 2 safety)

0.063-0.068

Double rotating

Up

On plug, in line with rods

Direct, relatively tight connection

14 in.

Peripheral fuel

Peripheral poison backup

12 rods (2 safety, 4 shutoff, 6 con­trol) 3 boron poison backup

More than 0.09

Double rotating

Down

Outside plug, offset actuator for rods

Located on carrier mating cone and pin

25 in.

See Yevick and Amarosi (70).

All control scram, pneumatic assisted

Safety rods only scram during start-up and refueling

Electromagnetic latch

About 0.32 sec

Electric motor—driving rack and pinion (external)

Selsyn system from pinion shaft

Fixed at 5 in/out

All rods scram. Control dropped with their drives, boron dropped with makeup piece only

Electromagnetic latch About 0.5 sec

Electric motor—gear to ball nut and screw (internal)

Special system from servo-arma­ture and search coil

Fixed at 0.18 out, 0.18 or 9 in Boron rods: 0.36

Aluminum gasket and reciprocating metal bellows

О-rings or other metal gaskets, no bellows. All seals static

The previous sections have outlined small parts of the whole picture: fuel failure, molten fuel jet impingement on adjacent pins, fuel fragmenta­tion, fuel velocities in channel, and voiding mechanics. It is now important to try to draw these pieces into a whole description of the sequence of events. The consequences of fuel failure should be determined in sufficient detail to establish what protection can be provided and what probability there is of a propagation of the failure.

Section 4.4.1.1 has shown that the propagation of failure due to fission — gas blanketing alone is unlikely and only in some certain circumstances could a secondary failure be caused. In this case for primary ruptures in the region of 10-4 in.2 area, a secondary rupture could be formed imme­diately opposite the primary one across the subchannel. The only place a third rupture could be formed would be back on the original pin. This A to В and В to A sequence is unlikely to spread the damage across the sub­assembly, especially since each rupture size must be that critical size to just give rise to the necessary conditions for continuing the process of failure.

Section 4.4.1.3 showed that molten fuel could eject out of a pin which already contained fuel and cause a jet failure on the next pin. However, again the failure sequence would be of the A to В and В to A type, which is unlikely to provide a tertiary rupture.

Section 4.4.1.4 has however discussed the voiding of the subassembly and the mechanism for failure throughout the subassembly is provided. Table 4.6 suggests a failure sequence using the information from the pre­vious sections (24a). (Essentially, it provides more detail for the earlier portions of Table 5.8, which describes the same sequence.)

TABLE 4.6

Overenriched Fuel Pin Failure Sequence0

Time

(msec)

Overenriched hot pin ruptures as molten fuel contacts cladding during minor reactivity transient

Subchannel voided around failed pin, pressure about 1000 psia

Whole assembly voided, pressure about 150 psia

(Failure of adjacent cladding due to molten fuel jet impingement)

Cladding failure on the adjacent enriched peak pin

Cladding failure on all enriched peak pins in assembly

Pins adjacent to original failure melt (about four or five of them)

Film on voided channels at maximum thickness following condensation

Film dry-out following reduction in thickness.

Molten fuel ejection ends following an intermittent ejection Sodium reentry into voided channels (vapor explosion?)

Enriched pins molten and start to slump in contact with assembly can Normally enriched pins molten and start to slump Assembly duct experiences heat fluxes up to 2 x 109 Btu/ft2 hr

° See Graham and Versteeg (23b).

b Cannot occur if the reentering flow reestablishes itself and is not blocked.

The overenriched hot pin is presumed to fail as molten fuel contacts the cladding due to some minor transient and the molten fuel is ejected. The subchannel voids rapidly in 1 msec with immediate pressures of 1000 psia. Then the void spreads more slowly across the subassembly, so that the whole subassembly is voided in about 8 msec and the pressures have been reduced to 150 psia. At about this time the molten fuel might also, by jet impingement on the adjacent cladding, have caused a secondary failure.

Due to the voiding, the cladding will fail on the adjacent enriched peak pins in about 25 msec and on all pins in the assembly in about 35 msec. However this is not significant since little molten fuel is present. Then the
pins nearest the failure begin to melt and molten fuel may appear from at most 4 or 5 near pins in about 80 msec.

As the void is growing, it is condensing on pins above the failure, and the film on these pins is growing and heating up those components. Later, however, the process reverses and the film dries out in about 200 msec. By 300 msec, the entire fuel ejection process is over from the primary failed pin as well as those near it that melted. Then the sodium vapor-liquid interface reenters in about 600 msec.

At this point, several things could occur, and although detailed calcula­tions might help to clarify this point, experimentation on fuel element failure propagation will be the only way to clarify the actual course of events. The following could occur:

(a) The sodium reentering could impinge upon the molten fuel which is in the channel and cause a sudden vapor explosion much more violent than the original vaporization. It is considered that evidence shows this to be unlikely.

(b) The flow could reestablish itself and normal flow conditions could maintain cooling of the subassembly, even though cladding has largely ruptured.

(c) Molten cladding could have blocked four or five subchannels and the condition changes to a treatment of a local blockage. In this case more than 8-10 subchannels should be blocked before further failure can occur and calculations (25) have shown that the blockage should be coher­ent. Even 1% seepage through the blockage could provide adequate cooling to avoid anything but a slow subsequent continuation of the damaging process.

During this voiding process, the reactivity feedback is small, limited to less that 100 for an entire voided subassembly. However, if the fuel melting results in gross slumping, then the reactivity changes are likely to be larger. These fuel movement reactivity changes could be of either sign, as can the voiding effects. Previous failures in both DFR and Fermi (26, 27) have been marked by negative changes of power, due to failure-induced reactivity feedbacks.

Neglecting the uncertainty of effects at this point, if the pins are now com­pletely deprived of cooling, the enriched pins will be completely molten at the midpoint cross sections in about 3.5 sec, while the unenriched pins will reach the same state in 5.0 sec if we presume this assembly to be made up of a mixture of enriched and nonenriched fuel. Thus the assembly duct would begin to see slumped fuel in contact with it at about this time or shortly afterwards.

Before a discussion of the functional requirements of reactor containment it is important to put radioactivity and its effects into perspective within our present environment.

5.1.1 Definition of Terms

The following are a set of definitions useful in any discussion of radio­activity :

a. Curie (Ci). A measure of radioactivity. A curie of any radioactive nuclide undergoes 37-109 transformations per second.

b. Roentgen (r). Named for William Roentgen, the discoverer of x rays, a roentgen is the quantity of x or у radiation which will produce one elec­trostatic unit of charge in 1 cc of air at STP. It corresponds to an energy of 83 ergs.

c. Radiation absorbed dose (rad). A quantity of radiation that delivers 100 ergs of energy to 1 gm of substance. In this case, body tissue is the substance of interest.

d. Roentgen equivalent, man (rem). This is the biological unit: the quan­tity of radiation equivalent in biological damage to 1 rad of standard x rays. This unit will be used most often in this chapter.

e. Relative Biological Effectiveness (RBE). This is the connection be­tween the biological unit of the rem and the radiative unit of the rad.+

RBE = 1 rem/1 rad (5.1)

f. Linear Energy Transfer (LET). The average amount of energy lost per unit of particle spur-track length. The linear energy transfer of course, depends on the particle, its energy, and on the material involved. Table 5.1 shows LET values for body tissue (/).

The biological effect of radiation on body tissue, the RBE, is therefore related to the LET value for the particle and for the energy of that particle.

The previous sections have discussed a number of possible CDA initiators. All of them have been shown to be most unlikely, and all but two may be ruled out as initiators. Attention would naturally be given to their absolute design prohibition. The two accidents that were not ruled out but further discussed were the local failure that might arise from an overenriched pin

or a blocked channel and the failure to scram in conjunction with another more likely event.

Analysis to date, combined with experiments on fuel-sodium interaction, transient destruction of fuel, and explosive testing of the fuel assembly wrappers, seems to indicate that propagation cannot occur following a local failure and therefore this case also should not be used to provide a CDA.

The scram failure case is analyzed as a direct result of licensing practice. It would be preferable to spend the technical effort in assessing reliability of the scram system, and this may well be done in the future. At that time a design basis for the containment may consist of a fuel handling mishap instead of a core disruptive accident. In that case the containment building will be reduced to the function of a roof for plant components.

A sodium fire is also used to evaluate containment design in many plants. Section 4.5 has shown how the sodium fire is analyzed and how its effect need not be restrictive to the design. Indeed the most sensible design solu­tion is to inert the sodium areas so as to rule out the sodium fire entirely.

In the future, the fast reactor may well consist of a covered rather than a contained plant. This will not be possible until a breakthrough comes in the analysis of initiating events or in the experimental program carried out in support of that analysis. Such a breakthrough will have to be accompanied by a breakthrough in the licensing attitude at the same time.

Table 6.3 lists the power conversion efficiencies for nuclear and fossil — fueled plants. It can be seen that something over 60% of the heat produced within a power plant is in excess of that which can be used in creating electricity. This inefficiency is suffered by all heat machines and the thermal nuclear plants, at present using lower temperature steam, are somewhat more inefficient than the fossil-fueled systems. However, the difference is

not significant and, size for size, the thermal effects of these competing systems are the same in magnitude. Fast reactors will eventually be capable of higher efficiencies in the large sizes. However, about 25% of the excess heat from a fossil-fueled plant is discharged directly from its stack along with gaseous pollutants; therefore the amount of excess heat to be removed by cooling water is relatively less than for the light-water-cooled nuclear plants. With fast reactors, however, the amount of heat released to the cooling water by the nuclear and fossil plants will be much the same (9a).

To put the excess heat position in perspective, by the year 2000, approx­imately 1250 billion gallons of water per day will be required to remove excess heat. About 30% of this will be discharged to the sea and the remain­der will require surface runoff water in some form for cooling. Since the total average daily runoff for the United States is about 1200 billion gallons, over 70% of this would be required to cool the power plants in existence at that time, or at least to transfer the excess heat to the ultimate heat sink of the atmosphere (9b).

Special effects, such as Wigner energy release [A cxp(BT)(dT/dt)] in graphite structure systems or uranium oxidation [а ехр(бТ’)] in metal — fueled systems, may have to be included in safety studies when adverse conditions are studied. However in sodium-cooled systems extra power production terms do not arise except when fuel is supposed to be ejected into the coolant channel. Then the coolant equation contains an extra heat production term. However, then it is also necessary to represent channel boiling (Section 1.3.4).

The favored fast reactor system in the United States, Great Britain, the USSR, and France—this reactor is now cooled by sodium although NaK systems have been used. Designs generally use mixed oxide fuels in a pin configuration cooled by upflowing coolant to remove anything between 12 to 16 kW/ft (7).

TABLE 2.1
Fast Reactor Types

Temperatures in the system range from 750°F at inlet to 1000°F at the mixed core outlet, while the coolant is kept at a low pressure of 1 atm or a little above.

The heat transfer systems are usually all three cycle systems with an inter­mediate or secondary system to insulate the radioactive primary sodium from the turbogenerator steam cycle. However, present designers are divided on whether the reactor should be a pool or a loop system. The former im­merses the core, heat exchanger, and primary pumps in a single pool of sodium, while the latter uses pipes to connect its primary components and its secondary components. There are advantages and disadvantages for both systems (see Section 4.1) but for the present discussion a loop system is assumed (Fig. 2.1). Table 2.1 shows the main characteristics of the liquid — metal fast breeder reactor (LMFBR).

Flow

/іб"з

Bypass circulators 51.5% Flow

Mam core circulators

3.1 Failure Criteria

The first two chapters have emphasized methods of safety evaluation and possible disturbances to the system. The next chapters go through a design process by setting design safety criteria, by reviewing the particular problems of a sodium-cooled design, by containing the system, and finally by licensing the plant.

Before reviewing the safety criteria that are set to define the design of a safe plant and detailing safety features that might be included, it is necessary to consider what failure means. In the previous chapter the system was evaluated to determine its response to a variety of disturbances; in particular to assess whether failure was possible. What is meant by failure?