12.206. We may define reliability as the probability that a system or component will perform a specified function (or not fail) for a prescribed time. Now, if in addition, we consider the consequences of failure, i. e., a financial loss or injury to people, we have the concept of risk. Mathematical reliability models as design tools evolved from statistical sampling proce­dures used for quality control and biological research. The underlying probability theory, of course, is centuries old.

12.207. The aircraft industry provided an early incentive for the de­velopment of reliability engineering since in aircraft, one cannot accept overly conservative design if additional weight would be required. In the German World War II missile program, the concept of integrated system reliability analysis was pioneered. In the United States during subsequent years, the requirements of both the space and military missile programs led to the development of sophisticated systems studies which included the fault tree concept.

12.208. The application of probabilistic risk assessment (PRA) to nu­clear reactor safety began in the 1960s in the United Kingdom with the study of advanced gas-cooled reactors [28]. As we shall see shortly, PRA is an analytical technique for modeling the possible failure of subsystems and components where there are complex interactions. Following the Brit­ish work, the U. S. Atomic Energy Commission sponsored a number of studies of reliability techniques applied to U. S. reactors. Next, a major advance in PRA development was made in a З-year effort known as the Reactor Safety Study, the Rasmussen Report, or WASH-1400, published in 1975 [6]. The performance of a PRA as a licensing requirement was instituted in 1982. Also, ongoing PRA studies applicable to existing plants have resulted in various modifications to improve reliability. We will discuss various PRA efforts after we have presented additional introductory material.

14.4. A commercial nuclear power plant station usually consists of one or more generating units connected to the utility’s electrical distribution grid, which is also supplied by other units at various locations. Intercon­nections with grids of neighboring utilities are also provided to meet emer­gency requirements as well as to provide a means to purchase or sell energy. In dispatching load to generating units, the utility’s objective is to provide electricity to its customers by operating individual units in such a manner that generating costs will be minimal.

14.5. As pointed out in §10.99 and §10.106, the capital costs of the entire utility system must be paid on a unit time basis, whether or not an individual generating unit is operating. However, fuel is expended only when a unit is operating and the rate of expenditure for a given power level depends on the efficiency of the generating unit. Therefore, neglecting transmission considerations, it is cost-effective to dispatch the grid electrical load so that the most efficient plants operate as much as possible. The load changes during the course of a day, being lightest during the late night and early morning hours. Also, there are seasonal changes with peak loads occurring during hot weather when many air-conditioning units are oper­ating. Thus, the most fuel-efficient units will be operated as much as pos­sible to meet the constant base load, while less efficient units will be as­signed to operate as needed to meet the variable peak load. As a result of balancing capital and fuel costs, it is common practice to use low-capital — cost but fuel-inefficient gas turbine generators to meet the peak loads of shortest duration, while high-capital-cost but fuel-efficient nuclear units are base-loaded.

15.45. A design option is to utilize the helium heated in the reactor as the working fluid in a closed-cycle gas turbine power conversion system. The resulting elimination of the steam generator and associated compo­nents leads to system simplification and potential cost savings. However, somewhat more development is required than would be necessary for the steam-generating approach.

12.248. Investor-owned electric utilities are regulated by state public utility commissions, which have the responsibility for approving rate struc­tures that will provide a fair rate of return on investment (§10.107). In most states, they also are required by statute to judge whether or not new generating facilities are indeed necessary. If approval is obtained, the is­suance of a Certificate of Public Convenience and Necessity (CPCN) as­sures that the needed investment will be added to the rate base. Generally, an electric utility will obtain a CPCN before initiating NRC application procedures.

12.249. State agencies also have various requirements that affect site selection, particularly within coastal areas, where land and water use might be affected. Also, such matters as cooling water supply and effluent discharges usually require state approval. In some states there are restrictions on nuclear plant construction on radiological health and safety grounds. Overlapping state and federal jurisdiction can result in regulatory complications.

14.38. Equipment maintenance is a very important plant operations activity, but is generally given little attention in engineering texts. In fact, accommodation of maintenance requirements is a vital plant design re­quirement. Components, piping, wiring, and auxiliary equipment must be arranged in such a manner that routine maintenance and component re­placement can be carried out efficiently. The presence of a radiation field can be an important design consideration.

14.39. Maintenance is usually planned during scheduled refueling shut­downs. Unscheduled shutdowns are expensive, with the economic penalty generally based on the cost of replacement energy. Therefore, measures to assure trouble-free equipment performance are justified and should be accomplished during planned shutdowns. During such shutdowns, careful work scheduling is necessary to avoid excessive outage time. Radiation exposure limits to personnel and the need for protective clothing require attention.

14.40. During the late 1980s, the NRC increased its involvement in nuclear plant maintenance. As a result, EPRI formed the Nuclear Main­tenance Applications Center (NUMAC) to improve maintenance effec­tiveness by coordinating information and developing technical repair guides for specific equipment. Also, the Institute of Nuclear Power Operations (INPO) has developed standards for maintenance. It is recognized that there is an optimum maintenance effort as a result of the cost of failures balanced by the expenses of preventive maintenance. A goal is to devote about 70 percent effort to preventive maintenance and 30 percent effort to corrective maintenance.

15.74. Compared with present large reactors having electrical gener­ating capacities in the 1000-MW range, we have seen that smaller passive reactors in the 600-MW(el) range have a number of attractive features. The new designs are simpler since the passive features eliminate the need for some active safety systems. They generally are more forgiving to op­erator and system failures and are designed to have longer plant lifetimes. They have generally received favorable public attention since press de­scriptions have emphasized that the industry has something new to offer in safety.

15.75. The smaller plants can be built faster, an attractive feature that reduces the indirect construction costs. Also, for a utility considering a restart of its nuclear program, a smaller reactor would require less financial exposure than a large plant and might be more commensurate with load growth requirements. Siting for a smaller plant is likely to be easier.

15.76. Opinions differ regarding whether or not the inherent economy of scale advantage of the large plant can be counteracted by the system simplification and manufacturing advantages of the smaller plant. Although cost estimates for the large evolutionary plants yield about the same results as those for the smaller passive plants, the former estimates are based on proven systems and are therefore likely to be more reliable. Furthermore, it has been pointed out that the large fraction of the capital cost required for the nonnuclear part of the plant is subject to the scaling factor, leading to the conclusion that on a unit energy basis, generating costs for the large plant are likely to be less than for the smaller plant. However, until more information becomes available, it appears that a size preference should be based on considerations other than the economy-of-scale issue.

13.39. An important feature of BWR operation is the coolant recir­culation system, shown schematically in Fig. 13.10. This system provides the forced convection flow through the core necessary to achieve the re­quired power density in a BWR. About 14 weight percent of the water passing through the core is vaporized and the remainder must be recir­culated. A portion of the coolant is withdrawn from the lower end of the shroud region and forced by a centrifugal recirculation pump into the jet pumps. Most BWRs have two recirculation pumps, each of which provides by way of a manifold the “driving flow” for 10 to 12 jet pumps. The flow of coolant from the pumps, up through the core and back by way of the annular region, is indicated in Fig. 13.10.

13.40. In the German KWU-BWR design, the recirculation pumps are within the reactor vessel. The electric drive motors, which are outside the vessel, are connected to the axial flow pumps by mechanical seals flanged to the bottom of the pressure vessel. By eliminating large external coolant circulation loops, the loss-of-coolant accident becomes less probable, and the coolant depressurization rate is reduced. This internal circulation pump arrangement has been adopted by the General Electric Co. for its evolu­tionary Advanced BWR design (§13.49).

Control System

13.41. The control rods in a BWR, driven by hydrostatic pressure, enter from the bottom of the core; this is both necessary and desirable. In the first place, the reactor vessel above the core is occupied by the steam — water separators and dryers; furthermore, movement of the controls in and out of the lower part of the core permits compensation for the reactivity decrease in the upper part arising from the steam voids. The absorber rods are used for reactor startup and shutdown and also to flatten the power distribution. Power adjustment during operation is commonly made by changing the coolant recirculation rate, as will be explained shortly. Boric acid solution is not used in BWRs because solid would be deposited on the fuel rods in the boiling region, thereby interfering with heat transfer. However, in newer designs for the advanced BWR, an electrical-hydraulic control rod drive system provides motion in fine steps suitable for power adjustment purposes.

13.42. Early BWR practice was to “scatter load” the core so that fuel assemblies having different burnups would be adjacent to partially inserted control rods. Since the influence of the neighboring absorber would cause
uneven burnup, particularly with fuel of higher enrichment, it was common practice to exchange or “swap” groups of control rods used for deep or shallow insertion during the operating cycle. In this way, the effects on adjacent assemblies would be reduced. However, in the newer control cell core (CCC) loading (§10.55), control rod groups intended for partial in­sertion service have only low enrichment assemblies in the adjacent four positions. Therefore, burnup effects are minimal and these rods may be used for reactivity and power distribution control throughout the operating cycle, with no need for rod pattern exchanges.

13.43. The excess reactivity of fresh fuel is partly compensated by the inclusion of gadolinium oxide (Gd203) as a burnable poison mixed with uranium dioxide in some of the fuel elements (§5.197). These rods are located where they will improve the uniformity of the power distribution.

13.44. The use of the coolant recirculation rate in the adjustment and automatic control of BWR power output is based on the following consid­erations. Let wf be the feedwater mass flow rate, wr the recirculation flow rate, and wc(= wr + wf) the core coolant mass flow rate. The reactor power P can then be represented by

P = wf(hr — hf) + (13

wc = wr + wf,

where hr, hf, and hvap are the enthalpies of the saturated recirculating water, the feed water, and of water vaporization, respectively; X is the quality (weight fraction of vapor) of coolant leaving the core. If the recirculation flow rate wr is increased without changing wf, the quality will be momen­tarily lowered, since there will not have been time for P to change. The reduction in steam voids will tend to increase the reactivity and hence the power; as a result, X will increase toward the original value and the reac­tivity will decrease. The reactor will thus become stabilized at a higher power level [5].

13.45. The foregoing behavior, which leads to a roughly linear de­pendence of the BWR power on the recirculation flow rate, is effective over a range of about 25 percent of the reactor design power without movement of the control rods. The coolant recirculation rate is determined by the injection rate into the jet pumps, and this is controlled by flow control valves at the recirculation pumps.

13.46. The critical heat flux (§9.99), at which DNB occurs, depends on the core coolant flow rate and the exit quality. Either a decrease in the flow rate or an increase in the quality (or both) tends to decrease the critical heat flux. Changes in the recirculation rate, wr, and consequently in the core flow rate wc (at constant uy), must therefore be such that the critical heat flux ratio (§9.179) is maintained above the design minimum of 1.90 at 120 percent of rated power. However, this classical figure of merit does not give a true picture of the thermal margin since the axial heat flux profile changes with power. Therefore, the critical power ratio (CPR), defined as the critical power divided by the operating bundle power at the condition of interest, is also used (§9.181).

15.20. Probabilistic risk analysis was used extensively in the design proc­ess to select the design options that would minimize the predicted core melt frequency. This approach contrasts with PR A studies of already built plants for which remedial options are limited. Defense in depth is provided by various redundant safety systems which would be effective before the passive features are called upon to control an accident. The response of all safety systems to every known transient and accident scenario has re­ceived consideration during the design process.

15.21. The design includes the MSHIM load-following strategy, which utilizes “gray” rods, thus avoiding the need for boron concentration ad­justment (§14.21). An advanced instrumentation and control system using multiplexing reduces the amount of wiring needed (§14.30). Plant layout has been planned to provide good access for construction and maintenance. Also, extensive use of prefabricated modules is expected to reduce con­struction time and improve economics.

15.22. The AP600 is designed for a 60-year operating life. Cost reduc­tion is achieved by the use of passive safety features, general design sim­plicity, and complete plant standardization, which requires 100 percent engineering prior to the start of construction. Such savings tend to com­pensate for the unfavorable economy of scale of the 600-MW(el) size com­pared with large plants. An estimate of $1370 per kilowatt (1990 dollars) is within the $1500/kW EPRI goal for advanced plants.

12.209. Before we introduce some PRA principles, it is desirable to clarify the difference between deterministic and probabilistic safety anal­ysis. The term deterministic has a philosophical basis which refers to the mechanical correspondence between causes and effects. For example, we could consider a small-break LOCA in a PWR as a “cause,” and by suitable analytical modeling determine the maximum fuel clad temperature as a function of the break area. The clad temperature would be the “effect” and when related to prescribed limits provides us with a “safety margin.” An evaluation of numerous safety margins is required in licensing appli­cations (§12.132). In contrast, probabilistic safety analysis utilizes statistical methods to evaluate failure probabilities resulting from various initiating events. Here we are concerned with binary states; i. e., an initiating event might be the transition of a given component from an operating state to
a nonoperating state. Then this state could affect the condition of related components, as we shall see.

Elementary Binary State Concepts

12.210. As an introduction to failure concepts, let us consider a com­ponent that is either functioning normally or failed. We define the relia­bility, R(t), as the probability of survival to age t. Then,

number surviving at t ‘ total sample (population)’

We can define unreliability, F(t), as the probability of failure up to age t (t not included):

, 4 number of failures before t

Fit) = ————- —————

7 population

Now, R(t) = 1 — F(t). If we consider the proportion of the population, or sample, that will fail between tx and t2, we can introduce the failure probability density, f(t), where

F(t2) ~ F(t0 = [‘7(0 dt,

J’ і

where f(t) dt is the probability of failure in dt about t:

We are also interested in the rate of failure, r(t), which is sometimes called the hazard rate. This is the probability of failure per unit time at age t i. e., the device must have survived to time t:

№ m

1 — Fit) R(ty

Here R(t) is the number of survivals at t divided by the initial population.

12.211.The behavior of r(t) for many devices is described by the classic “bathtub curve” shown in Fig. 12.15. Characteristically, there are signif­icant early failures during a burn-in period arising from poor manufacturing quality control. Subsequently, there is a flat period of random failures followed by a rising rate in the wear-out range. This concept provides only

BURN-IN

PERIOD

TIME, t

a “taste” of a discipline known as reliability engineering, in which com­ponent and system performance are analyzed.

14.6. The operating cycle length is the planned operating time before shutdown for refueling is required. It is an important fuel reload design parameter and sometimes is expressed in units of fuel burnup. For many years, operating cycles of 12 months were common. However, in recent years, longer cycles became economical as the cost of uranium and en­richment remained relatively low and the advantages of a higher capacity factor became more significant. Also, longer cycles offer more flexibility for generation management.

14.7. Generation management is important for a utility having several nuclear units so that overlapping refueling and maintenance shutdown periods will be avoided. Such outage periods are normally 1 to 2 months long. Also, less frequent refueling has the advantage of reduced radiation exposure to operating personnel. Therefore, many utilities have adopted operating cycles of 18 months and in some cases as long as 24 months [1]. The increase in permissible core peaking factors as a result of changes in 10 CFR 50 Appendix К tends to simplify reload core design for extended cycles.

14.8. Outage management requires long-range strategic planning to maximize plant availability by making the most efficient use of the time available for plant maintenance. For example, project priorities, many to meet NRC requirements, are generally established years in advance, with individual projects scheduled over a series of outages, as appropriate [2].