15.46. The inherent characteristics of the HTGR concept provide the safety basis for the MHTGR system. First of all, graphite is stable at high temperatures and has a high heat capacity, which assures that core tem­perature transients will be slow and readily controllable. Helium is inert both chemically and neutronically. Therefore, coolant interactions with materials during the course of an accident are not possible and coolant

changes do not affect reactivity. Thorium loading in the fuel enhances the negative temperature coefficient of reactivity. These characteristics cause the reactor inherently to shut down.

15.47. In the MHTGR, should both the primary and secondary shut­down cooling systems become inoperative, decay heat would be removed by the passive reactor cavity cooling system (RCCS). The decay heat path is from the core to the surrounding reflector, then to the walls of the uninsulated reactor vessel. Heat would then be transferred by radiation and convection to RCCS cooling panels placed around the vessel. Outside air moved by natural circulation then cools the panels. The annular core geometry limits local heat generation so that this passive system prevents the fuel from reaching a temperature that would damage the refractory coatings on the microspheres.

15.48. The response of the MHTGR to a wide variety of accident scen­arios has been studied extensively, but space does not permit even summary coverage here. However, a common question concerns the possibility of chemical reaction of graphite with water and air. The water-graphite re­action is endothermic and normally would have minor impact with no fission product release likely. A worst-case scenario involving a combi­nation of failures results in about a 5-Ci iodine release to the environment, which would result in an acceptable offsite dosage. Air ingress would result in only a small amount of oxidation, primarily because of the large resist­ance to flow that the cooling tubes provide.

15.49. Another scenario worthy of mention is a depressurization acci­dent, with failure of all forced cooling systems. The reactor would trip, but decay heat would be removed only by the RCCS. A peak core tem­perature of about 1600°C would occur after about 80 hours. A release to the environment of only about 1 Ci of iodine is predicted.

12.250. Deliberate destruction of a reactor by sabotage could have con­sequences similar to those of a severe accident; hence, prevention of sabo­tage is an aspect of nuclear safety. The owner-operator of a nuclear plant (or other nuclear facility) is required to develop a physical security plan for the plant. According to NRC regulations, details of the plan must be included in the application for an operating license but they are withheld from public disclosure. Specific guidance for implementing plant security criteria is provided by the NRC and by the American National Standards Institute. Although protection against possible sabotage is primarily an industrial security problem, it is also an aspect of the nuclear safeguards activity concerned with the prevention of unauthorized use of “special nuclear material” (§10.109).

14.41. When present nuclear power plants were put into service, a 40- year operating lifetime was projected, essentially on an arbitrary basis. However, a maximum of 40 years was established by Congress in 1954 as the duration of an operating license. With no new plants being built and some plants approaching 30 years of service, operating license renewal for an additional 20 years has been recommended by the U. S. Department of Energy [5]. To allow ample time for regulatory decisions, NRC has de­veloped rules for considering license renewal. Essentially, the principle applies that the present adequate level of safety must be maintained during any extended operating period [6].

14.42. Extended life studies have concluded that it is feasible to maintain safety levels, regardless of age, through repair, refurbishment, and re­placement. Degradation in component performance can be detected by extensive routine surveillance and testing. Various aging mechanisms were identified which fall into categories of fatigue, erosion, corrosion, service wear, radiation embrittlement, thermal embrittlement, chemical effects, material creep, and environmental degradation [7]. Among these, PWR pressure vessel radiation embrittlement is probably the most important and will be discussed further in the next section. Corrosion problems have required the replacement of some PWR steam generators. Although such replacement is expensive, with about a 6-month outage required, it is a proven procedure.

14.43. In 1985, the NRC added rule 10 CFR 50.61 entitled “Fracture Toughness Requirements for Protection Against Thermal Shock Events.” The rule establishes pressure vessel screening criteria and calculation meth­ods for a reference temperature for nil-ductility transition (§7.16). Of con­cern is the possibility of brittle fracture during a pressurized thermal shock transient as a result of the sudden injection of cold water during operation of the Emergency Core Cooling Systems. For plates and axial welds, the maximum NDT temperature is 132°C (270°F), while 149°C (300°F) is the limit for circumferential welds at the core beltline. Licensees are required to submit projected values up the time of license expiration. Should the criteria be exceeded, neutron flux reduction programs are required.

14.44. The pressure vessel wall fast-neutron flux exposure can be re­duced by lower power reactor operation, but a preferred approach is to use special reload core designs to provide very low neutron leakage. A number of design options are available but generally feature loading the most depleted fuel or special blanket assemblies around the periphery of the core (§10.26).

14.45. In-place thermal annealing of a reactor vessel to remove some or all of the effects of neutron embrittlement is a “last ditch” option being investigated [8]. A technique that has been used successfully in Russia on defueled PWRs involves the use of special heaters in the region of critical vessel welds to raise the metal temperature to 454°C for about 6 days. Wet annealing is another possibility but would lead to lesser benefits. In this technique, the vessel and primary cooling circuit is held for about 6 days at a temperature of 340°C using main reactor cooling pump friction heat. Regulatory considerations associated with annealing methods would re­quire resolution.

15.77. Although it has been possible to eliminate most of the active safety subsystems in the passive plants, the entire plant remains a very sophisticated complex system. Therefore, plant reliability and its effect on the plant availability factor is an issue. There are differences among the concepts described regarding the amount of design innovation involved. Proponents of the AP600 and the SBWR claim that the technology is sufficiently proven so that a “demonstration plant” is not required. On the other hand, there appears to be agreement that a “lead plant” to gain experience before other plants are constructed would be desirable. Since the MHTGR and the ALMR are more innovative, but are modular, the road to commercialization would clearly start with a “demonstration” mod­ule. Also, other designs are being proposed. For example, a hybrid system uses active systems to cope with non-LOCA events, with passive features available as a backup for serious accidents. This approach is claimed to result in a higher plant availability than in an all-passive design, since shutdowns would be shorter [12].

15.78. As a result of experience with the Fort St. Vrain plant, the MHTGR is claimed to be in an advanced state of development. However, as a result of various problems, the operation of the plant was uneconom­ical. Therefore, the operability of a modular plant with some advanced features still requires some demonstrations to assure utilities that their investment risk will be reasonable. As mentioned in §15.62, there is ample time for an ALMR demonstration, both to permit further development and provide a firmer basis for cost estimation.

13.47. The length of a fuel cycle in a BWR can be extended beyond that normally available from reactivity limitations by reducing the reactor feedwater temperature and hence its enthalpy. As can be seen from equa­tion (13.1), a decrease in hf will be accompanied by a decrease in the quality X, assuming other conditions are not altered. The thermal power of the reactor would thus remain unchanged, but the reactivity would be increased. This means that the useful life of a BWR fuel loading would be extended by reducing the feedwater temperature toward the end of the normal operating cycle, a practice known as “coast-down.”

13.48. The decrease in feedwater temperature is, however, accom­panied by a decrease in steam flow and in the electric power generated, for a given thermal power. For example, a reduction in feedwater tem­perature from the normal 216°C (420°F) to 12ГС (250°F) toward the end of a cycle permits an extension of 6 weeks to the regular fuel cycle length of about 18 months. However, during this period, the steam flow decreases to 82 percent of the normal value and the electrical power output to 91 percent. There is, nevertheless, a net cost benefit as a result of a reduction in the enrichment required for the reload fuel to achieve the same cycle length.

15.23. The Simplified boiling-water reactor (SBWR) is a 600-MW(el) reactor which features natural circulation and passive features to enhance safety and simplify system design. An assembly view of the vessel and internals is shown in Fig. 15.3. Noteworthy is a chimney section above the core to promote the natural circulation of the coolant. As a result, the reactor pressure vessel (RPV) is 2.6 m higher than that required for the 1356-MW(el) ABWR (Table 13.4).

15.24. A summary of some design specifications is given in Table 15.2. The power density has been reduced by about 25 percent compared with present BWRs to increase safety margins. The relatively short (2.44 m) core consists of 732 fuel assemblies of the standard 8×8 lattice type. However, advanced fuel assembly designs can be accommodated. A 7.0- m-i. d. vessel is then needed to accommodate this geometry. A large water inventory for a reactor of this power rating provides an inherent damping of transient disturbances.

12.212. Fault tree analysis, which is essentially a graphical communi­cation tool based on Boolian algebra, is a key ingredient of reliability analysis and risk assessment. It has the value of identifying weak links in complex system interactions as well as providing insight into system be­havior. Since risk is determined by relating the system failure probability to consequences, fault tree analysis is the first stage of risk assessment.

12.213. A system fault tree is a logic diagram which depicts the com­ponent failure modes (or, in general, faults[26]) that combine to produce a failure of the system. First, an undesired event or failed state of a system is postulated; this is called the top event. The latter is then traced back, step by step, to identify the combinations of sequences of other events or failures that could lead to the top event. After proceeding through a number (often in the tens) of secondary stages, a set of primary failures is reached which can not (or need not) be traced further. In many cases, the failure of a complex system depends on the failures in several subsystems. Fault trees for the latter can then be analyzed separately, and the results provide part of the “primary” input to the system fault tree.

12.214. The first few stages of a fault tree are shown in Fig. 12.16, for which the top event is an insufficient flow of water from the spray intended to cool the containment atmosphere of a PWR. There are two redundant systems, A and B, either of which alone is capable of providing the nec­essary cooling. Hence, both systems must fail in order for the top event to occur; this is indicated by the AND logic gate, with a rounded top, relating the second level events to the undesired (top) event. The most immediate cause of the failure of the spray system would be insufficient water to the header to which the spray nozzles are attached; hence, this is regarded as the second level of the fault tree.

12.215. The third level identifies four different faults, each of which is sufficient to cause the second level event. The third level is therefore related to the second level by an OR gate, with a pointed top. Events within circles or diamonds need not be developed further. A circle indicates the failure of a component for which the probability of occurrence is available or can be determined. An event in a diamond is a fault, in its general sense, which is not developed either because of its minor significance or because of lack of information. An event within a rectangle in a fault tree is one that must

be traced down to a lower level (or levels). Levels beyond the third are not shown in Fig. 12.16, although they have been traced in some instances through more than 20 stages.

12.216. Fault tree analysis has both qualitative and quantitative aspects. From the qualitative standpoint, the analysis can often identify a critical subsystem or component where a failure could have a marked influence on the failure of the entire system. Similarly, in a complex network, one event path may be found to have a controlling effect on the total failure. In these circumstances, it would be desirable to introduce redundant elements.

14.9. In Chapter 5 we introduced reactor kinetics and some features of the control system. However, in a nuclear power plant, we must deal with the control of the entire plant, not just the nuclear reactor component. All aspects of plant control emphasize safety, with all operations conducted according to written procedures approved by the NRC. Normal operations are those routinely performed, such as starting up and shutting down the plant, as well as changing power levels. In contrast, an abnormal condition is one in which an unplanned transient requires corrective action to prevent serious problems. Some of these were considered in Chapter 12. We will consider here only normal operations as a way of introducing some of the features of plant control. However, we will not deal with detailed plant procedures necessary to carry out the operations. Also, a description of corrective actions for a wide variety of abnormal conditions is beyond our scope.

15.50. The MHTGR concept benefits from the same advantages of standardization, factory fabrication, and system simplification that apply to other advanced designs having about the same electrical capacity. Al­though estimated capital cost requirements are slightly higher than for the other designs, they are probably within the error range associated with all such estimates. It should be noted that the MHTGR produces steam at the same conditions as used in fossil-fueled power plants, an advantage. A busbar cost of electricity of about 10 percent less than that from an equivalent-sized modern coal-fired plant has been claimed which appears to justify further attention being given to the potential of the MHTGR.

12.251. In order to provide protection against possible sabotage, the reactor installation must be enclosed within at least two separate barriers with a “protected area” between them. An isolation zone, clear of all objects, must surround the protected area. Both the protected area and the isolation zone must be illuminated at night and continuously monitored to detect the presence of unauthorized persons or vehicles. Access to the protected area must be strictly controlled, and packages delivered to the area must be checked. Barriers are provided to control access by vehicles to vital plant areas. Alarms must be located at important points to indicate any unauthorized entry.

12.252. The capability of continuous communication must be main­tained between guards at the nuclear plant and a central alarm station. In addition, the alarm station must maintain communications contact with local law enforcement authorities. The owner of the plant is required to maintain liaison with these authorities so that they can be called upon to provide assistance should it be necessary.

12.253. Safeguards for the protection of nuclear installations are under continuous study and review by the NRC. As better techniques are de­veloped, plant licensees are required to adopt them. If the requirements are properly implemented, the hazard to the general public from sabotage of a nuclear reactor (or a spent-fuel reprocessing) plant should be extremely small.

INTRODUCTION

13.1. The practice of nuclear engineering is focused on the design and operation principles of commercial nuclear power plants. In previous chap­ters we have discussed many such principles that apply particularly to light — water reactors (LWRs). A brief overview of pressurized-water (PWR) and boiling-water reactors (BWR) was given in Chapter 1 to provide a general background and the material in subsequent chapters tended to further develop an understanding of such systems.

13.2. The purpose of this chapter is to provide additional details of some typical commercial LWRs as well as the Canadian heavy-water mod­erated reactor (CANDU). Although no new reactors have been ordered in the United States for some years, vendors do offer various improvements for operating reactors from time to time, particularly in fuel assembly design. The specifications listed here are primarily for orientation purposes, and are not necessarily representative of the latest trend.

13.3. Space limits the discussion of details of reactor technology, which are available in other sources [1]. Descriptive information is included with

safety analysis reports submitted to the NRC and available as public doc­uments. Reactor vendors also generally provide technical brochures in response to commercial inquiries.

13.4. So-called evolutionary designs have been developed by reactor vendors for new commercial LWRs in the lOOO-MW(el) size class. These incorporate many improvements, particularly in the safety and cost re­duction area, which will be discussed in this chapter. Advanced reactors, many with passive safety features, will be covered in Chapter 15.