Scribd
Upload
11 views

Lecture 5 Safety Functions - Shutdown Systems

CANDU reactors have two independent shutdown systems - a solid absorber rod system and a liquid poison injection system. The systems are designed to be rapidly effective, highly reliable, and able to shut down the reactor on their own for any accident scenario. Both systems employ diverse designs, sensors, logic, and actuation methods to minimize the chances of common-cause failure.

Uploaded by

Lazarescu Elena
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
11 views

Lecture 5 Safety Functions - Shutdown Systems

CANDU reactors have two independent shutdown systems - a solid absorber rod system and a liquid poison injection system. The systems are designed to be rapidly effective, highly reliable, and able to shut down the reactor on their own for any accident scenario. Both systems employ diverse designs, sensors, logic, and actuation methods to minimize the chances of common-cause failure.

Uploaded by

Lazarescu Elena
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

CANDU Safety

#5 - Safety Functions - Shutdown Systems

Dr. V.G. Snell


Director
Safety & Licensing

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 1


Location of
Shutdown Systems
Relative to the
Reactor and
Reactivity
Mechanisms

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 2


Shutdown System 1
λ 28 spring-assisted gravity-drop
absorber elements
λ poised above core
λ supported by cable
λ held against spring by clutch; loss
of power to clutch causes rods to
fall into moderator
λ guide tubes guide the absorbers as
they fall in
λ full insertion in < 2 seconds

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 3


Shutdown System #2
λ 6 perforated nozzles
run horizontally
across the moderator
λ each nozzle is
connected to a liquid
tank full of GdNO3
λ a high-pressure
helium tank forces the
“poison” into the
moderator in < 2 sec.

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 4


Performance Requirements
λ insertion speed and initial negative reactivity
– set by the large LOCA
– turn over the power increase before the fuel or sheath melts
– significant negative reactivity within 0.6 seconds of trip
λ reactivity depth
– set by a fuel channel rupture (in-core break) on startup after
a long shutdown
– moderator contains boron / gadolinium and after rupture is
displaced by “unpoisoned” coolant
– some shutoff rod guide tubes may be damaged

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 5


Reactivity Balance for In-Core Break
Reactivity Change Due to: Reactivity (mk) at
15 minutes
Moderator poison displacement 10.5

Coolant void 13.3

Coolant Temperature 0.3

Fuel Temperature 4.1

Downgrading Moderator Purity -4.8

Moderator Temperature -0.1

Total to be compensated by shutdown 23.3

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 6


Flux Detectors
λ SDS1 uses vertical self-powered
fast-response platinum flux
detectors in core
λ they are not shared with the
control system nor with SDS2
λ they are used for local overpower
protection and for bulk overpower
λ SDS2 uses separate horizontal in-
core detectors

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 7


Ion Chambers
λ SDS1 and SDS2 use
(separate) ion chambers
on the side of the core
λ the main purpose is to
generate a low-level
power signal and a high-
rate signal

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 8


Typical SDS1 Trip Parameters
Parameter Purpose - examples
High Neutron Power Loss of reactivity control, LOCA
High Rate of Rise of LOCA, loss of reactivity control
Neutron Power from low power
High Coolant Pressure Loss of flow, loss of heat sink
Low Coolant Pressure Small LOCA
High Building Pressure LOCA, steam line break
Low Steam Generator Steam and feedwater line breaks
Level
Low Pressurizer Level Small LOCA
High Moderator Loss of service water
Temperature
Low Coolant Flow Loss of flow
Low Steam Generator Steam line break
Pressure
24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 9
Typical SDS2 Trip Parameters
Parameter Purpose - examples
High Neutron Power Loss of reactivity control, LOCA
High Rate of Rise of LOCA, loss of reactivity control
Neutron Power from low power
High Coolant Pressure Loss of flow, loss of heat sink
Low Coolant Pressure Small LOCA
High Building Pressure LOCA, steam line break
Low Steam Generator Steam and feedwater line breaks
Level
Low Pressurizer Level Small LOCA
Low Header ∆p Loss of flow
Low Steam Generator Steam line break
Pressure
24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 10
SDS1 Two- Out-of-Three Logic
Reactor Trip Signal

Channel D
D
Instruments
Reactor E
Parameter

Channel
Process

F D
Logic
Other
Parameters
E 2/3

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 11


2 out of 3 Logic
λ allows one channel to be tested without tripping the reactor
λ allows one channel, if it is known to be faulty, to be put in a
safe (tripped) state without tripping the reactor
λ permits comparison of the three signals and alerts the
operator if any seem inconsistent

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 12


Shutdown System Design Requirements
λ each shutdown system is effective for all accidents
λ they do not share sensing, logic or actuation devices with
each other or with the reactor control system
λ the design of the two shutdown systems is diverse
– solid absorber rods and liquid poison injection
– logic microprocessors programmed by different groups of
people in different languages
λ where practical, each shutdown system has two diverse trip
parameters which are effective for each accident
λ in a few cases SDS1 and SDS2 trips are diverse
– e.g., low flow and low ∆p
24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 13
Shutdown System Design Requirements - More
λ the two shutdown systems are oriented differently
– vertical rods and horizontal nozzles, also for flux detectors
λ the cables and instrumentation are physically separated
λ each SDS is controlled from a different control room
λ each SDS is designed to meet an unavailability of 1 in 1000
λ each SDS is tested during operation to show that this
unavailability is met:
– each channel is testable up to the final 2 / 3 logic
– any shutoff rod can be partially dropped
– any poison valve can be opened without firing SDS2

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 14


Shutdown System Design Requirements - More
λ most process parameters are directly testable: e.g., a shutter
can be moved in an ion chamber to test the log rate trip for
that channel
λ the systems are fail safe as far as possible:
– loss of power to clutches or poison valves trips the system
– loss of power to a channel trips the channel
– loss of power supply trips the channel
– watchdog timers trip the channel if the logic is not routinely
operating
λ the operator cannot easily prevent tripping the systems nor
change the logic
24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 15
Lesson Learned from Chernobyl
λ the shutdown systems in Chernobyl were adequate according
to the safety analysis
λ the designers assumed the operator would not operate the
plant in an unusual configuration
λ he did, and the shutdown systems made the accident worse
λ in CANDU:
– the reactor state does not change much once equilibrium
fuelling is reached
– the shutdown system effectiveness does not depend much
on reactor state

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 16


Summary
λ CANDU Shutdown Systems are:
– effective, acting alone; therefore they are fully redundant
– diverse in design
– designed to numerical reliability target
– testable during operation to show the reliability target is
met
– separated so that a hazard in a local area will not affect
both systems

24/05/01 CANDU Safety - #4 - Safety Functions - Shutdown Systems.ppt Rev. 0 vgs 17

You might also like