Boiling water reactor safety systems
Encyclopedia
Boiling water reactor safety systems are nuclear safety systems
Nuclear safety systems
The three primary objectives of nuclear reactor safety systems as defined by the Nuclear Regulatory Commission are to shut down the reactor, maintain it in a shutdown condition, and prevent the release of radioactive material during events and accidents...

 constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.

Like the pressurized water reactor
Pressurized water reactor
Pressurized water reactors constitute a large majority of all western nuclear power plants and are one of three types of light water reactor , the other types being boiling water reactors and supercritical water reactors...

, the BWR reactor core continues to produce heat from radioactive decay
Radioactive decay
Radioactive decay is the process by which an atomic nucleus of an unstable atom loses energy by emitting ionizing particles . The emission is spontaneous, in that the atom decays without any physical interaction with another particle from outside the atom...

 after the fission
Nuclear fission
In nuclear physics and nuclear chemistry, nuclear fission is a nuclear reaction in which the nucleus of an atom splits into smaller parts , often producing free neutrons and photons , and releasing a tremendous amount of energy...

 reactions have stopped, making a core damage
Nuclear meltdown
Nuclear meltdown is an informal term for a severe nuclear reactor accident that results in core damage from overheating. The term is not officially defined by the International Atomic Energy Agency or by the U.S. Nuclear Regulatory Commission...

 incident possible in the event that all safety systems have failed and the core does not receive coolant. Also like the pressurized water reactor, a boiling water reactor has a negative void coefficient
Void coefficient
In nuclear engineering, the void coefficient is a number that can be used to estimate how much the reactivity of a nuclear reactor changes as voids form in the reactor moderator or coolant...

, that is, the neutron (and the thermal) output of the reactor decreases as the proportion of steam to liquid water increases inside the reactor.

However, unlike a pressurized water reactor which contains no steam in the reactor core, a sudden increase in BWR steam pressure (caused, for example, by the actuation of the main steam isolation valve (MSIV) from the reactor) will result in a sudden decrease in the proportion of steam to liquid water inside the reactor. The increased ratio of water to steam will lead to increased neutron moderation, which in turn will cause an increase in the power output of the reactor. This type of event is referred to as a "pressure transient".

Safety systems

The BWR is specifically designed to respond to pressure transients, having a "pressure suppression" type of design which vents overpressure using safety relief valves to below the surface of a pool of liquid water within the containment, known as the "wetwell" or "torus". There are 11 safety overpressure relief valves on BWR/1-BWR/6 models (7 of which are part of the ADS) and 18 safety overpressure relief valves on ABWR models, only a few of which have to function to stop the pressure rise of a transient. In addition, the reactor will already have rapidly shut down before the transient affects the RPV (as described in the Reactor Protection System section below.

Because of this effect in BWRs, operating components and safety systems
Nuclear safety
Nuclear safety covers the actions taken to prevent nuclear and radiation accidents or to limit their consequences. This covers nuclear power plants as well as all other nuclear facilities, the transportation of nuclear materials, and the use and storage of nuclear materials for medical, power,...

 are designed to ensure that no credible scenario can cause a pressure and power increase that exceeds the systems' capability to quickly shutdown the reactor before damage to the fuel or to components containing the reactor coolant can occur. In the limiting case of an ATWS (Anticipated Transient Without Scram) derangement, high neutron power levels (~ 200%) can occur for less than a second, after which actuation of SRVs will cause the pressure to rapidly drop off. Neutronic power will fall to far below nominal power (the range of 30% with the cessation of circulation, and thus, void clearance) even before ARI or SLCS actuation occurs. Thermal power will be barely affected.

In the event of a contingency that disables all of the safety systems, each reactor is surrounded by a containment building
Containment building
A containment building, in its most common usage, is a steel or reinforced concrete structure enclosing a nuclear reactor. It is designed, in any emergency, to contain the escape of radiation to a maximum pressure in the range of 60 to 200 psi...

 consisting of 1.2–2.4 m (4–8 ft) of steel-reinforced, pre-stressed concrete designed to seal off the reactor from the environment.

However, the containment building does not protect the fuel during the whole fuel cycle. Most importantly, the spent fuel resides long periods of time outside the primary containment. A typical spent fuel storage pool can hold roughly five times the fuel in the core. Since reloads typically discharge one third of a core, much of the spent fuel stored in the pool will have had considerable decay time. But if the pool were to be drained of water, the discharged fuel from the previous two refuelings would still be "fresh" enough to melt under decay heat. However, the zircaloy cladding of this fuel could be ignited during the heatup. The resulting fire would probably spread to most or all of the fuel in the pool. The heat of combustion, in combination with decay heat, would probably drive "borderline aged" fuel into a molten condition. Moreover, if the fire becomes oxygen-starved (quite probable for a fire located in the bottom of a pit such as this), the hot zirconium would rob oxygen from the uranium dioxide fuel, forming a liquid mixture of metallic uranium, zirconium, oxidized zirconium, and dissolved uranium dioxide. This would cause a release of fission products from the fuel matrix quite comparable to that of molten fuel. In addition, although confined, BWR spent fuel pools are almost always located outside of the primary containment. Generation of hydrogen during the process would probably result in an explosion damaging the secondary containment building. Thus, release to the atmosphere is more likely than for comparable accidents involving the reactor core.

A spent fuel pool accident releasing radioactive material to the atmosphere happened in a Mk-1 type BWR reactor in Fukushima, Japan, on March 14, 2011.

Reactor Protection System (RPS)

The Reactor Protection System (RPS) is a system, computerized in later BWR models, that is designed to automatically, rapidly, and completely shut down and make safe the Nuclear Steam Supply System (NSSS – the reactor pressure vessel, pumps, and water/steam piping within the containment) if some event occurs that could result in the reactor entering an unsafe operating condition. In addition, the RPS can automatically spin up the Emergency Core Cooling System (ECCS) upon detection of several signals. It does not require human intervention to operate. However, the reactor operators can override parts of the RPS if necessary. If an operator recognizes a deteriorating condition, and knows an automatic safety system will activate, they are trained to pre-emptively activate the safety system.

If the reactor is at power or ascending to power (i.e. if the reactor is supercritical; the control rods are withdrawn to the point where the reactor generates more neutrons than it absorbs) there are safety-related contingencies that may arise that necessitate a rapid shutdown of the reactor, or, in Western nuclear parlance, a "SCRAM
Scram
A scram or SCRAM is an emergency shutdown of a nuclear reactor – though the term has been extended to cover shutdowns of other complex operations, such as server farms and even large model railroads...

". The SCRAM is a manually triggered or automatically triggered rapid insertion of all control rod
Control rod
A control rod is a rod made of chemical elements capable of absorbing many neutrons without fissioning themselves. They are used in nuclear reactors to control the rate of fission of uranium and plutonium...

s into the reactor, which will take the reactor to decay heat power levels within tens of seconds. Since ~ 0.6% of neutrons are emitted from fission products ("delayed" neutrons
Prompt neutron
In nuclear engineering, a prompt neutron is a neutron immediately emitted by a nuclear fission event, as opposed to a delayed neutron decay which can occur within the same context, emitted by one of the fission products anytime from a few milliseconds to a few minutes later.-Principle:Using U-235...

), which are born seconds/minutes after fission, all fission can not be terminated instantaneously, but the fuel soon returns to decay heat power levels. Manual SCRAMs may be initiated by the reactor operators; while automatic SCRAMs are initiated upon:
  1. Turbine stop-valve or turbine control-valve closure.
    1. If turbine protection systems detect a significant anomaly, admission of steam is halted. Reactor rapid shutdown is in anticipation of a pressure transient that could increase reactivity.
    2. Generator load rejection will also cause closure of turbine valves and trip RPS.
  2. Loss of offsite power (LOOP)
    1. During normal operation, the reactor protection system (RPS) is powered by offsite power
      1. Loss of offsite power would open all relays in the RPS causing all rapid shutdown signals to come in redundantly.
      2. would also cause MSIV to close since RPS is fail-safe; plant assumes a main steam break is coincident with loss of offsite power.
  3. Neutron Monitor Trips – the purpose of these trips are to ensure an even increase in neutron and thermal power during startup.
    1. Source range monitor (SRM) / intermediate-range monitor (IRM) upscale:
      1. The SRM, used during instrument calibration, pre-critical, and early non-thermal criticality, and the IRM, used during ascension to power, middle/late non-thermal, and early/middle thermal stages, both have trips built in that prevent rapid decreases in reactor period when reactor is intensely reactive (e.g. when no voids exist, water is cold, and water is dense) without positive operator confirmation that such decreases in period are their intention. Prior to trips occurring, rod movement blocks will be activated to ensure operator vigilance if preset levels are marginally exceeded.
    2. Average power range monitor (APRM) upscale:
      1. Prevents reactor from exceeding pre-set neutron power level maxima during operation or relative maxima prior to positive operator confirmation of end of startup by transition of reactor state into "Run".
    3. Average power range monitor / coolant flow thermal trip:
      1. Prevents reactor from exceeding variable power levels without sufficient coolant flow for that level being present.
  4. Low reactor water level indicative of:
    1. Loss of coolant contingency (LOCA)
    2. Loss of proper feedwater (LOFW)
    3. etc.
  5. High drywell (primary containment) pressure
    1. Indicative of potential loss of coolant contingency
  6. Main steam isolation valve closure (MSIV)
    1. Redundant backup for turbine trip
    2. Indicative of potential main steam line break
  7. High RPV pressure:
    1. Indicative of MSIV closure.
    2. Decreases reactivity to compensate for boiling void collapse due to high pressure.
    3. Prevents pressure relief valves from opening.
    4. Serves as a backup for several other trips, like turbine trip.

Emergency core-cooling system (ECCS)

While the reactor protection system is designed to prevent contingencies from happening, the ECCS is designed to respond to contingencies if they do happen. The ECCS is a set of interrelated safety systems that are designed to protect the fuel within the reactor pressure vessel, which is referred to as the "reactor core", from overheating. These systems accomplish this by maintaining reactor pressure vessel (RPV) cooling water level, or if that is impossible, by directly flooding the core with coolant.

These systems are of 3 major types:
  1. High pressure systems: These are designed to protect the core by injecting large quantities of water into it to prevent the fuel from being uncovered by a decreasing water level. Generally used in cases with stuck-open safety valves, small breaks of auxiliary pipes, and particularly violent transients caused by turbine trip and main steam isolation valve closure. If the water level cannot be maintained with high pressure systems alone (the water level still is falling below a preset point with the high-pressure systems working full-bore), the next set of systems responds.
  2. Depressurization systems: These systems are designed to maintain reactor pressure within safety limits. Additionally, if reactor water level cannot be maintained with high-pressure coolant systems alone, the depressurization system can reduce reactor pressure to a level at which the low-pressure coolant systems can function.
  3. Low-pressure systems: These systems are designed to function after the depressurization systems function. They have extremely large capacities compared to the high-pressure systems and are supplied by multiple, redundant power sources. They will maintain any maintainable water level, and, in the event of a large pipe break of the worst type below the core that leads to temporary fuel rod "uncovery", to rapidly mitigate that state prior to the fuel heating to the point where core damage could occur.

High-pressure coolant injection system (HPCI)

The high-pressure coolant injection system is the first line of defense in the emergency core cooling system. HPCI is designed to inject substantial quantities of water into the reactor while it is at high pressure so as to prevent the activation of the automatic depressurization, core spray, and low pressure coolant injection systems. HPCI is powered by steam from the reactor, and takes approximately 10 seconds to spin up from an initiating signal, and can deliver approximately 19,000 L/min (5,000 US gal/min) to the core at any core pressure above 6.8 atm (690 kPa, 100 psi). This is usually enough to keep water levels sufficient to avoid automatic depressurization except in a major contingency, such as a large break in the makeup water line.

Versioning note: The BWR/6 replaces HPCI with high-pressure core spray (HPCS); ABWRs and (E)SBWRs replace HPCI with high-pressure core flooder (HPCF), a mode of the RCIC system, as described below.

Isolation Condenser (IC)

Some reactors, including notably the (E)SBWR series of reactors, have a passive system called the Isolation Condenser. This is a heat exchanger located above containment in a pool of water open to atmosphere. In operation, decay heat boils steam, which is drawn into the heat exchanger and condensed; then it falls by weight of gravity back into the reactor. This process keeps the cooling water in the reactor, making it unnecessary to use powered feedwater pumps. The water in the open pool slowly boils off, venting clean steam to the atmosphere. This makes it unnecessary to run mechanical systems to remove heat. Periodically, the pool must be refilled, a simple task for a fire truck. The (E)SBWR reactors provide three days' supply of water in the pool. Some older reactors also have IC systems, including Fukushima Dai-ichi reactor 1, however their water pools may not be as large.

Under normal conditions, the IC system is not activated, but the top of the IC condenser is connected to the reactor's steam lines through an open valve. Steam enters the IC condenser and condenses until it is filled with water. When the IC system is activated, a valve at the bottom of the IC condenser is opened which connects to a lower area on the reactor. The water falls to the reactor via gravity, allowing the condenser to fill with steam, which then condenses. This cycle runs continuously until the bottom valve is closed.

Reactor core isolation cooling system (RCIC)

The reactor core isolation cooling system is not a safety-related system proper, but is included because it can help cool the reactor in the event of a contingency, and it has additional functionality in advanced versions of the BWR.

RCIC is a feedwater pump meant for emergency use. It is able to inject cooling water into the reactor at high pressure. It injects approximately 2,000 L/min (600 gpm) into the reactor core. It also takes less time to start than the HPCI system, approximately 5 seconds from an initiating signal. It has ample capacity to replace the cooling water boiled off by residual decay heat, and can even keep up with small leaks.

The RCIC system operates on high pressure steam from the reactor itself, and thus is operable with no electric power other than battery power to operate the control valves. Those turn the RCIC on and off as necessary to maintain correct water levels in the reactor. (If run continuously, the RCIC would overfill the reactor and send water down its own steam supply line.) During a station blackout (where all off-site power is lost and the diesel generators fail), the reactor may vent steam into the containment's wetwell (torus) where it condenses. The RCIC can make up this water loss, from either of two sources: a makeup water tank located outside containment, or the wetwell itself. The RCIC also uses the wetwell as the "condenser" for its own steam supply.
Versioning note: RCIC and HPCF are integrated in ABWRs and (E)SBWRs, with HPCF representing the high-capacity mode of RCIC.

Automatic depressurization system (ADS)

The Automatic depressurization system is not a part of the cooling system proper, but is an essential adjunct to the ECCS. It is designed to activate in the event that the RPV is retaining pressure, but RPV water level cannot be maintained using high pressure cooling alone, and low pressure cooling must be initiated. When ADS fires, it rapidly releases pressure from the RPV in the form of steam through pipes that are piped to below the water level in the suppression pool (the torus/wetwell), which is designed to condense the steam released by ADS or other safety valve activation into water), bringing the reactor vessel below 32 atm (3200 kPa, 465 psi), allowing the low pressure cooling systems (LPCS/LPCI/LPCF/GDCS), with extremely large and robust comparative coolant injection capacities to be brought to bear on the reactor core.

Low-pressure core spray system (LPCS)

The low-pressure core spray system is designed to suppress steam generated by a major contingency. As such, it prevents reactor vessel pressure from going above the point where LPCI and LPCS would be ineffective, which is above 32 atm (3200 kPa, 465 psi). It activates below that level, and delivers approximately 48,000 L/min (12,500 US gal/min) of water in a deluge from the top of the core.

Versioning note: In ABWRs and (E)SBWRs, there are additional water spray systems to cool the drywell and the suppression pool.

Low-pressure coolant injection system (LPCI)

The low-pressure coolant injection system, the "heavy artillery" in the ECCS, can be operated at reactor vessel pressures below 465 psi. The LPCI consists of 4 pumps driven by diesel engines, and is capable of injecting a mammoth 150,000 L/min (40,000 US gal/min) of water into the core . Combined with the CS to keep steam pressure low, the LPCI is designed to suppress contingencies by rapidly and completely flooding the core with coolant.

Versioning note: ABWRs replace LPCI with low-pressure core flooder (LPCF), which operates using similar principles. (E)SBWRs replace LPCI with the DPVS/PCCS/GDCS, as described below.

Depressurization valve system (DPVS) / passive containment cooling system (PCCS) / gravity-driven cooling system (GDCS)

The (E)SBWR has an additional ECCS capacity that is completely passive, quite unique, and significantly improves defense in depth. This system is activated when the water level within the RPV reaches Level 1. At this point, a countdown timer is started.

There are several large depressurization valves located near the top of the reactor pressure vessel. These constitute the DPVS. This is a capability supplemental to the ADS, which is also included on the (E)SBWR. The DPVS consists of eight of these valves, four on main steamlines that vent to the drywell when actuated and four venting directly into the drywell.

If Level 1 is not resubmerged within 50 seconds of the timer starting, DPVS will fire and will rapidly vent any pressure contained within the reactor pressure vessel into the drywell. This will cause the water within the RPV to gain in volume (due to the drop in pressure) which will increase the water available to cool the core. In addition, the depressurization will cause a lower boiling point, and thus more steam bubbles will form, decreasing moderation; this, in turn, decreases decay heat production, while still maintaining adequate cooling. (In fact, both the ESBWR and the ABWR are designed so that even in the maximum feasible contingency, the core never loses its layer of water coolant.)

If Level 1 is still not resubmerged within 100 seconds of DPVS actuation, then the GDCS valves fire. The GDCS is a series of very large water tanks located above and to the side of the Reactor Pressure Vessel within the drywell. When these valves fire, the GDCS is directly connected to the RPV. After ~50 more seconds of depressurization, the pressure within the GDCS will equalize with that of the RPV and drywell, and the water of the GDCS will begin flowing into the RPV.

The water within the RPV will boil into steam from the decay heat, and natural convection will cause it to travel upwards into the drywell, into piping assemblies in the ceiling that will take the steam to four large heat exchangers – the Passive Containment Cooling System (PCCS) – located above the drywell – in deep pools of water. The steam will be cooled, and will condense back into liquid water. The liquid water will drain from the heat exchanger back into the GDCS pool, where it can flow back into the RPV to make up for additional water boiled by decay heat. In addition, if the GDCS lines break, the shape of the RPV and the drywell will ensure that a "lake" of liquid water forms that submerges the bottom of the RPV (and the core within).

There is sufficient water to cool the heat exchangers of the PCCS for 72 hours. At this point, all that needs to happen is for the pools that cool the PCCS heat exchangers to be refilled, which is a comparatively trivial operation, doable with a portable fire pump and hoses.

GE has a computerized animation of how the ESBWR functions during a pipe break incident on their website.

Standby liquid control system (SLCS)

The standby liquid control system is used in the event of major contingencies as a last measure to prevent core damage. It is not intended ever to be used, as the RPS and ECCS are designed to respond to all contingencies, even if a quite a few of their components fail, but if a complete ECCS failure occurs, during a limiting fault, it could be the only thing capable of preventing core damage. The SLCS consists of a tank containing borated water
Borate
Borates are chemical compounds which contain oxoanions of boron in oxidation state +3. The simplest borate ion, BO33−, has a trigonal planar structure. Other borates are made up of trigonal BO3 or tetrahedral BO4 structural units, sharing oxygen atoms...

 as a neutron absorber
Nuclear poison
A neutron poison is a substance with a large neutron absorption cross-section in applications, such as nuclear reactors. In such applications, absorbing neutrons is normally an undesirable effect...

, protected by explosively-opened valves and redundant battery-operated pumps, allowing the injection of the borated water into the reactor against any pressure within; the borated water can and will shut down a reactor gone out of control. The SLCS also provides an additional layer of defense in depth against a ATWS derangement, but this is an extreme measure that can be avoided by numerous other channels (ARI and use of redundant hydraulics).

Versioning note: The SLCS is a system that is never meant to be activated unless all other measures have failed. In the BWR/1 – BWR/6, its activation could cause sufficient damage to the plant that it could make the older BWRs inoperable without a complete overhaul. With the arrival of the ABWR and (E)SBWR, operators do not have to be as reticent about activating the SLCS, as these reactors have a Reactor Water Cleanup System (RWCS) – once the reactor has stabilized, the borated water within the RPV can be filtered through this system to promptly remove the soluble neutron absorbers that it contains and thus avoid damage to the internals of the plant.

Containment system

The ultimate safety system inside and outside of every BWR are the numerous levels of physical shielding that both protect the reactor from the outside world and protect the outside world from the reactor.

There are five levels of shielding:
  1. The fuel rods inside the reactor pressure vessel are coated in thick Zircaloy
    Zircaloy
    Zirconium alloys are solid solutions of zirconium or other metals, a common subgroup having the trade mark Zircaloy. Zirconium has very low absorption cross-section of thermal neutrons, high hardness, ductility and corrosion resistance...

     shielding;
  2. The reactor pressure vessel itself is manufactured out of 6 inches (152.4 mm) steel, with extremely high temperature, vibration, and corrosion resistant surgical stainless steel grade grade 316L plate on both the inside and outside;
  3. The primary containment structure is made of steel 1 inch thick;
  4. The secondary containment structure is made of steel-reinforced, pre-stressed concrete 1.2–2.4 meters (4–8 ft) thick.
  5. The reactor building (the shield wall/missile shield) is also made of steel-reinforced, pre-stressed concrete 0.3 m to 1 m (1–3 feet) thick.


If every possible measure standing between safe operation and core damage fails, the containment can be sealed indefinitely, and it will prevent any substantial release of radiation to the environment from occurring in nearly any circumstance.

Varieties of BWR containments

As illustrated by the descriptions of the systems above, BWRs are quite divergent in design from PWRs. Unlike the PWR, which has generally followed a very predictable external containment design (the stereotypical dome atop a cylinder), BWR containments are varied in external form but their internal distinctiveness is extremely striking in comparison to the PWR. There are five major varieties of BWR containments:
  • The "premodern" containment (Generation I); spherical in shape, and featuring a steam drum separator, or an out-of-RPV steam separator, and a heat exchanger for low pressure steam, this containment is now obsolete, and is not used by any operative reactor.
  • the Mark I containment, consisting of a rectangular steel-reinforced concrete building, along with an additional layer of steel-reinforced concrete surrounding the steel-lined cylindrical drywell and the steel-lined pressure suppression torus below. The Mark I was the earliest type of containment in wide use, and many reactors with Mark Is are still in service today. There have been numerous safety upgrades made over the years to this type of containment, especially to provide for orderly reduction of containment load caused by pressure in a compounded limiting fault. The reactor building of the Mark I generally is in the form of a large rectangular structure of reinforced concrete.
  • the Mark II containment, similar to the Mark I, but omitting a distinct pressure suppression torus in favor of a cylindrical wetwell below the non-reactor cavity section of the drywell. Both the wetwell and the drywell have a primary containment structure of steel as in the Mark I, as well as the Mark I's layers of steel-reinforced concrete composing the secondary containment between the outer primary containment structure and the outer wall of the reactor building proper. The reactor building of the Mark II generally is in the form of a flat-topped cylinder.
  • the Mark III containment, generally similar in external shape to the stereotypical PWR, and with some similarities on the inside, at least on a superficial level. For example, rather than having a slab of concrete that staff could walk upon while the reactor was not being refueled covering the top of the primary containment and the RPV directly underneath, the Mark III takes the BWR in a more PWRish direction by placing a water pool over this slab. Additional changes include abstracting the wetwell into a pressure-suppression pool with a weir wall separating it from the drywell.
  • Advanced containments; the present models of BWR containments for the ABWR and the ESBWR are harkbacks to the classical Mark I/II style of being quite distinct from the PWR on the outside as well as the inside, though both reactors incorporate the Mark III-ish style of having non-safety-related buildings surrounding or attached to the reactor building, rather than being overtly distinct from it. These containments are also designed to take far more than previous containments were, providing advanced safety. In particular, GE regards these containments as being able to withstand a direct hit by a tornado of Old Fujitsa Scale 6 with winds of 330+ miles per hour. Such a tornado has never been measured on earth. They are also designed to withstand seismic accelerations of .2 G, or nearly 2 meters per second2 in any direction.

Hydrogen management

During normal plant operations and in normal operating temperatures, the hydrogen generation is not significant. When the nuclear fuel overheats, zirconium
Zirconium
Zirconium is a chemical element with the symbol Zr and atomic number 40. The name of zirconium is taken from the mineral zircon. Its atomic mass is 91.224. It is a lustrous, grey-white, strong transition metal that resembles titanium...

 in Zircaloy
Zircaloy
Zirconium alloys are solid solutions of zirconium or other metals, a common subgroup having the trade mark Zircaloy. Zirconium has very low absorption cross-section of thermal neutrons, high hardness, ductility and corrosion resistance...

 cladding used in fuel rods oxidizes in reaction with steam:
Zr + 2H2O → ZrO2 + 2H2

When mixed with air, hydrogen is flammable, and hydrogen detonation or deflagration may damage the reactor containment. In reactor designs with small containment volumes, such as in Mark I or II containments, the preferred method for managing hydrogen is pre-inerting with inert gas—generally nitrogen—to reduce the oxygen concentration in air below that needed for hydrogen combustion, and the use of thermal recombiners. Pre-inerting is considered impractical with larger containment volumes where thermal recombiners and deliberate ignition are used.

The safety systems in action: the Design Basis Accident

The Design Basis Accident (DBA) for a nuclear power plant is the most severe possible single accident that the designers of the plant and the regulatory authorities could reasonably expect. It is, also, by definition, the accident the safety systems of the reactor are designed to respond to successfully, even if it occurs when the reactor is in its most vulnerable state. The DBA for the BWR consists of the total rupture of a large coolant pipe in the location that is considered to place the reactor in the most danger of harm—specifically, for older BWRs (BWR/1-BWR/6), the DBA consists of a "guillotine break" in the coolant loop of one of the recirculation jet pumps, which is substantially below the core waterline (LBLOCA, large break loss of coolant accident) combined with loss of feedwater to make up for the water boiled in the reactor (LOFW, loss of proper feedwater), combined with a simultaneous collapse of the regional power grid, resulting in a loss of power to certain reactor emergency systems (LOOP, loss of offsite power). The BWR is designed to shrug this accident off without core damage.

The description of this accident is applicable for the BWR/4, which is the oldest model of BWR in common service.

The immediate result of such a break (call it time T+0) would be a pressurized stream of water well above the boiling point shooting out of the broken pipe into the drywell, which is at atmospheric pressure. As this water stream flashes into steam, due to the decrease in pressure and that it is above the water boiling point at normal atmospheric pressure, the pressure sensors within the drywell will report a pressure increase anomaly within it to the reactor protection system at latest T+0.3. The RPS will interpret this pressure increase signal, correctly, as the sign of a break in a pipe within the drywell. As a result, the RPS immediately initiates a full SCRAM, closes the main steam isolation valve (isolating the containment building), trips the turbines, attempts to begin the spinup of RCIC and HPCI, using residual steam, and starts the diesel pumps for LPCI and CS.

Now let us assume that the power outage hits at T+0.5. The RPS is on a float uninterruptable power supply, so it continues to function; its sensors, however, are not, and thus the RPS assumes that they are all detecting emergency conditions. Within less than a second from power outage, auxiliary batteries and compressed air supplies are starting the Emergency Diesel Generators. Power will be restored by T+25 seconds.

Let us return to the reactor core. Due to the closure of the MSIV (complete by T+2), a wave of backpressure will hit the rapidly depressurizing RPV but this is immaterial, as the depressurization due to the recirculation line break is so rapid and complete that no steam voids will likely collapse to liquid water. HPCI and RCIC will fail due to loss of steam pressure in the general depressurization, but this is again immaterial, as the 2,000 L/min (600 US gal/min) flow rate of RCIC available after T+5 is insufficient to maintain the water level; nor would the 19,000 L/min (5,000 US gal/min) flow of HPCI, available at T+10, be enough to maintain the water level, if it could work without steam. At T+10, the temperature of the reactor core, at approximately 285 °C (550 °F) at and before this point, begins to rise as enough coolant has been lost from the core that voids begin to form in the coolant between the fuel rods and they begin to heat rapidly. By T+12 seconds from the accident start, fuel rod uncovery begins. At approximately T+18 areas in the rods have reached 540 °C (1000 °F). Some relief comes at T+20 or so, as the negative temperature coefficient and the negative void coefficient slows the rate of temperature increase. T+25 sees power restored; however, LPCI and CS will not be online until T+40.

At T+40, core temperature is at 650 °C (1200 °F) and rising steadily; CS and LPCI kick in and begins deluging the steam above the core, and then the core itself. First, a large amount of steam still trapped above and within the core has to be knocked down first, or the water will be flashed to steam prior to it hitting the rods. This happens after a few seconds, as the approximately 200,000 L/min (3,300 L/s, 52,500 US gal/min, 875 US gal/s) of water these systems release begin to cool first the top of the core, with LPCI deluging the fuel rods, and CS suppressing the generated steam until at approximately T+100 seconds, all of the fuel is now subject to deluge and the last remaining hot-spots at the bottom of the core are now being cooled. The peak temperature that was attained was 900 °C (1650 °F) (well below the maximum of 1200 °C (2200 °F) established by the NRC) at the bottom of the core, which was the last hot spot to be affected by the water deluge.

The core is cooled rapidly and completely, and following cooling to a reasonable temperature, below that consistent with the generation of steam, CS is shut down and LPCI is decreased in volume to a level consistent with maintenance of a steady-state temperature among the fuel rods, which will drop over a period of days due to the decrease in fission-product decay heat within the core.

After a few days of LPCI, decay heat will have sufficiently abated to the point that defueling of the reactor is able to commence with a degree of caution. Following defueling, LPCI can be shut down. A long period of physical repairs will be necessary to repair the broken recirculation loop; overhaul the ECCS; diesel pumps; and diesel generators; drain the drywell; fully inspect all reactor systems, bring non-conformal systems up to spec, replace old and worn parts, etc. At the same time, different personnel from the licensee working hand in hand with the NRC will evaluate what the immediate cause of the break was; search for what event led to the immediate cause of the break (the root causes of the accident); and then to analyze the root causes and take corrective actions based on the root causes and immediate causes discovered. This is followed by a period to generally reflect and post-mortem the accident, discuss what procedures worked, what procedures didn't, and if it all happened again, what could have been done better, and what could be done to ensure it doesn't happen again; and to record lessons learned to propagate them to other BWR licensees. When this is accomplished, the reactor can be refueled, resume operations, and begin producing power once more.

The ABWR and ESBWR, the most recent models of the BWR, are not vulnerable to anything like this incident in the first place, as they have no liquid penetrations (pipes) lower than several feet above the waterline of the core, and thus, the reactor pressure vessel holds in water much like a deep swimming pool in the event of a feedwater line break or a steam line break. The BWR 5s and 6s have additional tolerance, deeper water levels, and much faster emergency system reaction times. Fuel rod uncovery will briefly take place, but maximum temperature will only reach 600 °C (1,100 °F), far below the NRC safety limit.

Prior to the Fukushima Daiichi nuclear disaster
Fukushima Daiichi nuclear disaster
The is a series of equipment failures, nuclear meltdowns, and releases of radioactive materials at the Fukushima I Nuclear Power Plant, following the Tōhoku earthquake and tsunami on 11 March 2011. The plant comprises six separate boiling water reactors originally designed by General Electric ,...

 (involving BWR 3 and BWR 4 reactors) caused by the March 2011 Tōhoku earthquake and tsunami
2011 Tōhoku earthquake and tsunami
The 2011 earthquake off the Pacific coast of Tohoku, also known as the 2011 Tohoku earthquake, or the Great East Japan Earthquake, was a magnitude 9.0 undersea megathrust earthquake off the coast of Japan that occurred at 14:46 JST on Friday, 11 March 2011, with the epicenter approximately east...

, no incident approaching the DBA or even a LBLOCA in severity had occurred with a BWR . The Fukushima incidents are still ongoing and it would be premature to draw conclusions on their ultimate severity, but they already exceed the severity of the DBA in several respects. For example, the primary containment vessels have had to be flooded with seawater containing boric acid, which is likely to preclude any resumption of operation. Nothing similar to the chemical explosions that have occurred at the Fukushima Daiichi reactors was anticipated in the DBA scenario.

Before this incident there had been minor incidents involving the ECCS, but in these circumstances it had performed at or beyond expectations. The most severe incident that had previously occurred with a BWR was in 1975 due to a fire caused by extremely flammable urethane foam
Foam
-Definition:A foam is a substance that is formed by trapping gas in a liquid or solid in a divided form, i.e. by forming gas regions inside liquid regions, leading to different kinds of dispersed media...

 installed in the place of fireproofing
Fireproofing
Fireproofing, a passive fire protection measure, refers to the act of making materials or structures more resistant to fire, or to those materials themselves, or the act of applying such materials. Applying a certification listed fireproofing system to certain structures allows these to have a...

 materials at the Browns Ferry Nuclear Power Plant; for a short time, the control room's monitoring equipment was cut off from the reactor, but the reactor shut down successfully, and, as of 2009, is still producing power for the Tennessee Valley Authority
Tennessee Valley Authority
The Tennessee Valley Authority is a federally owned corporation in the United States created by congressional charter in May 1933 to provide navigation, flood control, electricity generation, fertilizer manufacturing, and economic development in the Tennessee Valley, a region particularly affected...

, having sustained no damage to systems within the containment. The fire had nothing to do with the design of the BWR – it could have occurred in any power plant, and the lessons learned from that incident resulted in the creation of a separate backup control station, compartmentalization of the power plant into fire zones and clearly documented sets of equipment which would be available to shut down the reactor plant and maintain it in a safe condition in the event of a worst case fire in any one fire zone. These changes were retrofitted into every existing US and most Western nuclear power plants and built in to new plants from that point forth.

Notable activations of BWR safety systems

General Electric defended the design of the reactor, stating that the station blackout caused by the 2011 Tōhoku earthquake and tsunami
2011 Tōhoku earthquake and tsunami
The 2011 earthquake off the Pacific coast of Tohoku, also known as the 2011 Tohoku earthquake, or the Great East Japan Earthquake, was a magnitude 9.0 undersea megathrust earthquake off the coast of Japan that occurred at 14:46 JST on Friday, 11 March 2011, with the epicenter approximately east...

 was a "beyond-design-basis" event which led to Fukushima I nuclear accidents. According to the Nuclear Energy Institute, "Coincident long-term loss of both on-site and off-site power for an extended period of time is a beyond-design-basis event for the primary containment on any operating nuclear power plant".

The reactors shut down as designed after the earthquake. However, the tsunami disabled all diesel backup generators which operated the emergency cooling systems and pumps. Pumps were designed to circulate hot fluid from the reactor to be cooled in the wetwell, but they did not have any power. The reactor cores overheated and likely melted. Radioactivity was released into the air as fuel rods were damaged due to overheating by exposure to air as water levels fell below safe levels. As an emergency measure, operators resorted to injecting seawater into the drywell to cool the reactors, but would also ruin them for future operation. Reactors 1–3, and by some reports 4 all suffered violent hydrogen explosions March 2011 which damaged or destroyed their top levels or lower suppression level (unit 2). Fires in spent fuel ponds also released radiation.

As emergency measures, helicopters attempted to drop water from the ocean onto the open rooftops. Later water was sprayed from fire engines onto the roof of reactor 3. A concrete pump was used to pump water into the spent fuel pond in unit 4.

The accident released up to 10,000 terabecquerels of radioactive
iodine-131 per hour in the initial days, and up to 630,000 terabequerels total, about one tenth the 5.2 million terabecquerels released at Chernobyl.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK