Although
there are some features of the BWR that contributed to the current problems at
Fukushima, the fundamental problem was the automatic tripping of the four
operating reactors on detection of the earthquake and the shutdown condition of
the other two reactors, which together with the presumed loss of a grid
connection, meant that the sole means of control and residual core fission and
heat removal was the standby diesel generator system.
Assuming that the control rods were fully lifted – they come up from under the
reactor in the case of the BWR - and had there been a means of residual heat
removal there might have been no severe consequences of the earthquake and
tsunami. Under normal circumstances there would have been no need for the
standby generators as there would always have been one at least
operating reactor able to maintain supplies to others shutdown and to maintain a
filtered, cooled circulation of the spent fuel ponds. There may have been only
one standby generation system for the entire complex.
The loss of station power and of the standby diesel generation backup, not just
for an emergency shutdown, but also during a routine fuel change must therefore
be a concern for the UK new build. But the release of hydrogen and the
consequent explosions when venting the reactor vessels because of a rising and
dangerous build up of pressure is the main concern.
Consideration of the consequences of the incident at Fukushima in respect
of the designs of the EPR and the AP1000, the sole candidate reactors for the
UK, currently
under HSE/NII-EA GDA assessment, follows.
In
the case of the EPR there are two separate diesel generator facilities, sited at
opposite sides of the reactor.
The EPR is provided with four standby diesel generators systems, so that
in the event of a reactor trip coinciding with a loss of external power,
provided to least one system operates, the normal shutdown procedure can be
maintained. There are also two additional generators to deal with a station
black-out.
The Emergency Core Cooling System (ECCS) is a comprehensive Safety Injection/Residual Heat Removal system
with four independent “trains”
deploying pumps, accumulators and heat exchangers to deal with a range of
coolant problems.
However, the following statement
appears in the process description:-
“A dedicated set of valves
for depressurising the primary circuit is installed on the pressuriser, in
addition to the usual relief and safety valves, to prevent the risk of a high
pressure core melt accident”
The depressurising of the coolant circuit
needs to keep in step with a reduction in the saturation temperature in order to
avoid the coolant flashing to steam, reducing the heat transfer and raising the
can cladding temperature and leading to the ion exchange between the zirconium
and the steam and the production of hydrogen.
It is not clear in what circumstances the depressurising valves would
come into operation. It may be that the safety injection system pressure is
unable to match the decaying pressure in the cooling circuit in circumstances
where there is a small but significant loss of coolant and the depressurisation
is activated. This activation could develop unnecessarily into a similar
situation to that which at Fukushima led to a hydrogen explosion.
The
EPR has a "active" emergency system, which is quite different to the
"passive" AP1000 emergency sytem as it is devised to cool a melted core in the corium "catcher"
under the reactor vessel assuming melt avoidance methods have failed
The
containment is designed to take a hydrogen deflagration pressure of 5.5 bar. The
system arranges to spray the containment internally. There are also hydrogen
"recombiners" in the containment to keep its concentration below 10%.
(Explosive limits by volume are 18.3% to 59%) Presumably this measure is to
avoid a hydrogen detonation which the containment might not hold.
The route of a release from the reactor vessel pressure
relief valve is not shown and the valve may vent into the containment. It
would be advisable to vent the release externally as it could contain
hydrogen. At Fukushima the overpressure was vented into the buildings and
considerable damage to the buildings and the spent fuel ponds was caused.
The design philosophy therefore seems to be
in need of scrutiny. Rather than preventing a core melt, it could cause it.
The key reference document is the AP1000 Plant
Description.
See http://www.ne.doe.gov/pdfFiles/AP1000_Plant_Description.pdf
Westinghouse
claims that the automatic AP1000 passive core cooling system (PCCS) operation
needs no standby generation. There are standby generators, but not provided with
the same redundancy as normally assumed to be necessary.
From
the Westinghouse Plant Description:-
“Off-site power has no
safety-related function due to the passive safety features incorporated in the
AP1000 design. Therefore, redundant off-site power supplies are not required.
The design provides a reliable offsite power system that minimises challenges to
the passive safety system.”
As part of the AP1000 pressurised
water reactor design certification program, a series of integral systems tests
of the nuclear steam supply system was performed at the APEX-1000 test facility
at Oregon State University. The APEX-1000 facility is a 1/4-scale pressure and
1/4-scale height simulation of the AP1000 nuclear steam supply system and
passive safety features.
See http://article.nuclear.or.kr/jknsfile/v39/JK0390287.pdf
The
heat in the core was represented by an electrical heater, but otherwise the
plant items were similar and appropriately sized to the smaller scale.
The
operation of the passive core cooling system following a loss of coolant is
described in the APEX test facility report as follows:-
“The break opens at time zero, and the pressuriser
pressure begins to fall as mass is lost through the break. The depressurisation
rate is largely determined by critical two-phase flow through the break.
When the pressuriser pressure falls below the safety
signal set point, a safety systems actuation signal is issued, which causes the
reactor to trip. The signal also causes the opening of the core makeup tanks and
the passive residual heat removal heat exchanger isolation valves. Once the
residual fissions decrease, core power is defined by the decay heat model.
The reactor coolant pumps trip after a short delay, and
the rapid coast down expected from the AP1000 canned motor reactor coolant pumps
is simulated.
After the pumps coast down, the primary reactor coolant system is cooled by natural circulation, with energy removed from the primary system by heat up of the steam generators, recirculation flow to the core makeup tanks, and fluid loss through the break. Stored energy from the metal in the primary system is transferred to the coolant.
The
liquid in the upper plenum and upper head may flash, and as the primary system pressure continues to fall, the upper
head will begin to drain.”
The initial leak is described as "critical
two-phase flow" which is presumably a mixture of water and steam. Once the
reactor trips, i.e., the control rods drop, there will be some residual heat
that needs to be removed. (In the actual AP1000 there will also be residual
fission and residual heat.) The reactor coolant pumps trip after a short
delay and then "coast down", presumably powered by the flywheel
energy. The energy is removed from the primary system by heat up of the steam
generators by pumped circulation.
The APEX test facility report then assumes that liquid
in the reactor vessel upper plenum and upper head may flash, in which it assumes
that the flash steam appears on the surface of the water. This is incorrect. As
the pressure of hot water under pressure falls, bubbles of steam will appear
throughout the water. This phenomenon is confirmed by the release of the
"two-phase flow".
This means that at the surface of the cans the
heat transfer rate will rapidly deteriorate and the surface temperature
will rise. It is this phenomenon that splits the steam into hydrogen and
water by ion exchange of oxygen from the water to the zirconium cans.
Zirconium
See Wikipedia:-.
http://en.wikipedia.org/wiki/Zirconium_alloy#Oxidation_of_zirconium_by_steam
“Zirconium ... reacts with steam at high temperature. Oxidation by water
is accompanied by release of hydrogen gas. This oxidation is accelerated at high
temperatures, e.g. inside a reactor core if the fuel assemblies are no longer
completely covered by liquid water and insufficiently cooled. Metallic zirconium
is then oxidized by the protons of water to form hydrogen gas according to the
following redox reaction: Zr + 2 H2O = ZrO2 + 2 H2”
There does not appear to be any monitoring of the
heater surface temperatures in the APEX test facility simulation and the report
does not state when the power to the heater is switched off. It may be that the
electric heater does not adequately simulate the residual fission and heat in a
reactor core after the control rods have been applied. It could have been
arranged for the power to the heater to have been initially reduced to 7% of the
full power, simulating the residual heat. Moreover, the heater elements
may well have been clad in Inconel and not in zirconium.
Normal re-fuelling shutdown
In a normal PWR shut down the coolant pumps and steam
generators take off the first tranche of heat as steam which is passed to the
turbine bypass condenser, followed then by the residual heat removal cooling
circuits. The residual heat removal system is not brought into operation until
the temperature has dropped to 180°C and the reactor vessel pressure to 3 Mpa.
This is well below the saturation temperature of 234°C, so that there is no
potential for flash steam production in the coolant circuit.
The turbine bypass can then be closed and the reactor
coolant pumps progressively stopped from running. It then takes up to 24 hours
for the residual heat removal system to reduce the water temperature to 60°C.
During this shutdown process it is essential to maintain the reactor vessel
pressure above that corresponding to the saturation temperature to avoid the
production of flash steam and the consequent production of hydrogen. For a
normal shut down, standby power of at least 25 MW is required. The four coolant
pumps each take 6000 kW.
The AP1000 Passive Core Cooling System (PCCS)
For an animated diagram of the PCCS see:-
See
http://www.ap1000.westinghousenuclear.com/ap1000_psrs_pccs.html
Westinghouse claims that the AP1000 passive core cooling system will “maintain
core cooling
and containment integrity for an indefinite period of time following design
basis events assuming the most limiting single failure, no operator action and
no onsite and offsite ac power sources.”
The
plant description does not specifically state that the PCCS is powered by the dc
batteries, but “no … ac power sources” infers a resort to dc
sources. There could be some functions that could be operated by exigent
pressures and temperatures, but not, for example, explosive squib valves. The
control of the PCCS was assumed to be a programmable logic controller with an
inverted uninterruptible ac supply from the batteries or dc also from the
batteries, which appear in the plant description.
However,
Westinghouse UK (by email) denied that any power supply, ac or dc, is necessary
for the PCCS operation as follows:-
“For
an event involving a complete loss of ac power without a LOCA such as what
occurred at Fukushima, dc power is not required for operation of the AP1000 PCCS.
There are three flow paths from the PCCS water storage tank to provide cooling
of the containment in the event of an accident. Two flow paths are
isolated by air operated valves and one flow path is isolated by a motor
operated valve. On a loss of all ac power, the air operated valves fail
open and PCCS cooling is initiated. The batteries provide the power to
open the redundant flow path isolated by the motor operated valve; however, one
flow path is sufficient to provide cooling. … also note for response
to abnormal or accident conditions, the AP1000 does not rely on operation of
either the (turbine bypass) condensers or main feedwater pumps.”.
It
appears from the plant description, that in an event causing a reactor trip
coinciding with a loss of external power, as happened at Fukushima, the standby
power would be insufficient to power a normal shutdown and the PCCS would be
applied. However, the AP1000 control rod mechanisms are designed to drop the
rods by gravity with a loss of power. (This offers an advantage over the GE
ESBWR, which requires an hydraulic “scram” system to lift the rods from
under the reactor vessel in a claimed 1.1 seconds.)
The report of the APEX simulation includes a dimensionless plot of a “AP1000 Typical SBLOCA Pressure Transient” (SBLOCA = small break loss of coolant accident).
This
shows (self-evidentially) that before the gravity or compressed gas water
injection can enter the reactor vessel or coolant circuit the initial pressure
has to be relieved to a third or so of its former working pressure. This means
that the contents of the circuit will flash to a mixture of water and steam.
Whether or not the reactor has tripped, as showed at Fukushima, the fission or
residual fission heat and the concomitant poor heat transfer means that the
zirconium can surface temperature will rapidly rise and produce hydrogen from
the steam. This means that the “two-phase flow” venting from the “small
break” will carry hydrogen and if it is above its auto-ignition temperature it
will explode.
The
PCCS therefore is of little use for a “small break” and it would be better
to ensure that the reactor trips and its residual heat be reduced by allowing
the pressure in the circuit to be relieved through the “small break”, which
may allow the reduction in pressure to match the equivalent saturation
temperature and avoid too much flash steam arising. It would also be advisable
that sufficient standby power was made available to operate the turbine bypass
condenser and its coolant as there may still be sufficient pressure and
temperature in the vessel to make use of the steam generators and the
“coasting down” coolant pumps.
In
the event of a “large break” at full reactor power the PCCS may be of use,
because the pressure in the coolant circuit would have reduced drastically, the
core will be beginning to melt and the gravity and pressure injection essential.
It
may well be that had the standby generators been operable at Fukushima and the
control rods properly tripped, there would have been little consequences
resulting from the earthquake. So post-Fukushima, the lack of full AP1000
standby generation appears to be a mistaken design philosophy. The application
of the PCCS when there is no leak is inadvisable, as if there was sufficient
standby power a normal shutdown procedure could be followed. An unwarranted PCCS
operation would create an incident
and possible hydrogen explosion when none would otherwise have occurred.
The light water
reactor (LWR)
The PWR and the BWR are both of the generic LWR type and both rely on the maintenance of the coolant pressure to avoid the formation of flash steam and the consequent reduction in the heat transfer from the fuel cans.
The construction of the reactor pressure vessels is appropriately massive in regard to the vessel walls, especially in the case of the PWR which works at a higher pressure than that of the BWR. However, in both cases the vessels have "penetrations" to accommodate the control rod drive mechanisms (CRDMs). In the PWR they are in the vessel head, in the BWR on the underside of the vessel. On the EPR head there are penetrations (branches) for 89 CRDMs, while on the AP1000 head there are penetrations for 69 CRDMs. In comparison with wall thicknesses of 200 mm, the branch walls are but 15 mm thick. The complexity and multiplicity of the attachments on the top of the head and the consequent inaccessibility for inspection under an insulated cover needed to keep the mechanisms cool represents the most sensitive points for a loss of coolant.
The most likely “small break” would be from a
circumferential crack occurring in a control rod drive mechanism penetration as nearly happened
with a PWR reactor vessel head at Davis-Besse, Ohio, 2002. (The crack in the
penetration was fortunately not circumferential, but allowed boric acid to leak
and attack the ferritic shell). If this happened the severed control rod housing
would fly off and the violent pressure release could damage neighbouring control
rod mechanisms. It could well blast the vessel head cover off and stop some of
the rods dropping. It could mean that none or not all the control rods would
drop and the core would certainly then melt.
A similar severance of a control rod penetration under
a BWR reactor vessel could also be catastrophic as it might prevent rods from
lifting while initiating a loss of coolant.
A “big break” occurrence would mean an instant loss
of pressure and an immediate flash steam production and with the concomitant
hydrogen production could result in an explosion and core meltdown. In this
case, if not damaged by the explosion, an ECCS would offer some remedy as the
circuit pressure would be relieved and the gravity and compressed gas water
injection would meet little resistance, but the scenario is not described in the
APEX test report.
The UKAEA scientists had at one time considered that the security of the LWR
containment could not be guaranteed. It was this aspect that led to the adoption
of the advanced-gas cooled reactor (AGR) in the UK, which it was considered
could cope with a loss of coolant better, because the heat transfer rate is
intrinsically lower from metal to gas and the cooling circuit is designed
accordingly.
Conclusions
To avoid a hydrogen explosion it is necessary in an
emergency to follow a normal shutdown procedure as near as possible to avoid the
formation of flash steam. This means that in the event of simultaneously losing
an external power supply an adequate standby power system is instantaneously
required. This cannot be guaranteed.
The Fukushima incident showed that venting before the
residual core heat has been reduced causes hydrogen to be produced and it is
likely to be above its auto-ignition temperature and explode. Because of the
propensity to then lead to a core meltdown, the generic light water reactor
should no longer be adopted for the UK’s power generation..
It also appears that the AP1000’s passive core
cooling system (PCCS) offers no real security to it. The APEX-1000 simulation
tests shows a rapid de-pressurisation, which should in all circumstances be
avoided.
Spent fuel ponds
The automatic tripping of the four
operating reactors by the detection of the earthquake and the shutdown condition
of the other two reactors, together with the presumed loss of a grid connection
meant that the means of control and residual core heat management was lost by
failure of the standby diesel generator system.
Assuming that the control rods were fully lifted, had there been a means of
residual heat removal there might have been no severe consequences of the
earthquake and tsunami. Under normal circumstances there would have been no
need for the standby generators as there would always have been one at least
operating reactor able to maintain supplies to others shutdown and to maintain a
filtered, cooled circulation of the spent fuel ponds. There may have been only
one standby generation system for the entire complex.
The loss of the standby diesel generation must therefore be the principle
concern for the UK new build. It is noted that in the case of the EPR there are two
separate diesel generator facilities, sited at opposite sides of the reactor. It
is claimed that the AP1000 passive core cooling safety system is independent of
ac standby supplies or dc batteries for its operation, but which is taken up as
an issue above. But external supplies or standby generators would be needed for
the spent fuel pond cooling..
However, what is of concern in regard to any type of reactor associated with the
new build is the situation at the end of the claimed operational life of 60
years. Assuming that some of the new build is commissioned in 2020, then 60
years takes the decommissioning to commence in 2080. Thereafter residual heat
removal will be needed, but the main problem will be the maintenance of
cooling and filtering the contents of the spent fuel ponds for a further 10 to
20 years. Depending on how long it takes for the last spent fuel to be cool
enough to be transferred to the dry casks, there could be a need to require an
alternative electricity supply or standby generation to be available until the
turn of the century in 2100.
The review of the Fukushima event and
its consequences for the UK’s new build, should consider carefully the
situation in 2080 or before then, because (as is a huge problem in the US) there
will be a number of filled or in transition spent fuel ponds requiring
a secure electricity supply with no associated nuclear generator. There
will also be a need for electricity for cranage for placing the spent fuel in
the dry casks. This will also need to be continuity of supply for the Sizewell B
spent fuel pond until perhaps 2050.
BP's Statistical Review of 2011 recorded a global "plateau" in "all-oils"
production from 2008 to 2010, while the normal "swing" producer, Saudi Arabia
experienced its national peak in 2005, so the availability of diesel fuel in the
near future, let alone in 2080, must be a cause of concern. It means that because,
as in the case of Fukushima all available normal supplies were lost, the
fuelling of the standby generators needs consideration.
An analysis of the uranium market
shows that its supply may not match the demands of the current new build,
let alone enable the retiring new build fleets to be replaced in 2080. The
diesel stored in tanks on the station sites for the next 80 years or so may
be subject to degradation. As it will be very expensive throughout the period,
it could be the subject of theft. Coal is anticipated to last a little
longer than oil and natural gas, but it may be impossible to maintain a heap of
coal and an associated coal-fired generator on the site, nor a suitable
biomass alternative, because of general fuel shortages of any sort at the turn
of the century.
The situation exigent at the time of the closure of the new build is
indeterminable. Ageing may not allow the operation to endure for the claimed 60
years without substantial component renewal, but even if just the 40 years
current lifespan is attained, it is still over-optimistic to be able to
determine the situation in 2060.
In short the inability to determine the fate of the new build from
2060 to 2080 and beyond is reason enough for the new build to be abandoned. The
insecurity of the LWR coolant containment and the potential for a hydrogen
explosion and core meltdown adds another more compelling reason for its
abandonment.
John Busby
6 April 2011