PRELIMINARY FUNCTIONAL SAFETY ASSESSMENT FOR MOLTEN SALT FAST REACTORS IN THE FRAMEWORK OF THE SAMOFAR PROJECT


Anna Chiara Uggenti (1), Delphine Gérardin (2), Andrea Carpignano (1), Sandra Dulla (1), Elsa Merle (2), Daniel Heuer (2), Axel Laureau (2), Michel Allibert (2)

(1) NEMO group, DENERG, Politecnico di Torino, C.so Duca degli Abruzzi 24, Torino, Italy; anna.uggenti@polito.it, andrea.carpignano@polito.it, sandra.dulla@polito.it
(2) LPSC-IN2P3-CNRS, UJF, Grenoble INP, 53 rue des Martyrs, Grenoble, France; gerardin@lpsc.in2p3.fr, merle@lpsc.in2p3.fr, daniel.heuer@lpsc.in2p3.fr, laureau.axel@gmail.com, mallibert@orange.fr

OUTLINE

- Introduction and objective of the work
- Description of the system
- Methodology
- Results
  - List of postulated initiating events
  - Design open points, procedures and phenomena
- Conclusions and perspectives

INTRODUCTION AND OBJECTIVE OF THE WORK

Generation IV goal areas:
- Sustainability
- Safety and reliability
- Economic competitiveness
- Proliferation resistance and physical protection

Objectives of the work:
- Define and use a new method, based on functional analyses, that allows the study of systems whose design is still at the preliminary phase
- Identify functional deviations able to compromise system safety (in terms of Postulated Initiating Events, PIEs, the most challenging conditions for the safety of the plant)
- Recognize criticalities, lack of information and potential limitations in the current design, and suggest the possible need for supplementary safety provisions

This methodology aims at influencing the direction of the concept and design development from its earliest stages: BUILT-IN.

DESCRIPTION OF THE SYSTEM

- The MSFR is characterized by a circulating liquid fuel that also plays the role of coolant
- The MSFR is an iso-breeder reactor with a fast neutron spectrum
- Three closed circuits are involved in power generation (the fuel circuit, the intermediate circuit and the power conversion circuit, BoP), plus an open circuit acting as heat sink
- The selected fuel salt is a molten binary fluoride salt with 77.5 mol% of lithium fluoride; the remaining 22.5 mol% is a mix of heavy nuclei fluorides (fissile and fertile matter)
- Auxiliary and safety systems complete the power plant; in particular, two types of draining systems: the Emergency Draining System (EDS) and the routine draining system
- Its design is still preliminary

Source: D1.1 Description of initial reference design and identification of safety aspects, SAMOFAR_D1.1._v3_15feb2016

FUEL CIRCUIT DESCRIPTION

- Torus shaped core enclosed in a vessel which serves as the container for the fuel salt, with tanks located around the vessel
- 16 sectors are arranged circumferentially in the vessel, inserted from the top
- Sector = a heat exchanger, a circulation pump, a bubble injector and a gas separator, a blanket salt tank and cooling equipment

Source: D1.1 Description of initial reference design and identification of safety aspects, SAMOFAR_D1.1._v3_15feb2016

SYSTEM SAFETY PECULIARITIES

- Circulating molten salt
- Possibility of a passive reconfiguration of the core
- Emergency Draining System (EDS)
- Frequent/daily adjustment of the fuel salt composition: low reactivity reserves in core BUT risk of reactivity insertion during loading
- Significant part of the fuel inventory located outside the core in the recirculation sectors
- Reduced fraction of delayed neutrons
- Continuously mixed fuel: homogeneous composition and fuel irradiation reasonably uniform
- Atmospheric pressure in the fuel circuit
- Structures at higher temperatures; HX, pumps and fuel circuit instrumentation in direct contact with the fuel

Source: D1.1 Description of initial reference design and identification of safety aspects, SAMOFAR_D1.1._v3_15feb2016

THE ISAM (Integrated Safety Assessment Methodology)

Because of the unique characteristics of the MSFR and its preliminary design, the safety assessment of the reactor has to rely on the basics of nuclear safety and on technology-neutral methodologies.

- FFMEA and MLD
- Lines of Defence

POSTULATED INITIATING EVENT IDENTIFICATION

Postulated Initiating Events (PIEs): the most representative accident initiators, in terms of radiological consequences, among a set of elementary events challenging the plant in a similar way and producing equivalent fault plant conditions.

Two methodologies have been selected for the identification of PIEs:
- Functional Failure Mode and Effect Analysis (FFMEA): identification of the system functions and study of the consequences of the loss of each function. Bottom-up approach.
- Master Logic Diagram (MLD): selection of a hazard (top event) and identification of all possible causes. Top-down approach.

Two complementary approaches are used with the goal of being as exhaustive as possible in the identification of PIEs.

FFMEA: DESCRIPTION OF THE METHODOLOGY

Main steps of the methodology:
- Subdivision of systems into functionally independent subsystems
- Identification of subsystems' main functions, operational states and failure modes
- Analysis of functional failure modes, effects, detectability and safeguards
- Identification of PIEs to be assessed in the next steps of design

Tools:
- Plant Breakdown Structure (PBS)
- Functional Breakdown Structure (FBS)
- FFMEA table compilation

MLD: DESCRIPTION OF THE METHOD

Main steps of the methodology:
- Identification of a hazard to be prevented
- Precise definition of the hazard for each operational mode or for each zone
- Building of sub-events and identification of the elementary causes of the hazard, considering all possible phenomena for each operational mode or for each zone
- Identification of PIEs to be assessed in the next steps of design

Top Event MLD Fault Tree compilation

IDENTIFICATION OF POSTULATED INITIATING EVENTS

How to select a list of PIEs?
- From both methods: list of elementary failures that compromise process functions and induce consequences of safety concern
- List of initiating events
- Grouping of the events that induce similar consequences in the plant
- Selection of the most severe elementary failures, which will constitute the PIEs for each group of events

LIST OF POSTULATED INITIATING EVENTS

- Loss of liquid fuel
  - Breach of the upper reflector with rupture of the structure cooling system (without damages to the expansion vessel system)
  - Breach in the upper reflector with rupture of a radial fuel outlet pipe (without damages to the structure cooling system)
  - Rupture of a pipe of the reactivity control system
  - Breach in the lower reflector (with rupture of the structure cooling system)
  - Rupture of the lower reflector (with rupture of the structure cooling system)
- Loss of integrity of the core cavity
- Loss of pressure/volume control in the core cavity
- Reactivity insertion accident
- Loss of liquid fuel flow
- Overcooling
- Loss of criticality control
- Loss of chemistry control
- Loss of heat sink
- Mechanical degradation

EXAMPLE: Loss of liquid fuel in the upper part of the core cavity. Breach of the upper reflector with rupture of the structure cooling system (without damages to the expansion vessel system)

CONSEQUENCES
- Fission products go outside from the core cavity through the breach
- Mixing of the fuel salt with the intermediate salt cooling the structures
- Possible leakage of the fuel salt and consequent solidification outside the core cavity
- Shut down of the chain reaction
- Etc.

PREVENTIVE ACTIONS, MITIGATION ACTIONS, FEEDBACK FOR THE DESIGN
- Preventive maintenance
- To monitor the corrosion rate and the thermal and mechanical fatigue
- To design as SIC SSC (Safety Important Component)
- Valves to isolate the cooling circuit for the structures

INPUTS FOR THE DESIGN
- Is the pressure of the fuel circuit higher, equal or lower than the pressure of the inert gas in the reactor vessel?
- Do we use the controlled routine draining tanks or the EDS in order to drain the fuel?

DESIGN OPEN POINTS, PROCEDURES AND PHENOMENA

This analysis is helpful to determine the lack of information, to point out the potential limitations of the design and to make suggestions to enhance the safety of the concept.

Components
- Valves should be foreseen to isolate systems in case of malfunction:
  - Intermediate circuit, to isolate each sector
  - Cooling circuit for the structures
  - Fission product removal systems

Phenomena
- Absence of chemical reactions between the fuel salt and other fluids of the reactor
- Role of natural convection (of the fuel, fertile and intermediate salts) in accidental situations

Procedures
- Use of the EDS (Emergency Draining System): what are the different variables to trigger the EDS (fuel temperature, electrical power loss, pressure)?
- All deviations from normal operation

Parameters/variables
- Pressure in the core vessel higher/equal/lower than in the reactor vessel

DESIGN OPEN POINTS, PROCEDURES AND PHENOMENA - Example: Systems

[Figure: diagrams of the active core (fissile matter) with the intermediate fluid, the HX between intermediate fluid and fertile blanket, and the HX between intermediate fluid and walls. Labels: "Advantages from the thermodynamics point of view", "Advantages from the regulation point of view".]

CONCLUSIONS AND PERSPECTIVES

- A list of Postulated Initiating Events is produced: INPUT for the subsequent deterministic analyses (SAMOFAR WP 4).
- For each PIE, the transient evolution (consequences, the involved components and some mitigation actions) is hypothesized.
- Open questions about the design, the involved phenomena, the procedures and the operating conditions are highlighted; where different options are available, both are considered with their advantages and drawbacks.
- A collateral issue that emerged from the application of the methodology is the definition of safety barriers and, consequently, the definition of the severe accident. Because of the very peculiar design of the MSFR, the traditional list of barriers of solid-fuelled reactors cannot be directly applied to the MSFR but must be adapted: different options, with advantages and drawbacks.
- The next step of the analysis is the application of the Lines of Defence method, whose objective is to guarantee that every accidental evolution of the reactor state is always prevented by a minimum set of homogeneous (in number and quality) safety features.

THANK YOU FOR YOUR ATTENTION

BIBLIOGRAPHIC REVIEW OF THE METHODOLOGY

The ISAM tools are reviewed, completed and adapted, when needed, to better reflect the international standards/rules and to better suit the peculiar case of the MSFR.

Three methods among the most usual risk analysis practices:
- Functional Failure Mode and Effect Analysis (FFMEA)
INPRO
- Master Logic Diagram (MLD)
- Lines of Defence (LoD)

FFMEA: DESCRIPTION OF THE METHODOLOGY

Main steps of the methodology:
- Subdivision of systems into functionally independent subsystems
- Identification of subsystems' main functions, operational states and failure modes
- Analysis of functional failure modes, effects, detectability and safeguards
- Identification of PIEs to be assessed in the next steps of design

Tools:
- Plant Breakdown Structure (PBS): list of possible systems and main components of the plant.
- Functional Breakdown Structure (FBS): definition of the main functions (process functions, safety functions, investment protection functions, etc.) of the system.
- FFMEA table compilation: compilation of the FFMEA table, postulating the loss of functions rather than specific failures of systems and components.
- Selection of a set of postulated initiating events (PIEs) from the complete list of IEs.

THE 1st STEP OF THE FFMEA METHODOLOGY: THE PBS

The Plant Breakdown Structure (PBS) is a hierarchical structure, created early in the project life cycle, which highlights what has already been designed and what has to be completed.

Extract of PBS of MSFR:
1. Fuel salt circuit
1.1 Core Cavity
- Torus shaped core
  - Injection zone (openings in the bottom of the core)
  - Flowing salt zone (central part of the cavity)
  - Extraction zone (openings in the top of the core)
- Reflectors
  - Upper reflector
  - Lower reflector
- Expansion vessel
- Expansion batches
- Lateral pumping system
- Radial pipes

THE 2nd STEP OF THE FFMEA METHODOLOGY: THE FBS

The function is defined as the specific purpose or objective to be accomplished that can be specified or described without reference to the physical means of achieving it (IEC 61226). The Functional Breakdown Structure (FBS) hierarchically organizes the functions.

- Process functions: their main objective is to operate the plant and to demonstrate the feasibility of the power production from the system.
- Safety functions: they should be guaranteed by the physical provisions and barriers, in order to prevent or mitigate nuclear and non-nuclear hazards (radiological, chemical, electrical, magnetic, etc.) for workers, public and environment.
- Investment protection functions: their main objective is to ensure that operations are performed safeguarding investments such as machinery and equipment, as well as minimizing operational costs.

THE 2nd STEP OF THE FFMEA METHODOLOGY: THE FBS

Extract from the FBS of the MSFR:

1. To perform process function
1.1 To realize fission in the core cavity
- To maintain the criticality within the core cavity
- To maintain the fuel salt inventory in the core cavity
- To keep and preserve the integrity and leak-tightness of the core cavity
- To maintain the fuel salt critical composition in the core cavity

To ensure safety
2.1 To provide confinement of radiotoxicity and toxic compounds
- To provide first confinement barrier of radioactivity and toxic compounds
- To confine within the fuel circuit
- To maintain integrity and leak-tightness of cooling systems
- To confine within the bubbling unit
- To maintain integrity and leak-tightness of the bubbling unit

FFMEA: DESCRIPTION OF THE METHODOLOGY

Main steps of the methodology:
- Subdivision of systems into functionally independent subsystems
- Identification of subsystems' main functions, operational states and failure modes
- Analysis of functional failure modes, effects, detectability and safeguards
- Identification of PIEs to be assessed in the next steps of design

Tools:
- Plant Breakdown Structure (PBS)
- Functional Breakdown Structure (FBS)
- FFMEA table compilation

[Figures: Extract of PBS of MSFR; Extract of FBS of MSFR]

EXAMPLE OF A PART OF THE COMPILED TABLE

Process function:
- P0 To perform process functions
- P1 To generate electricity
- P1.1 To generate heat by realizing fissions in the core cavity
- P1.1.1 To provide fuel salt inventory in the core cavity
- P To keep and preserve the integrity and leak-tightness of the core cavity

PBS elements: Core vessel
Op. Md.: Nop-P
Failure: Loss of containment leak tightness
Cause: Rupture in the core vessel
Failure consequences:
- The fissile fuel flows outside from the core cavity
- The chain reaction shuts down
- The fissile fuel is collected in the collector
- The fissile fuel is drained in the EDS
- The fissile fuel is cooled down by natural convection in the EDS in order to remove the residual heat
PIE: LOLF (Loss Of Liquid Fuel)

THE 3rd STEP OF THE FFMEA METHODOLOGY: THE COMPILATION OF THE TABLE

The FFMEA table is a specific table suggested for reporting the results of the analysis, following these steps:
1. Negation of a function;
2. Identification of systems and/or main equipment and/or components performing that function;
3. Reference to the operating mode of interest;
4. Identification of failure modes, possible causes for the loss of function for each failure mode, and possible consequences for the plant deriving from the loss of functions;
5. Possible preventing and mitigating actions;
6. Identification of a representative PIE for the elementary failure.

The higher-level functions are automatically analysed through the lower-level ones, since the failure of a lower-level function causes the failure of the related higher-level function.
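An added example, not part of the original slides: the negation of a low-level function propagated up the FBS, followed by the grouping of elementary failures and the selection of the most severe one per group as PIE. Function IDs P0 to P1.1.1 and the failure names come from the slides; the ID `P1.1.1.x` (cut off on the slide), the function `P1.y`, the assignment of failures to functions and the severity ranks are constructed assumptions.

```python
from collections import defaultdict

# Child -> parent links of the Functional Breakdown Structure (FBS).
FBS_PARENT = {
    "P1": "P0",
    "P1.1": "P1",
    "P1.1.1": "P1.1",
    "P1.1.1.x": "P1.1.1",  # placeholder ID: integrity/leak-tightness of the core cavity
    "P1.y": "P1",          # hypothetical function used for the overcooling rows
}

# Constructed FFMEA rows: (negated function, elementary failure, event group, severity).
# Severity ranks (higher = worse) are invented for illustration only.
FFMEA_ROWS = [
    ("P1.1.1.x", "Rupture in the core vessel", "Loss of liquid fuel", 3),
    ("P1.1.1.x", "Rupture of a pipe of the reactivity control system",
     "Loss of liquid fuel", 2),
    ("P1.y", "Over-working of the pump of the intermediate circuit", "Overcooling", 2),
    ("P1.y", "Conversion circuit pump overworking", "Overcooling", 1),
]


def lost_functions(function_id):
    """Return the negated function plus every higher-level function lost with it."""
    chain = [function_id]
    while chain[-1] in FBS_PARENT:
        chain.append(FBS_PARENT[chain[-1]])
    return chain


def select_pies(rows):
    """Group elementary failures by consequence and keep the most severe per group."""
    groups = defaultdict(list)
    for function_id, failure, group, severity in rows:
        groups[group].append((severity, failure, function_id))
    pies = {}
    for group, members in groups.items():
        severity, failure, function_id = max(members, key=lambda m: m[0])
        pies[group] = {
            "pie": failure,
            "severity": severity,
            "functions_lost": lost_functions(function_id),
        }
    return pies


if __name__ == "__main__":
    for group, pie in select_pies(FFMEA_ROWS).items():
        print(f"{group}: {pie['pie']} -> loses {', '.join(pie['functions_lost'])}")
```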

MLD: APPLICATION TO MSFR

[Figure: fault tree for the top event "degradation of the fuel circuit structures"]

Selected top event: degradation of the core vessel (simplified tree presented above).
Degradations are distinguished according to the phenomenon involved: thermal, chemical, mechanical, etc.

MLD: APPLICATION TO MSFR

[Figure: example of a sub-tree for the event «Overcooling accident»]

LIST OF POSTULATED INITIATING EVENTS

- Loss of liquid fuel
  - Breach of the upper reflector with rupture of the structure cooling system (without damages to the expansion vessel system)
  - Breach in the upper reflector with rupture of a radial fuel outlet pipe (without damages to the structure cooling system)
  - Rupture of a pipe of the reactivity control system
  - Breach in the lower reflector (with rupture of the structure cooling system)
  - Rupture of the lower reflector (with rupture of the structure cooling system)
- Loss of integrity of the core cavity
  - Complete (internal + external) rupture of the pressurised sampling device
  - Breach of a heat exchanger plate/channel
  - Rupture of blanket tank wall between fuel and fertile salt with rupture of the cooling circuit for internal structures
- Loss of pressure/volume control in the core cavity
  - Obstruction of the vertical inlet pipe for the fuel from the core to the expansion vessel
  - Rupture of the connection between the free surface of the fuel storage tank and the free surface of the core for the gas in the part between the core cavity and the valve
- Reactivity insertion accident
  - Accidental insertion of fuel
- Loss of liquid fuel flow
  - Complete rupture of the pump

LIST OF POSTULATED INITIATING EVENTS

- Overcooling
  - Over-working of the pump of the intermediate circuit
  - Overworking of one of the fuel salt pumps
  - Conversion circuit pump overworking
- Loss of criticality control
  - The welded joints holding the recirculation sectors in the correct position collapse
  - Rupture/obstruction of reactivity bubble injector
- Loss of chemistry control
  - Rupture of horizontal bubble injector for salt cleaning
  - External rupture of the gas separation chamber from the liquid part
  - External rupture of the gas separation chamber from the gases part
  - Chemical reaction between different fluids (e.g. hot part of intermediate circuit and water)
- Loss of heat sink
  - Leakage of intermediate salt
  - Complete rupture of one or more than one intermediate pump
  - Total loss of electric power
- Mechanical degradation
  - External aggression (e.g. earthquake)
  - Ejection of a conversion system component in direction of the fuel circuit

PERSPECTIVES: LINES OF DEFENCE METHOD

- Functional Failure Mode and Effect Analysis (FFMEA): functional analysis of the system, identification of hazards and PIEs during the preliminary stages of design
- Master Logic Diagram (MLD): identification of the hazards and possible initiating events of a nuclear plant, through a deductive approach (top-down)
- List of Postulated Initiating Events (PIEs): set of the most severe elementary failures that compromise plant functions and induce consequences of safety concern
- Lines of Defence (LoD): guarantee that every accidental evolution of the reactor state is always prevented by a minimum set of homogeneous (in number and quality) safety features

PERSPECTIVES: LINES OF DEFENCE METHOD

- To define a set of PIEs (from FFMEA and MLD)
- To define the quality and the quantity of LoD
- To integrate the results in the safety architecture of the plant

TYPES
- Measures aimed at preventing the occurrence of the initiating event;
- Measures aimed at limiting the consequences of the initiating event by means of specific equipment;
- Intrinsic behaviour and natural resistance to the progression of the accident.

QUALITY
- Strong LoD, type a (unreliability/unavailability of approximately 10^-3 /year): e.g. active system with redundancy, passive systems according to the safety standard, intrinsic behaviour of the plant.
- Medium LoD, type b (unreliability of approximately 10^-1 /year): e.g. active systems without redundancy, intervention of the operator.

QUANTITY
- For a severe accident or loss of one of the main safety functions: 2*a+b

How to define the severe accident?