ML19003A416

SECY-89-350: Canadian Candu 3 Design Certification
ML19003A416
Person / Time
Issue date: 11/21/1989
From: Taylor J
NRC/SECY
To:
References
SECY-89-350


Text

November 21, 1989 POLICY ISSUE SECY-89-350 (Information)

The Commissioners

James M. Taylor, Acting Executive Director for Operations

Subject:

CANADIAN CANDU 3 DESIGN CERTIFICATION

Purpose:

To provide background information, a discussion of technical issues, and a proposed plan to process a CANDU 3 nuclear power plant (CANDU 3) application in response to Atomic Energy of Canada Limited (AECL) Technologies' intent to seek design certification under 10 CFR Part 52.

Summary:

AECL Technologies informed the Nuclear Regulatory Commission of its intent to seek design certification of the CANDU 3 under the provisions of 10 CFR Part 52 in a letter to Chairman Lando Zech, dated May 25, 1989. The staff responded to AECL Technologies' letter of intent in a letter, dated July 6, 1989.

In this letter, the staff requested that AECL Technologies develop (1) a licensing review bases document to address the scope, content, and format of the Safety Analysis Report (SAR) to be submitted, (2) submittal schedules, (3) brief descriptions of selected technical aspects of the design, (4) key design parameters, and (5) proposed acceptance criteria to be more fully addressed in the SAR.

Depending on the priority assigned the CANDU 3 review, the staff could review the CANDU 3 design beginning in FY 90 and concluding in FY 95, assuming adequate staff resources are provided. The review would be conducted within the existing organizational structure of NRR, with a licensing project manager assigned full time to the project. Although no resources, either staff personnel or technical assistance funds, have been budgeted for the CANDU 3 review in FY 90, the staff will apply 1 FTE to the CANDU 3 review in FY 90. Because of the unique technical aspects of the CANDU design, the staff anticipates that new regulatory guidance will be necessary and that existing regulatory guidance will have to be modified. The guidance will be developed through research and with assistance from contractors and will be overseen by RES and NRR. In response to Staff Requirements Memorandum dated August 18, 1989, the staff recommended priorities for review of standard plant designs in SECY-89-334 dated October 27, 1989. The CANDU 3 design was included in that prioritization.

CONTACT: D. Persinko, PMAS/NRR X21278

Background:

AECL Technologies is a division of AECL, Incorporated, a newly formed American company. AECL Technologies would like to develop with the NRC a schedule of anticipated filings related to the CANDU 3. AECL Technologies also requested that the NRC review of the CANDU 3 application be given the same priority as other advanced nuclear plants being reviewed by the staff.

The CANDU 3 design is a single-loop pressurized heavy water reactor rated at 450 MWe with two steam generators and two heat transport pumps connected in series. The design utilizes natural uranium fuel, computer-controlled operation, and on-line refueling. The CANDU 3 design is an evolution of the CANDU 6 design (600-640 MWe), which has been approved by the Atomic Energy Control Board (AECB), the Canadian government agency responsible for regulating atomic energy in Canada. Four CANDU 6 units are currently in operation. Three of these units went into operation in 1983 and one in 1984. The CANDU 3 contains many features and components already in use in the CANDU 6 design. For example, key components, such as the steam generators, coolant pumps, and pressure tubes, are identical to those currently in use in CANDU 6 plants that are operating. Construction of a CANDU 3 plant at the New Brunswick Electric Power Commission's Point Lepreau Generating Station is to begin in the near future.

The CANDU 3 design contains features that are different from light water reactors licensed in the United States. Because of these features, the staff anticipates that the review of this design will require more time and resources than a review of an evolutionary pressurized light water reactor would require. Additional time and resources would be necessary for the NRC staff to become familiar with the CANDU design through extensive interaction with technical representatives of AECL Technologies and to resolve technical matters that have not been previously reviewed and approved for use in the U.S. AECL Technologies anticipates providing licensing submittals to the NRC staff on the CANDU 3 design over a 2-year period.

Discussion:

Canadian Regulatory Philosophy

The Canadian regulatory philosophy, as that of the United States, is based upon the licensee bearing the basic responsibility for safety. The AECB mainly sets safety objectives and some performance requirements and audits licensee compliance with them.

The regulations are less prescriptive than in the U.S. An overall safety objective is to ensure that the likelihood of a serious release of fission products is negligibly small and that the risk to the public presented by nuclear power plants is lower than that from alternative sources of electrical energy.

As a result of this risk-based approach, the regulatory requirements have emphasized numerical goals and objectives and minimized specific design or operational rules, which have resulted in the separation of systems into process and special safety systems.

These goals are specified in the basic requirements shown in Table 1. The basic requirements set limits on the frequency of serious process failures and the unavailability of the special safety systems, and on the maximum permissible doses to the public for any serious process failure and for any combination of a serious process failure and failure of a special safety system.

The four special safety systems consist of shutdown system No. 1 (shutoff rods), shutdown system No. 2 (liquid poison), emergency core cooling, and containment.

With the exception of the basic protection regulations, AECB regulations are primarily procedural and general, with specific regulatory requirements imposed through the plant-specific licensing process. Some regulatory guides have been produced.

The policy has been that while some written statements are necessary for design, construction, and operation, the establishment of detailed requirements should be handled in other ways. One method has been the gradual establishment of accepted safety-related features. A second method has been the development of consensus nuclear standards for particular topics. These standards are produced by the Canadian Standards Association (CSA), which is composed of organizations representing different industries in Canada. Representatives from the AECB participate in developing CSA standards.

CANDU 3 Design

In the CANDU 3 design, heavy water is used for both coolant and moderator, and the moderator is separate from the coolant. The moderator is contained in a horizontal cylindrical tank known as the calandria, which is at atmospheric pressure and approximately 160°F. There are 232 fuel channel assemblies placed horizontally in the calandria. Each fuel channel assembly consists of pressure tubes concentrically placed inside a calandria tube.

The pressure tube houses the fuel bundles and contains reactor coolant at approximately 1500 psi and 518°F. Two shutdown systems penetrate the calandria. Reactivity control units (control rods) and mechanical shutoff units (shutoff rods) enter the calandria from the top, and liquid poison injection tubes penetrate the calandria from the side. Both systems communicate only with the moderator and each system can bring the reactor to subcriticality under normal or accident conditions. The reactor assembly is shown in Figure 1. There are two steam generators and two electrically-driven coolant pumps to circulate the coolant. The steam generators are inverted, vertical U-tube bundles. A reactor building sectional view is shown in Figure 2.

Reactor fuel bundles are changed almost continuously owing to the low excess reactivity of the natural uranium fuel. The process is automated and is controlled from the main control room.

Four diesel generators supply backup AC power to specific station loads. Two diesel generators can supply the total safe shutdown load following a combination of worst events, including an earthquake.

Plant control is automated with signals generated by a Distributed Control System (DCS), using programmable microprocessors to implement the control logic. Plant operators monitor plant parameters and can take control of the plant if necessary.

The containment is a reinforced concrete structure with a steel liner similar in structure to large dry containments used in the United States. It is designed to withstand the pressure and temperature that would follow the largest postulated loss-of-coolant accident (LOCA).

A more detailed description of the CANDU 3 design is provided in Enclosure 1.

Important Features of CANDU 3

While the CANDU 3 design is not new in that it is based on CANDU 6 technology, some features of the CANDU 3 design are fundamentally different from light water reactors already licensed in the United States. The following discussion describes the features that may present unique challenges, both technically and from a regulatory perspective, during staff review of the CANDU 3.

This discussion is not intended to be all inclusive. A more detailed description of these issues is provided in Enclosure 2.

1. Reactor Physics/Fuel Design/Reactivity Coefficients

CANDU 3 uses natural uranium fuel and heavy water as coolant and moderator. A potential for flux tilts exists in the CANDU 3 because it has a larger core than a light water reactor core which generates the same power. This results in an overall lower power density. A postulated LOCA results in a positive reactivity excursion because of a positive void coefficient of reactivity.

2. Reactor Control and Shutdown

Emergency shutdown can be achieved by using either shutoff rods or liquid poison.

3. Refueling

The CANDU 3 is refueled almost continuously while at power. Potential accidents associated with this refueling scheme exist.

4. Reactor Coolant Pressure Boundary and Thermal Hydraulic Design

The high temperature, high pressure coolant circulates through 232 pressure tubes approximately 4 inches in diameter that contain fuel bundles. Technical concerns regarding this design include pressure tube integrity, use of moderator as a backup heat sink, flow blockage potential, seismic capability, emergency core cooling system (ECCS) performance, flow characteristics and distributions, heat transfer parameters, and pressure tube inspections. Computer codes used in the thermal hydraulic analysis and ECCS analysis were developed specifically for the CANDU design. U.S. reactor safety analysts are, in general, not familiar with the Canadian analyses and U.S. thermal hydraulic codes may require significant revision to be applied to the CANDU configuration.

5. Control of Tritium

Generation of tritium in the heavy water moderator and coolant will provide the potential for tritium releases and will increase the potential for plant operational and maintenance personnel to be exposed to radiation. A tritium removal plant has been built at the Darlington Nuclear Generating Station but is not yet operational. Currently, tritiated heavy water is controlled through heavy water management.

6. Safeguards

Use of natural uranium fuel provides the potential to generate weapons grade plutonium.

7. Computer Control and Human Factors

CANDU 3 utilizes a computer to control process systems and to actuate safety systems. The reliability of this system and the human interaction with this system are aspects to be explored.

8. Safety Philosophy

The Canadian safety analysis philosophy assumes an initiating event in combination with a single failure in a process system while one of the four special safety systems is unavailable.

The Canadian philosophy to protect against common mode failures relies on the two-group separation concept in which structures and systems are divided into two groups that are functionally and spatially separated.

9. Seismic Design

The CANDU design is based on a design basis earthquake (DBE) similar to the U.S. safe shutdown earthquake. However, the site design earthquake, a lesser magnitude earthquake than the DBE, is assumed to occur in the long term after a LOCA.

10. Classification of Pressure Retaining Systems

Safety-related pressure-retaining systems are designed per the ASME Code to the extent possible; however, classification criteria are different from and may be less conservative in some cases than criteria for U.S. light water reactors.

11. Standards

Differences exist between some codes and standards used in Canada and those used in the United States primarily because of the unique materials and features of the CANDU design.

12. Electric Power System

The electric power system is based on the two-group concept, with four classes of electric power. Four diesel generators are used to supply backup AC power.

13. Materials

Many components of the heat transport (reactor coolant) system are carbon steel rather than stainless steel. The pressure tubes are a zirconium-niobium alloy.

14. Effects of Heavy Water/Light Water Interface

Heavy water is used as coolant whereas light water is used in the ECCS. Measures used to prevent the ECCS system from inadvertently injecting and contaminating the expensive heavy water and their effect on ECCS reliability are an area to be considered.

15. Containment Adequacy

The CANDU 3 containment is similar to a U.S. large dry reinforced concrete containment. It is designed for a loss-of-coolant accident and to maintain structural integrity for a main steamline break.

In addition to the above design features, a significant database exists of CANDU operational history for transients, transient response, corrosion, accidents, fuel handling problems, and pressure tube integrity. The staff will consider this operating history in its review of the CANDU 3.

Staff Review of the CANDU 3

The NRC staff will conduct the CANDU 3 review with technical assistance from contractors. The review will be conducted within the existing organizational structure of NRR with a licensing project manager assigned full time to the project.

Using this approach will permit the reviewers to obtain technical input from others in their specific functional discipline more readily and will allow the reviewers to work on non-CANDU issues during periods when the CANDU information required to perform the review is not available. This approach is similar to what has been employed on issues related to Fort St. Vrain, a high-temperature gas cooled reactor, and evolutionary light water reactors.

NRR will have lead responsibility in conducting the review. RES will assist NRR in determining technical areas where research is necessary and will oversee this research. RES will also assist NRR, as needed, in providing technical assistance in reviewing the SAR. Because of the unique features of the CANDU 3 design, new regulatory guidance will be needed and existing regulatory guidance may need to be modified. More specifically, guidance will be needed in the areas of core physics, thermal hydraulics, computer control, severe accidents, and designs based on Canadian codes and standards that have no U.S. equivalent. The staff anticipates that research will be necessary in developing or modifying regulatory guidance.

The staff would review the application according to the requirements of 10 CFR Part 52. As required by 10 CFR Part 52, the staff would review the applicant's technical submittals, which will include the technical information required by 10 CFR Part 20, Part 50 and its appendices, Part 73, and Part 100.

The staff would also review the applicant's submittals describing site parameters postulated for the design, analysis of the design for the site parameters, the design specific probabilistic risk assessment, other information described in 10 CFR Part 52.47, and, to the extent applicable, compliance with Three Mile Island requirements set forth in 10 CFR 50.34(f), and technical resolutions of Unresolved Safety Issues and medium- and high-priority Generic Safety Issues identified in NUREG-0933.

The applicant will provide technical descriptions of the CANDU 3 design to the staff and assist the staff as necessary in understanding the design features of the CANDU 3. Before the applicant submits the SAR and before the staff begins its review of the SAR, the applicant and the staff will agree upon a licensing review basis document, which will describe the scope, content, and format of the information that will be provided to the staff in the SAR and the schedules for the submittals. The final portion of the SAR is expected to be submitted to the staff in mid-FY 1991.

The staff will brief the ACRS on the staff's review of the CANDU 3 design at appropriate stages of the review.

Recent staff requirements memoranda concerning evolutionary and advanced reactors indicate that the Commission may desire to be involved in the review process during development of the licensing review basis and safety evaluation reports. In SECY-89-311 dated October 10, 1989, the staff recommended that the Commission provide guidance on whether the staff's approach to the review of evolutionary light water reactors, including aspects concerning Commission review of safety evaluation reports, is appropriate.

Staff review of the CANDU 3 will follow the guidance provided by the Commission in response to SECY-89-311.

While the CANDU 3 design differs significantly from light water reactor designs currently licensed and operating in the United States and evolutionary light water designs, it is based on heavy water technology that has been proven in Canada. As such, the CANDU 3 represents an evolutionary heavy water design.

However, for the purposes of licensing in the United States, the CANDU 3 design should be considered an advanced reactor as discussed in 10 CFR Part 52. Because the CANDU 3 design is based on proven heavy water technology and because plans exist to construct a commercial CANDU 3 at Point Lepreau, the staff does not anticipate that construction of a prototype will be required.

AECL Technologies requested that the NRC staff proceed with the review and design certification of the CANDU 3 on a priority equal to that assigned other advanced reactor reviews. Major milestones and activities to complete the review include:

- preliminary planning meetings with AECL (already in progress)
- site visits by NRC management and staff
- discussions with AECB
- AECL Technologies' submittal of technical descriptions of CANDU 3 and conducting NRC information exchange sessions to develop NRC staff expertise in the CANDU 3 design
- AECL Technologies' submittal of a licensing review basis document to inform the staff of the scope, content, format, and submittal schedules of the Safety Analysis Report (SAR) to be provided
- completion of an acceptable licensing review basis document after staff interaction with AECL and after Commission approval
- staff determination of technical issues that may require research to be performed
- development of regulatory guidance
- staff review of the application
- issuance of Final Design Approval
- rulemaking per 10 CFR Part 52

A proposed schedule and schematic of the staff review is provided in Figures 3 and 4. This schedule assumes that adequate staff resources are provided, as discussed below. As discussed in Staff Requirements Memorandum M890801, dated August 18, 1989, the staff was directed by the Commission to consider how to assign priorities for the review of design certification submittals. The staff responded to this request in SECY-89-334. In that response, the staff included the CANDU 3 review in the prioritization.

The staff estimates that the review will require 10 FTE per year in FY 91 through FY 94, and 5 FTE in FY 95 to perform the CANDU review and rulemaking. Technical assistance will be required at a level of approximately $4 million per year for FY 91 through FY 94, and approximately $t million in FY 95. These estimates are preliminary and are based on resources required to perform reviews of evolutionary light water reactors, the Clinch River Breeder Reactor, and the Modular High Temperature Gas Cooled Reactor. They have been modified to account for the unique technical aspects of the CANDU 3. The FY 91 through FY 94 estimates are included in the FY 90-94 five year plan. These estimates will be reexamined after technical information reports are submitted, the licensing review basis is developed, and schedules for submitting the Safety Analysis Report are defined.

No resources, either staff personnel or technical assistance funds, have been budgeted for the CANDU 3 review in FY 90.

However, the staff will apply 1 FTE to the CANDU 3 review in FY 90 and currently has no technical assistance funds allocated.

James M. Taylor, Acting Executive Director for Operations

Enclosures: As stated

DISTRIBUTION: Commissioners, OGC, GPA, EDO, ACRS, ASLBP, ASLAP, SECY

TABLE 1 OPERATING DOSE LIMITS AND REFERENCE DOSE LIMITS FOR ACCIDENT CONDITIONS

| Situation | Assumed Maximum Frequency | Meteorology to be Used in Calculation | Maximum Individual Dose Limits | Maximum Total Population Dose Limits |
|---|---|---|---|---|
| Normal Operation | | Weighted according to effect, i.e. frequency times dose for unit release | 5 mSv/yr (500 mR/yr) whole body; 30 mSv/yr (3 R/yr) to thyroid | 100 man-Sv/yr (10^4 R/yr); 100 thyroid-Sv/yr (10^4 R/yr) |
| Serious Process Equipment Failure (Single Failure) | 1 per 3 years | Either worst weather existing at most 10% of time or Pasquill F condition if local data incomplete | 5 mSv (500 mR) whole body; 30 mSv (3 R) to thyroid | 100 man-Sv (10^4 R); 100 thyroid-Sv (10^4 R) |
| Process Equipment Failure plus Failure of any Special Safety System (Dual Failure) | 1 per 3 x 10^3 years | Either worst weather existing at most 10% of time or Pasquill F condition if local data incomplete | 250 mSv (25 R) whole body; 2500 mSv (250 R) to thyroid | 10^4 man-Sv (10^6 R); 10^4 thyroid-Sv (10^6 R) |

[Figure 1: CANDU 3 reactor assembly. Drawing not reproduced; labelled parts include the reactivity mechanisms deck, overpressure protection pipe, shield cooling piping, inlet and outlet feeder pipes, moderator piping system, and liquid injection shutdown unit.]

[Figure 2: CANDU 3 reactor building sectional view. Drawing not reproduced; labelled parts include the blowout panels, heat transport pump and motor, bleed condenser, reactor, and connecting structure to turbine building.]

[FIGURE 3: CANDU 3 program schedule, dated AUG 14 1989. Chart not reproduced; it spans May 89 through Oct 96 (FY 90 through FY 96) with rows for the AECL letter of intent, NRC response to AECL, site visit to Pickering/Darlington, management site visit/meeting with AECB, submittal of topical reports by AECL/develop staff expertise, finalize licensing review basis (NRR/RES), develop technical issues (NRR/RES), submittal of application by AECL, develop regulatory guidance (RES/NRR), staff review of application (NRR), and design certification rulemaking.]

[FIGURE 4: CANDU 3 program schematic. Flow chart not reproduced; boxes include the AECL letter of intent (5/25/89), NRC response to AECL, preliminary planning meetings with AECL, site visit to Pickering/Darlington, submittal of topical reports by AECL/develop staff expertise, NRC/AECL interaction on the licensing review basis, meeting with the Atomic Energy Control Board to discuss AECB review of CANDU 3, NRR management site visit, NRR determination of technical issues, development of regulatory guidance, submittal of license application by AECL, NRC staff review of AECL submittals, and rulemaking per 10 CFR 52.]

ENCLOSURE 1

CANDU 3 Design

The Canadian Atomic Energy Control Board defines permissible dose levels for two classes of accidents: (1) a single failure in any system required for normal operation (process systems) and (2) a single failure when one of the special safety systems is unavailable. The four special safety systems consist of Shutdown System No. 1 (shutoff rods), Shutdown System No. 2 (liquid poison), Emergency Core Cooling, and Containment.

All systems in the CANDU 3 are assigned to one of two groups, which is consistent with the Canadian safety philosophy. The systems in each group are capable of shutting down the reactor, maintaining cooling of the fuel, and providing plant monitoring capability in the event that the other group of systems is unavailable. A list of the systems in each group follows:

Function Group 1 Group 2 Shutdown Reactor Regulating Shutdown System System No. 2 Shutdown System No. 1 Heat Removal Steam Generator Group 2 Feedwater System Feedwater System Electric Power Shutdown Cooling System System Raw Service Water Group 2 Electric System Power System Recirculated Cooling Group 2 Raw Service Water System Water System Monitoring and Main Control Room Secondary Control Control Area Electric Power System Post-Accident Monitoring Instrument Air System Group 2 Electrical System Group 2 Instrument Air System ECCS Emergency Core Cooling System Containment Containment System Local Air Coolers

Group 1 systems are primarily dedicated to normal plant power production and, for the most part, are not seismically or environmentally qualified. Group 2 systems include safety and safety support systems, are seismically and environmentally qualified, and have the additional role of mitigating the effects of any postulated accident. To the extent possible, the two systems are located in separate areas of the station.

The CANDU 3 design contains features that are fundamentally different from pressurized water reactors currently operating in the United States. There is no reactor pressure vessel, heavy water is used for both coolant and moderator, and the moderator is separated from the coolant. The reactor assembly consists of the calandria vessel, end shields, fuel channel assemblies, reactivity control units, and the shield tank. The calandria is a horizontal cylindrical stainless steel vessel containing heavy water moderator, which is at atmospheric pressure and approximately 160°F. The shield tank is also a horizontal cylindrical structure which, together with the end shields, protects adjacent areas from radiation. Running horizontally through the calandria between the vertical faces are 232 fuel channel assemblies.

Each fuel channel assembly includes a pressure tube, a calandria tube, extensions at each end of the calandria tube, and end fittings at each end of the pressure tube. The pressure tube is made of a zirconium-niobium alloy and is concentrically spaced inside the calandria tubes by four garter springs so that an annulus space is maintained between the two tubes. Heavy water coolant at approximately 1500 psi and 518°F flows unidirectionally through the core inside the pressure tube and between the fuel elements. The annulus is filled with CO gas, which provides thermal insulation between the pressure tube containing high pressure, high temperature coolant, and the calandria tube that is surrounded by low pressure and the low temperature moderator. Within each pressure tube are 12 fuel bundles. Each fuel bundle is 495 mm (20 inches) long and 102 mm (4 inches) in diameter and consists of 37 fuel tubes made of zircaloy 4. Each tube contains approximately 30 fuel pellets.

Penetrating the calandria from the top are vertical guide tubes, which house mechanical shutoff units (shutoff rods) used to shut down the reactor and are part of Shutdown System No. 1 and reactivity control units (control rods) used to control reactivity and are part of the Reactor Regulating System. Horizontal tubes penetrate the calandria and are used to inject liquid poison into the low-pressure moderator. This system comprises Shutdown System No. 2. The Reactor Shutdown Systems are independent of each other and either can bring the reactor subcritical under normal or accident conditions.

The moderator system contains the heavy water moderator and, with auxiliary support systems, it cools, purifies, and controls soluble poisons in the system. The system is independent from the heat transport system and consists of two 50-percent pumps and two 50-percent heat exchangers. The heavy water moderator in the calandria also functions as a heat sink in the event of a loss of heat transport coolant accident with coincident failure of the ECCS.

The major components of the heat transport system are the reactor fuel channel pressure tubes, two steam generators, two electrically driven coolant pumps, reactor inlet and outlet headers, and the interconnecting piping. The steam generators transfer the heat from the heavy water reactor coolant on the primary side to the light water on the secondary side. The steam generators are inverted vertical U-tube bundles in a cylindrical shell.

The fuel handling system includes equipment for storage of new fuel, for fuel changing, and for storage of irradiated fuel.

Reactor fuel is changed routinely and almost continuously with the reactor at power. The fueling machine that refuels the fuel channels at the reactor face and the fuel transfer system that transfers new fuel into the reactor building and irradiated fuel out of the reactor building are fully automated and are operated from the main control room.

The station service power supplies are classified as follows:

1. Class IV - alternating current to Group 1 systems that can tolerate long duration interruptions without endangering personnel or station equipment.
2. Class III - alternating current to both Group 1 and Group 2 systems that are necessary for the safe shutdown of the reactor and turbine and can tolerate short interruptions (1-3 minutes).
3. Class II - uninterruptible alternating current channelized to match redundancy of station instrument and control systems in Group 1 and Group 2 systems.
4. Class I - uninterruptible direct current channelized to match redundancy requirements of control logic and reactor safety circuits of Group 1 and Group 2 systems.

Four diesel generators supply backup AC power to specific Group 1 and Group 2 station loads connected to the Class III system. Two diesel generators, powering Group 1 loads, are sized to supply the total safe shutdown load of the unit following loss of Class IV power. Two other diesel generators, powering Group 2 loads, are seismically qualified and are sized to power the total safe shutdown load following a combination of worst events, including an earthquake. In the event of failure of Class IV power, all standby diesel generators start automatically. If the Group 1 diesels run successfully, both Group 1 and Group 2, Class III, electrical systems will be fed by the Group 1 diesels. If the Group 1 diesels fail to operate, or in the case of an earthquake, the Group 2 diesel generators will power the Group 2, Class III, buses.

Most Group 1 control functions are implemented by a Distributed Control System (DCS) that uses data-highways for signal transmission and programmable microprocessors to implement the control logic. The DCS consists of a number of channelized local stations distributed throughout the plant outside of the reactor building.

Major control functions such as reactor regulation, heat transport pressure and inventory control, and steam generator pressure and level control are distributed among a number of small DCS micro-processors. The Overall Plant Control System uses digital processors to perform all major control functions.

In the normal mode of operation, the reactor follows the turbine to maintain constant steam generator secondary side pressure. In the alternate mode, the turbine follows the reactor to maintain the secondary side pressure constant. The turbine bypass system permits 100 percent of full power steam flow to the condenser for a short period of time and a continuous flow to the condenser of up to 60 percent of full power steam flow.

The Safety Systems consist of Shutdown System No. 1 (shutoff rods), Shutdown System No. 2 (liquid poison), the emergency core cooling system (ECCS), and containment. The ECCS removes residual and decay heat from the fuel following a failure of the heat transport system pressure boundary. ECCS operation consists of short-term injection of light water and long-term recirculation.

Short-term injection consists of a high-pressure injection stage where water from accumulator tanks is injected by pressurized gas and a low-pressure injection stage where water is injected via ECCS pumps from a grade-level tank. When this water is depleted, long-term recirculation of light water and heavy water from the reactor building floor back to the heat transport system via heat exchangers begins. The containment is a reinforced concrete structure with a steel liner on the inside. It is designed to withstand the largest postulated loss-of-coolant accident and to maintain structural integrity following a postulated main steamline break.

ENCLOSURE 2 Special Features of CANDU 3

1. Reactor Physics/Fuel Design/Reactivity Coefficients

CANDU 3 uses natural uranium fuel and heavy water coolant and moderator. The high-pressure, high-temperature coolant is separate from the low-pressure, low-temperature moderator.

The core is larger than an LWR core generating the same power, which leads to a lower overall core power density, but provides the potential for flux tilts. The fuel is contained in bundles, each of which contains 37 fuel rods. There are 12 bundles in each pressure tube which is concentrically surrounded by a calandria tube. There are 232 fuel channel tubes running horizontally through the core.

The use of low-temperature, heavy water moderator and natural uranium fuel creates reactivity conditions unlike U.S. commercial LWRs. In U.S. LWRs, all of the reactivity coefficients are negative at full power, providing inherent stability against power increases. In the CANDU design, for small variations about nominal operating conditions, the power coefficient (i.e., the sum of the individual reactivity coefficients) is slightly negative and close to zero.

However, following a postulated LOCA, a positive reactivity excursion will occur owing to a positive void coefficient of reactivity. Review of the reactivity coefficients in the CANDU design may require reestablishment of technical criteria and would be closely integrated with the assessment of reactivity control during normal and off-normal conditions.

2. Reactor Control and Shutdown

In the CANDU design, reactivity control devices (control rods) used for normal operating control are physically and functionally separate from mechanical shutdown devices (shutoff rods) used for reactor shutdown. All of these devices are inserted into the low-temperature, low-pressure moderator. Also, in the CANDU design, emergency shutdown of the core can be achieved by either shutoff rods or liquid poison. In U.S. LWRs, only the control rods are available to quickly shut down the reactor during accident conditions.

Alternate shutdown means via poison injection are available to mitigate ATWS events. Review of the reactor control and shutdown performance will require careful consideration of the reactivity coefficient conditions that are possible.

3. Refueling

The CANDU reactor must be fueled almost continuously because of the burnup of the natural uranium fuel, which has low excess reactivity. This is done while at power and requires unique fuel handling equipment and fuel management schemes.

While refueling accidents at U.S. plants are low energy events, the at-power refueling capability of the CANDU design elevates refueling accidents to a full power accident and has the potential for creating a small break LOCA.

Certain accidents specific to this at-power refueling are postulated in the safety analyses. Also, reactivity effects and reactivity control during on-line refueling will be unlike current LWRs. In the CANDU design, spent fuel is transported from the pressure tube to the refueling machine and finally to the light water spent fuel bay. This movement is not through a continuous underwater path. For a short time in this transition, the fuel is not immersed in water.

4. Reactor Coolant Pressure Boundary/Thermal Hydraulic Design

The reactor coolant pressure boundary in the CANDU design is significantly different from current LWRs in that there is no high-pressure reactor vessel. Rather, the high-pressure, high-temperature reactor coolant circulates through 232 pressure tubes approximately 4 inches in diameter that contain fuel bundles.

Specific technical concerns about this design follow:

o Pressure tube integrity: Each tube is a pressure boundary for the primary coolant system and represents a potential for a LOCA. These pressure tubes experience a more severe neutron environment than LWR reactor pressure vessels owing to their close proximity to the fuel and immersion in the moderator. In the area of the rolled joint (i.e., the area where the pressure tube is rolled into the end fitting), cracks have developed as a result of improper rolling and as a result of manufacturing flaws. All rolled joint cracks have resulted in leak-before-break and were identified from leakage into the annulus area. The rolling process has been modified to eliminate the improper rolling and the pressure tube material has been changed from zirconium 2 used at Pickering in 1983 to a zirconium-niobium alloy.

Cracks have also developed in other areas of the pressure tube as a result of the development of hydride blisters. In two cases described below, the failures propagated rapidly. In 1986, at the Bruce plant, the fracture occurred during pressurization at room temperature while operators were attempting to identify a channel where leakage had been identified. In this case, the fracture also caused the calandria tube to fail. Failure of a calandria tube, following failure of a pressure tube, can result in damage to other core components. At Pickering, a fracture occurred in 1983 as a result of contact between the pressure tube and the calandria tube at power, leading to the formation of a hydride blister. This failure was of the break-before-leak type.

o Flow blockage potential: Because of the large number of relatively small tubes, flow blockage or flow reduction in a tube is a possibility.

o Seismic capability of the pressure and calandria tubes: Although seismically qualified for the design basis earthquake, the tubes are horizontal and long, supported only at the ends, and contain the weight of the fuel.

o ECCS performance: ECCS performance, considering the large number of pressure tubes and the horizontal geometry, will be significantly different than that in U.S. LWRs. Codes predicting ECCS performance may have to be developed to verify the codes used in the design of the CANDU 3.

o Flow characteristics and distribution.

o Heat transfer parameters.

o Pressure tube inspection.

The computer codes used in the design and analysis of CANDU were developed specifically for the CANDU system. These codes employ models and correlations specifically applicable to CANDU. These codes would include those used in performing the thermal hydraulic analysis and ECCS performance.

5. Control of Tritium

The tritium issue will involve considering occupational and public dose limits. Generation of tritium in the heavy water moderator will provide the potential for tritium releases and will increase the potential for plant operational and maintenance personnel to be exposed to radiation.

6. Safeguards

The use of natural uranium provides the potential to generate weapons-grade plutonium if access to a reprocessing facility is available. Also, on-line refueling provides the potential for fuel discharges with minimum exposures, which results in a spent fuel with a low concentration of higher-plutonium isotopes. The lower the concentration, the better the weapons grade of the plutonium. On-line refueling also makes physical inventory of the fuel more difficult owing to handling a large volume of fuel. Canadian operators comply with IAEA safeguards.

7. Computer Control and Human Factors

CANDU 3 reactors utilize computers for control of process systems such as the reactor regulating system, steam generator level and pressure control, pressurizer level and pressure control, and for actuation of safety systems, including the two reactor shutdown systems. In the CANDU 3, a Distributed Control System is utilized, consisting of electronic modules distributed throughout the plant and interconnected by coaxial data highways. Redundancy, reliability, and independence of the computers as well as the origin, reliability, and independence of input parameters, data to the computers and control of computer software are areas to be considered. Also, although the basic philosophy appears to be to remove the human from operation of the plant to the extent possible, consideration must be given to the ability of the operator to override the system and the operator's ability to control the plant if the computers fail. Other human factors considerations related to the operator's ability to control the plant include operator training and operating procedures.

8. Canadian Safety Philosophy

Accident analyses assume an initiating event in combination with a single failure while one of the special safety systems (shutoff rods, liquid poison, ECCS, containment) is unavailable. Unavailability of containment does not infer overall loss of containment, rather, it represents a breach of containment.

Protection against common mode failure relies on the two-group separation concept. Structures and systems of the plant are divided into two groups that are functionally and spatially separated. Process systems belong to Group 1 and Safety Systems belong to Group 2. Each group can shut down the reactor, remove decay heat, and monitor plant parameters even if the other group has been rendered inoperable by a common mode event. All Group 2 systems are protected against the design basis earthquake, tornadoes, floods, and missiles.


9. Seismic Design

Although the basic seismic analysis methods are the same as in the United States, the CANDU design is based on two earthquake levels:

a. The Design Basis Earthquake (DBE) is conceptually similar to the Safe Shutdown Earthquake (SSE) used in the United States. Stresses from the DBE are limited to level C.
b. The Site Design Earthquake (SDE) is assumed to occur in the long term after a LOCA and is a lesser earthquake than the DBE. ECCS features required for long term recovery from a LOCA are designed to withstand the SDE. This concept differs from the U.S. philosophy regarding the operating basis earthquake.

10. Classification of Pressure Retaining Systems

Safety-related pressure-retaining systems in the CANDU design are designed per the ASME Code to the extent possible; however, the classification criteria are different from the criteria for LWRs and may be less conservative in some cases.

The U.S. classification criteria are given in Regulatory Guide 1.26, whereas CSA Standard N285.0 is used in Canada.

11. Standards

Differences exist between some codes and standards used in Canada and those used in the United States. In some cases, codes and standards had to be developed to govern the unique materials and unique features of the CANDU design. For example, pressure tubes used in the CANDU design are designed per CSA Standard N285.2. In other cases, differences are due to different design practices. The following examples are provided:

CSA Standard N286 is used for QA rather than 10 CFR 50 Appendix B.

CSA Standard N287 is used for concrete containment rather than ASME Section III, Division 2.

CSA Standard 290 is used for instrumentation and control of safety systems rather than IEEE Standards.

CSA Standards N285.4 and N285.5 are used for inservice inspection rather than ASME Section XI.

CSA Standard N293.1 is used for fire protection rather than Appendix R to 10 CFR 50.


12. Electric Power

The electric power system is also based on the two-group concept. Group 1 consists of connections to the grid and the unit generator, and two diesel generators and batteries, which supply power to process loads. Group 2 consists of two diesel generators and batteries and supplies power to safety loads.

The Group 2, Class III, system is energized by the grid and the turbine generator via interconnections with the Group 1, Class III, system.

Isolation devices are used to ensure that a failure in one group does not affect the other.

The Group 2 electric power system is designed for common mode events, including the design basis earthquake and design basis tornado.

13. Materials

Many of the components in the heat transport system are carbon steel as opposed to stainless steel, which is used in U.S. LWRs. While carbon steel is more ductile, it is also subject to corrosion. The pressure tubes are a zirconium-niobium alloy.

14. Effects of Heavy Water/Light Water Interface

Because of the cost of heavy water, contamination of the heavy water by light water used in the ECCS is undesirable. Measures taken to prevent this contamination and the effects they have on ECCS testing and valve lineups to prevent inadvertent ECCS operation are an area that is potentially different from LWRs. Special measures taken to protect the heavy water must be reviewed in light of any decreased reliability of the ECCS.

15. Containment Adequacy

The containment is similar to a large dry reinforced concrete containment used in U.S. reactors. It is designed for a loss-of-coolant accident and to maintain structural integrity for a main steamline break.

In addition to the design features described in this enclosure, a significant database exists of operational history for transients, transient response, corrosion, accidents, fuel handling problems, and pressure tube integrity. The staff will consider this operating history in its review of the CANDU 3 design.