ML19309A564

Chapter 6 of VA Polytechnic Inst & State Univ Research & Training Reactor PSAR, DBA
ML19309A564
Person / Time
Site: 05000124
Issue date: 11/01/1979
From:
VIRGINIA POLYTECHNIC INSTITUTE & STATE UNIV., BLACKSB
To:
References
NUDOCS 8003310439


Text

6 DESIGN BASIS ACCIDENT

6.1 Introduction

Safety analysis of the original reactor installation is described in Reference 6.7.1. When the maximum reactor power was increased from 10 KW to 100 KW, a revised safety analysis was performed [6.7.2]. In preparation for reactor operation at 500 KW a completely revised and updated analysis was completed [6.7.3]. This document is the basis for the information summarized in this chapter.

6.2 SPERT Reactor Test Data

The SPERT-I reactor test program data have been used in previous VPI&SU reactor power excursion models and are the most appropriate experimental data to use. The SPERT-I reactor was a light water moderated and reflected, non-pressurized reactor using highly enriched MTR-type fuel assemblies. The reactor fuel consisted of a highly enriched U-235--Al meat clad with Al in a plate geometry [6.7.4]. Several different reactor cores were used. The A core was a standard core with the water space between the plates maintained constant. For the B core, the water space between the plates was varied to allow evaluation of several different void reactivity coefficient values [6.7.5]. The reactor core was contained in a tank with a diameter of 4 feet and a height of 10 feet. The tank was filled to a point 2 feet above the reactor core, maintaining a height of 2 feet of water above the core at the beginning of each test excursion. Under normal test conditions of the A core, the temperature of the reactor was the ambient temperature (~20°C) and there was no forced convection flow in the reactor tank. Each excursion was initiated by a step reactivity insertion at essentially zero power (~5 watts thermal), and was produced by the ejection of a control rod [6.7.4]. Later test excursions with the B core were performed with controlled variances from these conditions. These later tests included initial elevated temperatures of up to 100°C, minimal forced convection flow at a velocity of several tenths of a foot per second [6.7.6], and initial elevated power levels of up to 100 KW thermal [6.7.7]. The B core tests allow a closer correlation of SPERT data to the VPI&SU reactor at normal operating conditions. As can be seen, the SPERT-I reactor was a simple reactor type but had the potential for varied and detailed power excursion analysis.

There are several reasons for using the SPERT test data to model power excursions for the VPI&SU reactor. The reproducible behavior of the SPERT reactor afforded multiple sets of reasonably consistent test data. Extrapolation of test results from longer reactor periods to shorter reactor periods could be done with reasonable certainty. In addition, the behavior of the SPERT reactor was basically the same as the behavior of the BORAX test reactor, even though there were some design differences between the two reactors. This suggests that the use of SPERT test data for reactors of similar design is very feasible [6.7.8]. Indeed, SPERT-I test data were used in accident analyses of the Argonaut reactor of Argonne National Laboratory and of the UTR-1 reactor of American Standard. Both the VPI&SU reactor design and the UTR-1 reactor design are based upon the Argonaut reactor. The applicability of SPERT-I data to the Argonaut reactor has been discussed [6.7.9], showing the use of SPERT-I test data for the Argonaut reactor to be conservative. Considering these arguments and the fact that the VPI&SU reactor design is based upon the Argonaut design, it can be concluded that the use of SPERT-I reactor test data for the VPI&SU reactor excursion models is applicable, producing reasonable and conservative estimates of its excursion behavior.

The basic designs of the VPI&SU reactor and two SPERT-I cores (the A-17/28 core and the B-24/32) are very similar; specifically: (1) both reactors are light water moderated and non-pressurized; (2) both reactors use highly enriched U-235--Al fuel meat, clad with Al in a plate geometry; and (3) both reactors have similar reactivity characteristics [6.7.4,6]. Table 6.1 illustrates several nuclear characteristics of the SPERT-I A-17/28 and B-24/32 cores and the VPI&SU reactor core.

A typical SPERT-I power excursion is illustrated in Fig. 6.1. The excursion is initiated by a step input of reactivity at time t_0. Power increases primarily by prompt neutrons until the peak power, P_m, is reached at time t_m. The excursion power level increase is terminated at P_m, at which time the shutdown mechanisms have inserted enough negative reactivity to prevent power increase either from prompt neutrons, or from the fraction of delayed neutrons that have been produced up to this time. It is important to note that if no shutdown mechanisms were present, power would continue to increase. As the power decreases, the delayed neutron population increases but additional shutdown mechanism reactivity is produced to negate all delayed neutrons. Hence, the exponential remainder of the power level plot after time t_m is called the delayed neutron tail, showing how the delayed neutrons and the shutdown reactivity affect the approach to equilibrium power level. Note also that the equilibrium power level, P_e, after the burst is greater than the initial power level. The equilibrium power level is that power level necessary to produce sufficient shutdown effects to negate the step input reactivity.

TABLE 6.1

CHARACTERISTICS OF SPERT-I A-17/28 AND B-24/32 CORES, AND THE VPI&SU REACTOR CORE

                                          A-17/28 *            B-24/32 *            VPI&SU **
gap between plates (mils)                 117                  65                   400
fuel meat thickness (mils)                20                   20                   40
Al clad thickness (mils)                  20                   20                   27
critical mass (kg U-235)                  3.9                  4.3                  3.0
temperature coefficient ($/°C at 20°C)    -0.67x10^-2          -1.1x10^-2           -1.0x10^-2
neutron generation time (sec)             0.50x10^[illegible]  0.50x10^[illegible]  1.35x10^[illegible]

* source of data: 6.7.5 4
** source of data:

[Figure 6.1 Typical Power Excursion of SPERT-I Reactor. Axes: power versus time.]

Thus the power excursion behavior is very dependent upon the shutdown mechanisms. Other notable items concerning the power excursion are: the rate of power increase; the height of the burst, i.e., P_m; and the equilibrium power level. All these features are dependent upon the input reactivity. Indeed, a family of curves, all similar to the curve in Fig. 6.1, and each dependent upon a separate input reactivity, was determined for the SPERT-I reactor [6.7.10,11]. The predictability of these curves allows the interpolation of data, as is done for the VPI&SU reactor excursion models.

Analysis of the shutdown mechanisms of the SPERT-I reactor provides a better understanding of the SPERT-I excursion behavior. The two major shutdown mechanisms for inverse reactor periods of less than 20 sec⁻¹ (which includes all the excursion models analyzed in this study) involve water moderator heating and fuel metal heating [6.7.5,12]. Analysis of the temperature effects upon neutron multiplication yields three changes in nuclear parameters caused by an increase in temperature: (1) a decrease in microscopic absorption cross sections due to spectrum shifts, (2) a decrease in material density, and (3) an increase in geometric volume. These changes in a highly enriched uranium, water-moderated reactor, such as the SPERT-I or the VPI&SU reactors, result in a slight increase in the thermal utilization term, f, due to a decreased thermal disadvantage factor, and a large increase in the thermal diffusion length, L. The latter change increases neutron leakage from the core, producing the large negative reactivity coefficient [6.7.13]. Both of these changes are evident in the water moderator heating and the fuel metal heating shutdown mechanisms. Interestingly enough, the fuel metal heating produces enough negative reactivity to shut down the reactor without any other shutdown effects. An additional shutdown mechanism for inverse reactor periods greater than 20 sec⁻¹ is the formation of steam voids in the moderator [6.7.5,12]. It is important to note that the steam void shutdown mechanism does not terminate the power burst in any excursion model considered in this study. The formation of steam does, however, aid in negative reactivity insertions at times after t_m and at equilibrium power.

A further note concerning the SPERT-I excursion analysis is that there was no fuel melting for reactor periods greater than 5 msec. The final test of the SPERT-I reactor was a destructive test in which 3.5 dollars of reactivity was input into the reactor. This insertion resulted in a 3.2 msec period, substantial fuel melting, water ejection, and core disassembly [6.7.14,15]. As will be shown in a later section, the shortest reactor period the VPI&SU reactor would experience even in a hypothetical accident is 90 msec, caused by a reactivity insertion of 1.2 dollars. This supports the position that the VPI&SU reactor excursion models will not be terminated by fuel melting, water ejection, or core disassembly.

The shutdown mechanisms of the SPERT-I reactor suggest that the VPI&SU reactor may terminate power bursts in a manner similar to the SPERT-I reactor. The VPI&SU reactor and SPERT-I reactor similarities have been denoted previously, and it is very probable that the water heating and metal heating shutdown mechanisms of the SPERT-I reactor are present in the VPI&SU reactor. There is, however, a major difference between the SPERT-I and VPI&SU reactors affecting shutdown, which is discussed below.

The VPI&SU and SPERT-I reactors vary in that the SPERT-I reactor was a low power test reactor used only for power excursion experiments, while the VPI&SU reactor is a steady-state research and training reactor. The VPI&SU reactor operates at a moderate power level and hence has higher fuel temperatures and forced convection flow for cooling during normal power operation. The different uses of the two reactors result in three variations: (1) the VPI&SU reactor can have high initial power level excursion starts, while the SPERT-I reactor had low initial power level excursion starts, (2) the VPI&SU reactor can have high initial temperature excursion starts and the SPERT-I reactor had low initial temperature excursion starts, (3) there is forced convection flow in the VPI&SU reactor excursions, but the SPERT-I reactor had no forced flow. These variations can result in different peak power levels in the burst, or different equilibrium power levels after the burst [6.7.6,7]. As discussed earlier, the SPERT-I reactor, B core, was tested at the different initial conditions of high power level, high temperature, and forced flow. A comparison of these tests to the normal tests of the A core (low power, temperature, and no flow) reveals the following variations.

(1) High initial power level starts.

There is no basic difference. The peak power levels are the same, and the burst peak may experience some broadening [6.7.7].

(2) High initial temperature starts.

This condition can reduce the peak power by as much as a factor of 3, reducing the maximum fuel plate surface temperature and the energy released up to time t_m [6.7.6].

(3) Flow during excursion.

For large reactor periods (small reactivity insertions), the standard power peak caused by prompt neutrons is reduced to an inflection point, while the equilibrium power level, aided by the delayed neutrons, is increased to as much as 1.6 times the prompt power peak. This is shown in Fig. 6.2. For small reactor periods, the peak power is unaffected, but the equilibrium power level is greater [6.7.6].

The effects of the three variations can be explained through the shutdown mechanisms. In the flow variation, with flow, the shutdown mechanism of water expansion through heating is diminished with the removal of heat from the core by the flow. The coolant velocity is assumed small, and the fast power excursion is not affected; however, the slow power excursion experiences less shutdown reactivity. Sometimes the shutdown reactivity is less than the delayed neutron contribution, resulting in the equilibrium power level exceeding the prompt neutron peak power level. In all excursions with flow, at equilibrium after the burst, the flow removes some of the shutdown reactivity, raising the equilibrium power level. For the temperature variations, with the initial temperature near the saturation temperature of the moderator, early shutdown due to moderator heating and the larger negative temperature reactivity coefficient, reduces the peak power level.

By examining the effects of high temperature and flow, it can be shown that the worst accident conditions for the VPI&SU reactor are at low initial temperature, with forced convection flow. These conditions will result in the highest peak power level and the highest equilibrium power level.

The SPERT-I reactor test data are very appropriate for the VPI&SU reactor. The many design features and characteristics of these reactors and the behavior similarities of these and other reactors of the same design, support this. The duplication of test data by the SPERT-I reactor and the extrapolation of test results also justifies the reliability of excursion data of the SPERT-I reactor. It must be remembered, however, that a proper analysis involves duplicating the conditions of the excursion. Hence, flow and temperature adjustments must be made to ensure the certainty of the safety of the analysis.

[Figure 6.2 SPERT-I Reactor Large Period Power Excursion with Reactor Coolant Forced Flow. Axes: power versus time; the initial power peak is marked.]

6.3 Power Excursion Accidents

The accidents analyzed in this study are all power excursions produced by reactivity insertions. The reactivity insertions are limited to step insertions, even though ramp insertions would produce results closer to the actual accidents. The worst-case philosophy is maintained by utilizing step insertions, as step insertions produce the most severe power excursions. The accidents are also analyzed using SPERT-I testing data, interpolating results from SPERT-I reactor excursions and applying these results to the VPI&SU reactor accident models. The SPERT-I excursions used are those with the same asymptotic period projected for the VPI&SU reactor accident models. The similarity of the SPERT-I and VPI&SU reactor is discussed above, with reasons for the use of SPERT-I data. All excursion models below are evaluated with the maximum power level of the VPI&SU reactor at 500 KW.

A further note about the use of SPERT-I data will facilitate a better understanding of the excursion models. As discussed above, the A core SPERT-I data were produced with no flow and ambient initial temperature. The B core SPERT-I data were produced separately with flow, and with elevated initial temperature, and these conditions affected only the maximum fuel plate temperature and the equilibrium power level. For the excursion models discussed below, A-17/28 core data [6.7.10,11] are used for all peak power levels, and all values of the energy released up to peak power level. B-24/32 core data [6.7.6,16] are used for the maximum fuel plate temperature and the equilibrium power level. The maximum fuel plate temperature data were produced without core flow. However, for small reactivity excursions, such as in the VPI&SU reactor excursion models, the maximum fuel plate temperature will not greatly exceed 115°C, suggesting the data are still very reasonable. The A core data are used as they reasonably agree with similar B core data, and sources of data for the A core are more detailed than the sources of B core data.

6.3.1 Operational Accidents

Operational accidents are accidents caused by errors of the reactor operators. They can be produced by failures to respond to the reactor control instrumentation warnings (annunciators) or by improper actions of the operator. It is realized that operational accidents can also occur because the operator, through some means, is unable to respond to the control instrumentation annunciators. It should be emphasized that these accidents are caused only by operator errors; it is assumed that all safety instrumentation is functional and will perform its designed tasks. In reference to earlier excursion analysis, these accidents assume that the safety limits of the reactor are not exceeded.

6.3.1.1 Scenario I

This accident is initiated by a step insertion of 0.26% ΔK/K reactivity producing a 10 second reactor period. The VPI&SU reactor control instrumentation has an annunciator (both visual and audible) with its setpoint at not less than a 10 second reactor period. It is assumed the reactor period is just great enough so it does not trip on the annunciator. Hence, this accident is the most rapid power increase possible without annunciation or scram by the Period Channel. The initial conditions of the accident are:

(1) A 0.26% ΔK/K reactivity step insertion resulting in a 10 second reactor period.

(2) The setpoint of the 'period less than 10 sec' annunciator is not exceeded.

(3) No corrective action by the operator.

(4) The reactor is at low power and ambient temperature (30°C) and is critical.

(5) The reactor coolant pump remains in normal operation after the power burst.

As shown above, the reactor power increases by a 10 second period without operator corrective action. The reactor power increases to a maximum power level of 600 KW, without reactor scram. This power level is the equilibrium power level, while the peak burst power level is only an inflection point at 100 KW. The maximum fuel plate temperature is less than 70°C. The results of this excursion are shown in Table 6.2.

As can be seen, the safety limits of the reactor are not reasonably exceeded in this accident. The increase in power level, though rapid, does not pose adverse problems. It is noted that the equilibrium power level is dependent upon the coolant flow through the core. For the no-flow situation, this accident has an equilibrium power level of 150 KW. With greater flow rates, the equilibrium power level could exceed 625 KW, resulting in a reactor overpower scram.

TABLE 6.2

DATA FOR THE VPI&SU REACTOR POWER EXCURSION ACCIDENTS

scenario #                                    I       II      III     IV      V
step reactivity insertion (% ΔK/K)            0.26    0.34    0.6     0.6     0.8
asymptotic reactor period (sec)               10      5       0.2     0.2     0.09
inverse reactor period (sec⁻¹)                0.1     0.2     5       5       11.1
peak power (no scram) (MW) *                  0.1     0.25    2.0     4.0     14
equilibrium power (MW) **                     0.6     0.7     0.85    1.4     1.7
energy released up to peak power (MW-sec) *   ***     ***     0.7     2.5     2.5
maximum fuel plate temperature (°C) **        70      70      110     100     100

* source of data:
** source of data:
*** no clearly defined peak

6.3.1.2 Scenario II

The second operational accident is produced by a step insertion of 0.34% ΔK/K reactivity producing a 5 second reactor period. The VPI&SU reactor control instrumentation has a reactor scram (Period Channel) with its setpoint at not less than a 5 second reactor period. It is assumed the reactor period is just great enough so as to not trip the scram. Thus, this is the most rapid power increase possible, without a Period Channel scram. The initial conditions of the accident are:

(1) A 0.34% ΔK/K reactivity step insertion resulting in a 5 second reactor period.

(2) The setpoint of the Period Channel scram is not exceeded.

(3) No corrective action by the reactor operator even though the 'period less than 10 sec' annunciator is tripped on.

(4) The reactor is at low power and ambient temperature (30°C) and is critical.

(5) The reactor coolant pump remains in normal operation after the power burst.

The reactor power increases on a 5 second period without reactor operator corrective action. Before reactor power reaches 625 KW, an overpower scram is initiated. Without the overpower scram, reactor power would reach an equilibrium power level of 700 KW. The peak burst power level is only an inflection point at 250 KW. The maximum fuel plate temperature is less than 70°C. The results of this excursion are shown in Table 6.2.

The excursion, as presented, would result in an overpower scram as the reactor approached equilibrium power level. The equilibrium power level, assuming no scram, could produce increased radiation levels in the reactor room, depending upon how the flow of coolant through the core affects the equilibrium power level. With reactor overpower scram, the accident poses no adverse problems.

6.3.2 Design Basis Accidents

The design basis accident is defined as the worst possible credible accident which can be experienced. As the design basis accident must be credible, it is assumed only a single failure (possibly a common mode failure) can occur. Hence, the VPI&SU reactor design basis accident assumes the worst possible single failure at the worst possible conditions. In reference to the earlier excursion analysis, the design basis accident assumes the safety limits of the reactor can be exceeded.

The initial conditions of the power excursion proposed as the design basis accident can vary the severity of the accident. As indicated earlier, the worst initial conditions are low initial fuel temperature, and constant coolant flow during the excursion. To further demonstrate the consequences of these initial conditions, an accident with the reactor initially at power and high temperature, and with no flow, will be analyzed first. Scenario IV, with the worst initial conditions, is assumed to be the design basis accident.

6.3.2.1 Scenario III

This accident assumes the largest credible reactivity insertion and the failure of the automatic safety system, with the reactor at power. To further lessen the accident consequences, it is assumed the reactor coolant pump is shut down after the excursion burst. A means of the failure of the automatic safety system by a common mode failure is discussed in a later section. The nature of the reactivity insertion is left undefined; however, the magnitude of the insertion is taken as the largest permissible amount of excess reactivity for the VPI&SU reactor, which is 0.6% ΔK/K. The initial conditions for the accident are:

(1) A 0.6% ΔK/K reactivity step insertion.

(2) The simultaneous failure of the automatic safety system.

(3) The reactor is at 100 KW power level, 100°C temperature, and is critical.

(4) The reactor coolant pump is shut down after the burst.

In this accident, the reactor power level increases by a 0.2 second asymptotic period, to a peak power level of 2 MW. The energy released up to the peak power is 0.7 MW-sec, and the maximum fuel plate temperature is 110°C. The reactor power level then decreases to an equilibrium power level of 850 KW. The results of this power excursion are shown in Table 6.2.

A major concern of the results of this accident is the radiation released. The radiation levels should be tolerable at equilibrium power, as the reactor is assumed to be shielded for 500 KW power operation. The burst levels are of short time duration, and hence, do not produce large doses. The maximum temperature of the fuel plates is also tolerable, as fuel plate temperatures above 100°C result in steam voids, producing shutdown reactivity and decreasing the power of the reactor.

6.3.2.2 Scenario IV

This accident is the design basis accident of the VPI&SU reactor. The equipment failure and reactivity insertion are the same as in Scenario III, but for the design basis accident, the most severe initial conditions are assumed. For the accident, the reactor is initially at low temperature, with flow through the core after the burst. The initial conditions for the accident are:

(1) A 0.6% ΔK/K reactivity step insertion.

(2) The simultaneous failure of the automatic safety system.

(3) The reactor is at low power level, ambient temperature (30°C) and is critical.

(4) The reactor coolant pump remains in normal operation after the burst.

Again, the reactor power level increases by a 0.2 second asymptotic period; however, the peak power level is 4 MW with 2.5 MW-sec of energy released up to this point. The maximum fuel plate temperature is 100°C, with the equilibrium power level at 1.4 MW. The results of this power excursion are shown in Table 6.2.

It is now evident that the increased equilibrium power level may create a minor radiation hazard, in a reactor shielded for a 500 KW normal operating power level. The radiation levels during the burst may also be a minor consideration. The maximum fuel plate temperature is lower than that for Scenario III, which is to be expected.

6.3.3 Hypothetical Accident, Scenario IV

The final scenario in this accident analysis is investigated for purely academic reasons. It is not viewed as credible, or even possible. This accident is investigated to show that a large reactivity insertion into the VPI&SU reactor, even if it produces prompt criticality, will not result in adverse consequences. Before examining this accident, a discussion of how prompt criticality might be attained is in order.

By definition, prompt criticality is criticality achieved by only prompt neutrons. The operating license of the VPI&SU reactor restricts the excess reactivity of the reactor at any time to less than the delayed neutron fraction, making prompt criticality impossible at normal operating conditions. However, as the maximum excess reactivity of the VPI&SU reactor is determined at a moderator temperature of 84°F (29°C), and as the VPI&SU reactor has a large negative reactivity coefficient, the excess reactivity can be increased by a cold water injection. Reducing the moderator temperature by 28°C to 1°C results in reactivity insertion of 0.2% ΔK/K. This gives a new excess reactivity of 0.8% ΔK/K, making prompt criticality possible.

To place the prompt critical condition in the proper perspective, a means of reducing the moderator temperature by 28°C must be determined. The most reasonable means of reducing the moderator temperature is by a cold water injection of water other than the primary coolant. The worst cold water injection into the core, producing the prompt critical condition, requires the instantaneous total failure of the heat exchanger introducing 1°C water into the primary piping from the secondary supply system. The injection also must occur with none of the cold water mixing with the hotter primary coolant, and with the cold water being introduced into the whole core instantaneously. In reality, this cold water injection could only be a ramp insertion of reactivity, as the flow of the cold water through the core could not be instantaneous. Thus, the worst hypothetical step insertion of reactivity by cold water injection requires: (1) the secondary coolant water at a temperature of 1°C, (2) the instantaneous total failure of the heat exchanger, (3) no mixing between the primary coolant and the injected cold water and (4) the instantaneous introduction of the injected cold water to the whole core. This failure in itself is indeed incredible. Nevertheless, for the prompt critical condition, the instantaneous cold water injection must occur simultaneously with the insertion of all the excess reactivity of the reactor. In view of these requirements, it is very reasonable to regard the hypothetical accident as impossible.

Finally, in reference to earlier excursion analysis, this accident has the most rapid power increase, and thus, is the most likely accident to have the power peak before the reactor trip execution. It is questionable as to whether a reactor trip could terminate this power increase; however, with or without reactor trip, high power levels would be obtained. As will be shown, even without reactor trip, this excursion will not produce adverse consequences.

Scenario V

This accident is the hypothetical accident. The equipment failure and excess reactivity insertion are the same as in Scenario IV. In addition to these conditions, it is assumed the heat exchanger fails so as to instantly inject cold secondary coolant water into the whole core, simultaneously with the excess reactivity insertion. The initial conditions of this accident are:

(1) A 0.6% ΔK/K reactivity step insertion.

(2) The simultaneous failure of the automatic safety system.

(3) The simultaneous injection of cold water of temperature 1°C, instantaneously into the whole core, resulting in a 0.2% ΔK/K step reactivity insertion. This cold water injection is the result of the failure of the heat exchanger, prior to reactivity insertions.

(4) The reactor is at low power level, ambient temperature (30°C) and is critical.

(5) The reactor coolant pump remains in normal operation after the burst.

From the insertion of 0.8% ΔK/K, the reactor power increases on an asymptotic period of 90 msec to a peak power of 14 MW, with an energy release up to peak power of 2.5 MW-sec, and a maximum fuel plate temperature of 100°C. Power then decreases to an equilibrium power level of 1.7 MW. The results of this power excursion are shown in Table 6.2.

This accident shows that the prompt critical condition does not produce extremely adverse consequences in the VPI&SU reactor. Although the peak power level is much larger than the peak power level of the maximum credible accident (Scenario IV), the energy released up to peak power is the same for both accidents, being 2.5 MW-sec. This implies that although the maximum radiation levels will differ, the burst radiation doses will be the same. Equilibrium power levels do not vary greatly, implying the doses at equilibrium power will also be about the same. There is one minor difference between the hypothetical and design basis accidents in that the delayed neutron tail of the hypothetical accident will result in higher radiation dose. This difference, however, should be small, as the approach to equilibrium power level is very rapid (less than 10 seconds) in both cases.

6.4 Conclusions from Accident Analysis

There are several important conclusions that can be drawn from the hypothetical accident. In examining these conclusions, it should be noted that the hypothetical accident requires conditions much more severe than those of the design basis accident. This denotes the conservative nature of the conclusions and supports the inherent safety of the VPI&SU reactor.

The conclusions of the hypothetical accident are best viewed in comparison to the SPERT-I reactor destructive test [6.7.14]. Table 6.3 shows analogous excursion data for the two excursions. Note the large reactivity insertion (3.5 dollars) and the high maximum fuel temperature (600°C) of the SPERT-I destructive test. For fuel melting, water expulsion, and a core disassembly of the VPI&SU reactor similar to the SPERT-I destructive test, the reactivity insertion must be very large, about 3.3% ΔK/K (5.1 dollars), resulting in a very small period, about 5 msec. This reactivity insertion is more than four times the magnitude of the hypothetical accident reactivity insertion. Clearly, it can be concluded that the hypothetical accident of the VPI&SU reactor is characterized by no fuel melting, no water expulsion, and no core disassembly.

Finally, these conclusions are emphasized by the inherent safety characteristics denoted in the safety evaluation of the VPI&SU reactor Construction Permit Application. The inherent safety characteristics are:

(1) A long neutron lifetime.

(2) Very low built-in excess reactivity.

(3) A negative temperature coefficient of reactivity.

(4) A negative void coefficient of reactivity.

The safety of the long neutron lifetime is exemplified by the comparison of the input reactivity for core disassembly of the SPERT-I and VPI&SU reactors. The SPERT-I reactor requires a 3.5 dollar insertion to produce a shorter period [6.7.14] and the VPI&SU reactor requires a 5.1 dollar insertion. The low built-in excess reactivity limits the severity of the power burst, as shown in Scenario IV. A severe power burst is not produced for even the credible insertion of reactivity in Scenario V. The negative temperature coefficient of reactivity both limits the burst peak power magnitude, and aids in the quick approach to a lower equilibrium power level. Finally, although it does not aid in termination of the VPI&SU reactor excursion model bursts, the negative void coefficient of reactivity assists the maintenance of a low equilibrium power level. Furthermore, the negative void reactivity coefficient is a reserve safety mechanism, available for the large, but incredible reactivity insertion. It is obvious that these inherent safety characteristics provide the safe and predictable behavior of the VPI&SU reactor.

TABLE 6.3 COMPARISON OF EXCURSION DATA FOR THE VPI&SU REACTOR HYPOTHETICAL ACCIDENT AND THE SPERT-I REACTOR DESTRUCTIVE TEST

| | VPI&SU Hypothetical Accident * | SPERT-I Destructive Test ** |
|---|---|---|
| step reactivity insertion (dollars) | 1.2 | 3.5 |
| asymptotic reactor period (msec) | 90 | 3.2 |
| peak power (MW) | 14 | 2300 |
| energy released up to peak power (MW-sec) | 2.5 | 14 |
| maximum fuel plate temperature (°C) | 100 | 600 |

\* source of data:

\** source of data:

In summation, the accident analysis of the VPI&SU reactor shows that the greatest danger in a power excursion of the VPI&SU reactor lies only in the radiation levels in the immediate area. With the addition of shielding for the 500 KW power level increase these radiation levels will be tolerable. For any credible power excursion of the VPI&SU reactor, there is no danger of fuel melting, water expulsion, or core disassembly. The inherent safety of the VPI&SU reactor is demonstrated by the inability to produce severe consequences during all credible accidents and during the most reasonable hypothetical accident.

6.7 Fault Tree Analysis of DBA

6.7.1 Nomenclature and Symbols

The technique of fault tree analysis has been applied extensively to the problems of nuclear reactor safety [6.7.1]. Qualitative fault tree analysis provides a description of the causes of an undesired event of the system, while quantitative fault tree analysis utilizes failure data to obtain probability estimates of accidents. Fault tree logic symbols are shown in Figure 6.4. Failure data can also be interpreted through a statistical model of failure frequency called the 'bathtub' curve, shown in Fig. 6.5.

For this model, a component failure can occur in one of three stages of its lifetime: (1) during the break-in or debugging stage, (2) during the stage of random failures at a constant rate, or (3) during the wear-out stage. Analysis of failure data for fault trees should consider these stages in the component lifetime. Furthermore, the importance of these stages can be determined by the fault tree analysis of the system. For example, the probability of a primary event identified as a wear-out failure can be reduced by improved maintenance or by more frequent replacement of a failing component.

6.7.2 Qualitative Analysis

The fault tree of the VPI&SU reactor design basis accident (dba) is illustrated in Fig. 6.6. The construction of the VPI&SU reactor dba fault tree begins with the top event. The top event in this fault tree is the dba as described in Scenario IV. The dba requires a fault through an INHIBIT gate, with the inhibit condition being the step insertion of 0.6% ΔK/K reactivity. Generally, this condition will occur as the result of an operator error, but further development will not be done in this study. The fault is the failure of the automatic safety system, and is developed below.

Figure 6.4 FAULT TREE LOGIC SYMBOLS

Event Representation

Rectangle: A fault event, usually resulting from the combination of more basic fault events acting through a logic gate.

Circle: A basic component fault, requiring no further development.

Diamond: A fault event not developed to its cause.

Logic Operators

AND Gate: The logical operation in which the coexistence of all the input events is required to produce the output event.

OR Gate: The logical operation in which the existence of an input event is sufficient but not necessary to produce the output event.

INHIBIT Gate: The logical operation in which the input event directly produces the output event if the indicated condition is present.

Figure 6.5 The 'Bathtub' Curve Model of Failure Frequency [35,36]

(Regions shown along the time axis: Break-in Failures; Random Failures at Constant Rate; Wear-out Failures.)

Figure 6.6 Fault Tree of the VPI&SU Reactor Design Basis Accident

(Events shown: Maximum Credible Accident; Insertion of 0.6% ΔK/K; Failure of Automatic Safety System; Execution Failure; Initiation Failure; All Control Rods Fail to Insert; Dump Valve Fails to Open; Scram Signal not Initiated by Nuclear Instrumentation; Hot Short; Shim Fails; Safety #1 Fails; Safety #2 Fails; Power Channel #1 Fails; Power Channel #2 Fails; Period Channel Fails.)

Inclusion of the insertion of 0.6% ΔK/K reactivity in the fault tree emphasizes the fact that a failure of the automatic safety system alone will not result in the dba. For the dba to occur, the automatic safety system must fail when its service is required, i.e., during the condition of an insertion of 0.6% ΔK/K reactivity. It should be emphasized that these events must occur simultaneously. This logic situation demonstrates the principle of failure when service is required. Furthermore, analysis of the VPI&SU reactor has not determined a common mode failure which will both insert the 0.6% ΔK/K reactivity and cause the failure of the automatic safety system.

The automatic safety system fault is developed to produce two events either of which must occur for the system to fail. The events, acting through an OR gate, are the failure of the scram signal to be initiated or received by the control rods and the dump valve, and the failure of the control rods and dump valve to execute the scram after receiving the scram signal.

The branch developing the failure of the scram signal to be initiated or received by the control rods and dump valve fault has two initiating events, tied by an OR gate. The first is the failure of the scram signal to be initiated by the scram bus. The second is the cancellation of the scram signal by a hot short. The scram initiation circuits are designed with redundancy and the physical separation of the redundant components, making a hot short incredible. A hot short would require application of voltage to several circuits physically separated from each other. The paths and means of these multiple shorts could be investigated, but as the total accident is not credible, the failure is treated as a primary failure, with a low probability assigned to it. The treatment of the hot short demonstrates the concept of the use of a base event without branch development. In consideration of the extremely low probability of a hot short and the higher probability of the failure of the scram bus to initiate the scram signal, only the second failure will be investigated with corrective action in mind. This approach is consistent with the concept of using failure data to evaluate an OR gate in order to determine which initiating event corrective action would be most effective.

The scram signal can be initiated by any of three safety channels in the nuclear instrumentation. The channels are: Power Channel #1, Power Channel #2, and the Period Channel. In the dba, the reactor scram setpoint is exceeded in each of the three safety channels. Hence, for the scram signal not to be initiated, the failures of all three safety channels must exist, with each of these events acting through an AND gate. Only two means of failure of the safety channels will be developed. First, the channel detector and/or the electrical lines to the detector can fail, causing the channel to fail low. Second, the setpoint can be set excessively high, resulting in no scram initiation for high readings. It should be noted that for normal reactor operation, the setpoints are checked by the operator before each startup, and the reading of each safety channel meter is noted by the operator at least once each hour during operation.

The branch developing the failure of the reactor to execute the scram after receiving the scram signal has two faults, acting through an AND gate. The first fault is the failure of the dump valve to open. The second fault is the failure of the control rods to be inserted. There are three control rods which are inserted by a reactor scram: Safety #1, Safety #2, and the Shim rod. These rod insertion failures act through an AND gate.

This completes the development of the VPI&SU reactor dba fault tree. Further development of the primary events will be discussed later during the quantification of the fault tree.

The fault tree of the dba provides much qualitative information about the system. For example, the minimal cut sets can be identified as:

(1) Insertion of 0.6% ΔK/K. Failure of Power Channel #1, Power Channel #2, and the Period Channel to initiate scram signal.

(2) Insertion of 0.6% ΔK/K. Introduction of a hot short cancelling the initiation of the scram signal.

(3) Insertion of 0.6% ΔK/K. Failure of Safety #1, Safety #2, and Shim control rods to be inserted upon receiving the scram signal. Failure of the dump valve to open upon receiving the scram signal.

Redundancy-defeating characteristics and common mode failures can also be identified from the fault tree. The redundancy of the three control rods can be defeated by a common mode failure with common characteristics such as environment or manufacturing process. The redundancy of the three safety channels can also be defeated by a similar common mode failure with common characteristics of environment or manufacturing process. (It is noted that components of both of these redundant systems were located in the core area of the VPI&SU reactor, and hence, were subjected to an environment of neutron and gamma irradiation and high humidity.) These redundancy-defeating, common mode failures will be discussed further during the fault tree quantification. The final AND gate in the fault tree has the initiating events of the dump valve failing to open and all three control rods failing to be inserted. No common failure precipitating all these initiating events could be found.

The qualitative fault tree analysis of the dba is completed with the evaluation of the depth of fault tree branch development. The failure modes which may cause the primary events are not well enough known at this time to further develop these events. As will be shown later, failure data is minimal and indicates that knowledge of all the failure modes of the primary events is not complete. Nevertheless, the safety of the system can be evaluated using the fault tree illustrated in Fig. 6.6 and the available data.

Quantitative Analysis

A necessary requirement for the quantitative analysis of a fault tree is an adequate data base. The data base of the VPI&SU reactor dba fault tree is taken from the operating records of the reactor. The reactor has been operating since December 1959; however, there have been changes in the control panel and control rod drive mechanisms. These changes make data standardization over the lifetime of the reactor difficult if not impossible. Another major factor affecting failure data is the increased usage of the reactor in later years. Despite these discontinuities an attempt will be made to standardize the failure data to the current status of the VPI&SU reactor. Variations from this theme will be noted and adjustments will be aimed toward this model. All data are taken from the reactor logs up to and including run #3316, on May 10, 1976.

The model for present day usage of the VPI&SU reactor is taken from the Annual Report of 1975 [6.6.17]. During 1975, there were 124,366 kilowatt hours of operation (at a maximum power level of 100 KW) and 251 startups (runs). This yields an average of 485 kilowatt hours per run of the reactor, or approximately 5 hours of operation at full power (100 KW) per run. Allowing for refueling and maintenance, the frequency of runs is approximately 5 runs per week. A further adjustment is made for low power operation of the reactor. Because low power operation has little power output, the low power operation usage is not properly represented in the total power output for the year. Determination of failure frequency requires the total time of operation. To account for low power operation, the power output will be increased 20%, thus increasing the operation time by 20%. Hence, the usage model is 30 hours of full power operation per week for 50 weeks per year, or 1,500 hours of full power operation per year. The model also assumes 250 runs per year of 6 hours each.

This model year will be viewed as the standard year for all previous operation. The model is further developed to estimate 10 more years of reactor operation (from run #3316) for the remainder of the reactor lifetime, or a total of 6,000 runs or 36,000 hours during the entire reactor lifetime.

The frequency of surveillance of the automatic safety system will also be modeled to produce a uniform data base. The frequency chosen is inverse hours for primary events. It is useful to utilize the inverse year frequency for major faults (such as the automatic safety system failure or the maximum credible accident), to permit comparison with the 1.0x10 yr standard in WASH 1400 [6.7.18].

Not all automatic safety system components receive hourly surveillance. The minimum frequency of surveillance is run^-1 (once per run or reactor startup), which can be converted to 0.17 hr^-1. The assumption of hourly surveillance is a conservative assumption.

A review of each component's surveillance will aid in explaining the frequency of surveillance model. The components receiving inverse run surveillance are: all the control rods (each inserted every shutdown), the dump valve (opened every shutdown and once before every startup), and the safety channel setpoints (observed before every startup). It is recognized that setpoints can drift, but the startup procedure limits the maximum value of a Power Channel setpoint to less than 150% full power, and the Period Channel setpoint to greater than 5 seconds. Setpoint drifts exceeding these limits must occur after the startup surveillance of that run. The safety channel calibration and operability are determined at least hourly. During this hourly surveillance, each safety channel power level output is compared with the other safety channel power level outputs and to an additional reactor power level meter, the Keithley picoammeter. This surveillance of safety channels could be defeated by the simultaneous failure of all four of these channels; however, failure data indicates this phenomenon has a probability of 5.7x10^-15 yr^-1, which suggests that it can be ignored. Furthermore, the power level is also determined hourly with a heat balance calibration, which is compared to the nuclear instrumentation channels.

This discussion completes the surveillance frequency model and establishes the base for the following failure data discussion.

The failure data base of the VPI&SU reactor automatic safety system is discussed below. The failure data are listed in Table 6.4.

TABLE 6.4 FAILURE DATA FOR THE VPI&SU REACTOR DESIGN BASIS ACCIDENT FAULT TREE

| run # | date | description of failure |
|---|---|---|
| 3316 | 5/10/76 | Power Channel #2 failed low during operation, due to detector cable insulation deterioration. |
| 3316 | 5/10/76 | No failure, maintenance inspection at shutdown revealed Safety control rod #1 bearing corrosion. |
| 3248 | 2/11/76 | Power Channel #2 failed low during operation, due to broken out of core connector. |
| 3187 | 11/3/75 | Safety Control Rod #2 failed to fully insert upon reactor scram, due to bearing corrosion. |
| 3167 | 10/6/75 | Overpower scram, due to operator error. |
| 2876 | 8/8/75 | No failure, maintenance inspection at shutdown revealed Period Channel detector cable insulation deterioration. |
| 2642 | 9/6/73 | No failure, maintenance inspection at shutdown revealed Power Channel #1 and Power Channel #2 detector cable insulation deterioration. |
| 2545 | 4/20/73 | Dump valve failed to open upon reactor scram, due to moderator temperature at scram being less than moderator temperature at valve closure. |
| 2525 | 3/20/73 | No failure, maintenance inspection at shutdown revealed Power Channel #2 detector cable insulation deterioration. |
| 2382 | 8/15/72 | No failure, maintenance inspection at shutdown revealed Keithley detector cable insulation deterioration. |
| 2271 | 4/7/72 | Safety Control Rod #2 failed to fully insert upon reactor scram, due to alignment problem. |
| 2161 | 9/7/71 | Overpower scram, due to operator error. |
| 2062 | 4/30/71 | Dump valve failed to open upon reactor scram, due to improper maintenance. |

The first failure data investigated are the failures of control rod insertion. On March 28, 1972, after run #2266, the control rod drive mechanisms were modified to their present state. Since run #2266, two control rod insertion failures have occurred during runs #2271 and #3187. Furthermore, although there was no failure, during maintenance following run #3316, moderate bearing corrosion was noted on one control rod drive mechanism.

The analysis of this data indicates no severe abnormalities. The first failure at run #2271 was reported to be caused by a misalignment problem, probably a break-in failure. The second failure at run #3187 was reported to be caused by bearing corrosion of a component inside the core area. The corrosion was reported to be caused by the high humidity and radiation environment of the core area. The bearing corrosion noted at run #3316 was the same as the bearing corrosion of run #3187. The corrosion of runs #3187 and #3316 indicates failure in the wear-out stage of the component lifetime. The maintenance surveillance of run #3316 detected the buildup of corrosion and resulted in corrective maintenance.

Therefore, the data support corrective maintenance, but indicate the frequency of maintenance should be standardized and perhaps increased. Also, the data suggest a common mode failure of bearing corrosion. Accordingly, with the assumption that the failure at run #2271 was a break-in failure, the failure rate of the control rods is one failure for one of three control rods per 1,045 runs, or one failure of a specific control rod per 12.6 years, or one failure per 18,900 hours (5.29x10^-5 hr^-1).

The next failure to be quantified is the failure of the dump valve to open. Two dump valve failures have been recorded. The first failure was during run #2062 and was caused by improper maintenance. The second failure was during run #2545 and was due to the moderator temperature at scram (required valve opening) being less than the moderator temperature at valve closure. A procedure now exists which prohibits scheduled opening of the valve if the moderator temperature drops below the temperature at valve closing. The dump valve failure rate is 2 failures per 3,316 runs, or one failure per 6.6 years, or one failure per 9,950 hours (1.01x10^-4 hr^-1).

The safety channel failures are the most severe component failures, as the failure of all three safety channels with a 0.6% ΔK/K reactivity insertion constitutes a minimal cut set of the dba. Failure data is taken after run #2057, when the present control panel was installed. There have been two reported safety channel failures during reactor operation. The first failure, during run #3248, was caused by a simple out-of-core connector failure. The second failure, during run #3316, was caused by in-core detector cable insulation failure. Detector cable insulation deterioration was also discovered on four previous occasions; after runs #2876, #2642, and #2525; maintenance during shutdown indicated the possible future failure of a nuclear instrumentation channel caused by in-core detector cable insulation deterioration. This indicates a common mode failure, with the core environment of high humidity and radiation causing the failure of each safety channel through deterioration of the detector cable insulation. The relocation of neutron detectors described in Chapter 2 should drastically reduce this common mode failure in the future.

The safety channel data is analyzed by using only the failures which occurred during operation. The failure of run #3248 is used with the caveat that it is not an accurate indication of this type of equipment failure. The component that failed does not have a high failure rate, so inclusion of this failure produces conservative data. Thus the safety channel failure rate is two failures for one of three safety channels per 1,258 runs, or one failure of a specific safety channel per 15.1 years, or one failure per 22,650 hours (4.42x10^-5 hr^-1).

A hot short has never occurred at the VPI&SU reactor; hence, there is no data for quantifying the hot short failure event. As discussed previously, this event is viewed as not credible, and as such its probability is assumed to be near zero. A failure rate of 1.0x10^-20 hr^-1 is arbitrarily assigned to this event, with the consideration that such a low number will not affect the fault tree quantification but will establish the low probability of the event.

The final failure is the INHIBIT condition of the step input of 0.6% ΔK/K reactivity into the reactor. Again, as this event has never occurred, there is no failure data for its quantification. Investigation has revealed two operator errors producing minor reactivity insertions resulting in overpower scrams during runs #3167 and #2161. The magnitude of these reactivity insertions is unknown; however, these operator errors suggest that it is reasonable to assume that an operator error could result in a reactivity insertion of 0.34% ΔK/K, producing a period scram within the reactor lifetime. This assumption is substantiated by the estimated occurrence of an operator-controlled 0.26% ΔK/K insertion (producing a 10 second reactor period) once per year. The above data indicates that the assumption of one 0.6% ΔK/K reactivity insertion during the reactor lifetime is credible, but very conservative. Hence, with this assumption, the failure rate of a 0.6% ΔK/K reactivity insertion is assumed to be once per 24 years, or once per 6,000 runs, or once per 36,000 hours (2.8x10^-5 hr^-1). This completes the data base for the dba fault tree.

The quantified fault tree, using the above data base, is shown in Fig. 6.7. Observation of the scram execution branch of the fault tree indicates that the probability of all the control rods failing to insert is 1.48x10^-13 hr^-1. This leads to a failure rate of 1.50x10^-17 hr^-1 for the scram execution failure. The scram initiation failure rate is 8.64x10^-14 hr^-1, which is the probability of all three safety channels failing. These branch failure rates allow the determination of the failure rate of the automatic safety system, which is 8.64x10^-14 hr^-1, or 1.30x10^-10 yr^-1. Finally, the probability of the maximum credible accident is 2.42x10^-18 hr^-1 or 3.63x10^-15 yr^-1.
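The quantification above, together with the minimal cut sets from the qualitative analysis, can be reproduced mechanically. The following is an added example, not part of the original report: the event names and the `TREE`/`RATES` layout are assumptions of this example, the rates are those quoted in the text, and it follows the report in multiplying hourly rates through AND and INHIBIT gates and adding them through OR gates.

```python
from itertools import product
from math import prod

HOURS_PER_YEAR = 1500  # usage model in the text: 30 h/week for 50 weeks

# Primary-event rates in hr^-1 as quoted in the text (names are this example's).
RATES = {
    "insertion of 0.6% dK/K": 2.8e-5,
    "Safety #1 rod fails": 5.29e-5,
    "Safety #2 rod fails": 5.29e-5,
    "Shim rod fails": 5.29e-5,
    "dump valve fails to open": 1.01e-4,
    "Power Channel #1 fails": 4.42e-5,
    "Power Channel #2 fails": 4.42e-5,
    "Period Channel fails": 4.42e-5,
    "hot short": 1.0e-20,
}

# Gate structure of the dba fault tree as described in the qualitative analysis.
TREE = {
    "dba": ("INHIBIT", ["automatic safety system fails",
                        "insertion of 0.6% dK/K"]),
    "automatic safety system fails": ("OR", ["scram execution fails",
                                             "scram initiation fails"]),
    "scram execution fails": ("AND", ["all control rods fail to insert",
                                      "dump valve fails to open"]),
    "all control rods fail to insert": ("AND", ["Safety #1 rod fails",
                                                "Safety #2 rod fails",
                                                "Shim rod fails"]),
    "scram initiation fails": ("OR", ["scram signal not initiated",
                                      "hot short"]),
    "scram signal not initiated": ("AND", ["Power Channel #1 fails",
                                           "Power Channel #2 fails",
                                           "Period Channel fails"]),
}


def rate(node):
    """Gate-by-gate value: product through AND/INHIBIT, sum through OR.

    The sum is the rare-event approximation; the inputs are assumed
    independent, which is exactly what a common mode failure would violate.
    """
    if node in RATES:
        return RATES[node]
    gate, children = TREE[node]
    values = [rate(child) for child in children]
    return sum(values) if gate == "OR" else prod(values)


def minimal_cut_sets(node):
    """Top-down expansion of the tree into minimal sets of primary events."""
    if node in RATES:
        return {frozenset([node])}
    gate, children = TREE[node]
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":      # any one child's cut set is enough
        sets = set().union(*child_sets)
    else:                 # AND / INHIBIT: one cut set from every child
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop any set that strictly contains another (not minimal).
    return {s for s in sets if not any(other < s for other in sets)}


def cut_set_rate(cut_set):
    return prod(RATES[event] for event in cut_set)


def ranked_cut_sets(node="dba"):
    """Minimal cut sets ordered by contribution, largest first."""
    return sorted(minimal_cut_sets(node), key=cut_set_rate, reverse=True)


if __name__ == "__main__":
    for cs in ranked_cut_sets():
        print(f"{cut_set_rate(cs):.2e} hr^-1  {sorted(cs)}")
    top = rate("dba")
    print(f"dba: {top:.2e} hr^-1 = {top * HOURS_PER_YEAR:.2e} yr^-1")
```

The ranking makes the dominance of the three-safety-channel cut set explicit, which is why corrective action on scram initiation pays off most.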

6.6. Conclusions from the Fault Tree Analysis

Several conclusions can be drawn from this fault tree quantification. Most significantly, the automatic safety system has a very low probability of failure. This produces an extremely low probability of the occurrence of the dba. In simpler terms, the VPI&SU reactor dba will occur once every 2.75x10^14 years. The dba probability of 3.63x10^-15 yr^-1 is much less than the WASH 1400 standard of 1.0x10 yr.

The second conclusion regards the corrective action upon OR gate initiating events. The branches concerned are the scram execution failure branch, and the scram initiation failure branch, acting through an OR gate to produce the automatic safety system failure. The failure data indicates the scram initiation failure rate is greater than the scram execution failure rate by a factor of 5,760. Clearly, corrective action reducing the scram initiation failure rate would be most effective.

Figure 6.7 Quantification of the VPI&SU Reactor Design Basis Accident Fault Tree

6.7 References

6.7.1 Hazards Analysis, UTR-10 Standard Model, Advanced Technology Laboratories Report ATL-137, Oct. 1, 1959. (Proprietary Information)

6.7.2 (Safety Analysis, 10 to 100 kw)

6.7.3 Tuley, K. D., "The Power Excursion Safety Analysis of the VPI&SU Reactor 500 KW Model," Unpublished M.S. Thesis, VPI&SU, Aug. 1976.

6.7.4 Nyer, W. E., et al., "Experimental Investigation of Reactor Transients," IDO-16285, Phillips Petroleum Co., April 20, 1956.

6.7.5 Forbes, S. G., et al., "Analysis of Self-Shutdown Behavior in the SPERT-I Reactor," IDO-16528, Phillips Petroleum Co., July 23, 1959.

6.7.6 Bright, G. O. (ed.), "Reactor Projects Branch Quarterly Progress Report for July, August, September, 1958," IDO-16512, Phillips Petroleum Co., May 6, 1959.

6.7.7 Bright, G. O. and Forbes, S. G., "Miscellaneous Tests with the SPERT-I Reactor," IDO-16551, Phillips Petroleum Co., October 23, 1959.

6.7.8 Nyer, W. E. and Forbes, S. G., "SPERT Program Review," IDO-16634, Phillips Petroleum Co., October 19, 1960.

6.7.9 Lennox, D. H. and Kelber, C. N., "Summary Report of the Argonaut Reactor," ANL-5647, Argonne National Laboratory, December 1956.

6.7.10 Miller, L. D., "Calculations of Reactivity Behavior During SPERT-I Transients," IDO-16317, Phillips Petroleum Co., June 1, 1957.

6.7.11 Haire, J. C., "Subcooled Transient Tests in the SPERT-I Reactor Experimental Data," IDO-16342, Phillips Petroleum Co., July 1, 1958.

6.7.12 Schroeder, F., et al., "Experimental Study of Transient Behavior in a Subcooled, Water-Moderated Reactor," Nuc. Sci. Eng., Vol. 2, pp. 96-115, 1957.

6.7.13 Foster, A. R. and Wright, R. L., Jr., Basic Nuclear Engineering, Allyn and Bacon, Inc., 1973.

6.7.14 Phillips Petroleum Co., "Quarterly Technical Report for October, November, December, 1962," IDO-16890, May 17, 1963.

6.7.15 Miller, R. W., Sola, A., and McCardel, R. K., "Report of the SPERT-I Destructive Test Program on an Aluminum, Plate-Type, Water Moderated Reactor," IDO-16883, Phillips Petroleum Co., June 1964.

6.7.16 Wing, A. P., "Transient Tests of the Fully Enriched, Aluminum Plate-Type, B Cores in the SPERT-I Reactor: Data Summary Report," IDO-16964, Phillips Petroleum Co., June 1964.

6.7.17 Stone, R. T., Annual Report to the NRC, 1975.

6.7.18 U.S. Nuclear Regulatory Agency, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400, October 1975.