This (very long) post is a compilation of my prepared notes from the interview Q&A session.
QUESTION # 1: Please provide us with a brief background of this project. How did ORNL see the necessity to conduct such studies in the early 1980s?
· MY ANSWER:
What we now call “severe accidents” were first studied in 1957, when the AEC released WASH-740. They looked at a hypothetical Maximum Credible accident in which 50% of the core of a (small by today’s standards) nuclear power plant were released into the atmosphere 30 miles from a major city. They did not estimate the probability of such accidents.
· F. Reginald Farmer of the UK pioneered PRA methodologies and published a paper in 1965 in which he defined many of the fundamental approaches to reactor safety risk assessment that are still used today.
· The AEC published the WASH-1400 “Reactor Safety Study” in 1975. It was the first systematic attempt to assess and compare the risk of reactor operations to other common activities within society. Among other things, the RSS concluded
(1) the risks to the public of commercial nuclear power plant operations (expressed as expected fatalities, injuries, and property damage from reactor accidents) was small compared to other normal activities of life such as driving a car, commercial aviation, tornadoes and hurricanes, etc.
(2) the risk of reactor operations was dominated by transients such as station blackout, loss of decay heat removal, and failure to shut down the reactor; and small break loss of coolant accidents (LOCAs) – rather than the large-break LOCAs.
· The accident at Three Mile Island Unit-2 occurred in March 1979, and involved an accident sequence of the generic type the WASH-1400 study concluded was risk-dominant.
· Immediately following the TMI-II accident, the U.S. Nuclear Regulatory Commission launched the Cooperative Severe Accident Research Program (CSARP), which included a variety of R&D activities. Among them, was a focus on detailed systems-level accident sequence analysis for the risk dominant sequences identified by WASH-1400. ORNL was selected by the NRC to conduct the Boiling Water Reactor Severe Accident sequences in a program called the BWR Severe Accident Sequence Analysis (SASA) Program. Station blackout (which had been identified by WASH-1400 as an risk dominate sequence for BWRs) was selected as the first accident to be analyzed.
· Independent of NRC activities, the industry launched the Industrial Degraded Core (IDCOR) Rulemaking Program in 1981. IDCOR ran through about 1989, and included independent code and model development, plant analyses, and experiments funded directly by the nuclear industry.
· I joined ORNL in December 1978 immediately after graduate school (three months before the TMI-2 accident), and joined the SASA team in 1980.
QUESTION # 2: How were the studies conducted and what were the major findings? Please walk us through the accident sequences resulting in meltdown that were observed in the study.
· MY ANSWER:
First, it is important to understand that severe or “core melt” accident progression in nuclear reactors is generally broken into “phases”:
o Pre-core damage phase – from the triggering event to the beginning of core uncovery or damage.
o In-vessel degraded core phase – from beginning of core damage to failure or melt-through of the reactor vessel and escape of core debri into the primary containment
o Ex-vessel phase – from failure of the reactor vessel to failure of the primary containment, secondary containment, and release of radioactivity material into the environment.
o Post-containment failure phase – continued release of radioactivity from the reactor and it’s transport and deposition beyond the reactor site.
· Second, it is important to understand that our analyses were conducted with computer models that were primitive compared with the computer simulation tools we have available today. Nevertheless, the overall sequence of events developed in the 1981 analysis has held-up as being basically valid through many subsequent analyses since that time.
· As far as the accident progression goes:
ACCIDENT INITIATION:
a. the station blackout analysis we analyzed focused on the so-called “long-term station blackout”. The analysis we did in 1981 assumed a simple sequence in which the station battery lifetime was assumed to be only 4 hours, and we further assumed the operators did not take action to depressurize the reactor vessel (more about this later);
b. The reactor (BWR-4 / MK-I containment) was assumed to be operating at full power (3440 MWt / 1152 MWe), pressure (~1020 psig / 7 MPa), and temperature (530 ºF / 275 ºC);
c. An un-specified event was assumed to occur that resulted in complete loss of off-site power;
d. In addition, it was assumed that the station emergency diesel generators failed to start and load (as they normally would) upon loss of off-site power. Thus the station emergency diesel generators were assumed to never play a role in the plant’s response to the loss of off-site power;
e. Because neither off-site AC power or the emergency diesel generators are available, all power is supplied by the station batteries, which in our case, were assumed to be available for 4 hours.
f. It is very important to understand that no other equipment damage was assumed as part of the accident initiation. All other plant systems and equipment were assumed to be undamaged.
FIRST FEW MINUTES:
g. The plant “scrams” or shuts down in a first few seconds, and the reactor power level drops to just a few percent of full power, to ~2% within 1 hour, ~1% at 10 hours, and ~ 0.5% within a day. However, reactor power is still at ~ 0.3% after 1 week. For a large modern 1 GW-class BWR, this is still 50-70 MW of energy being released an hour after the reactor is "scramed".
h. The main steam isolation valves close, and the reactor is isolated behind the main steam isolation valves.
i. Steam-turbine driven reactor coolant systems act automatically to draw water from a large water storage tank outside of the reactor and inject it into the reactor to keep the core covered, adequately cooled, and in a safe condition.
j. The relieve valves in the reactor cycle automatically to maintain safe reactor pressure by venting reactor vessel steam into the million-gallon pressure suppression pool. Operators can also manually actuate these relieve valves to control reactor pressure and assure the pressure pool is not over-heat due to repeated venting of the same relieve valve.
FIRST 4 HOURS:
k. Barring reactor operator actions to the contrary, the situation described above continues for four hours, at which time the station batteries were assumed to be exhausted, and all water injection into the reactor ceases. Up until this time, the reactor would recover with no damage if AC power or emergency diesels were restored.
l. Following exhausting of station batteries, it is no longer possible to inject water into the reactor vessel or to depressurize the reactor vessel. The reactor water level gradually decreases as the reactor pressure relief valves dump steam into the suppression pool. Thus station battery lifetime is a key determinant of the time to initial core uncovery.
HOURs 4-6:
m. 5 hrs: The reactor core begins to uncover at 5 hours ( ~ 1 hour after the station batteries are exhausted) and the reactor fuel assemblies begin to heat up.
n. The water level in the rector continues to drop and the reactor fuel assemblies temperatures rise, eventually passing 1000 ºC, at which point the zircaloy fuel assemble structures and fuel cladding being to react with the steam, releasing more energy and hydrogen (which is being vented to the pressure suppression pool through the relief valves). Can generate 500-600 kg of hydrogen or more.
HOURs 6 - 6.5:
o. 6 hrs: The reactor water level drops below the core and stainless steel control blades and fuel melting begins ~ 2 hours after core uncovery. A large BWR such as Browns Ferry can have over 250 MT of fuel in it – not including control blades and other structures. Molten control plate material, zirconium structure, fuel pellets, and melted fuel move downward or “candle” down to the reactor core plate.
Material
|
Melting Temperature (ºC)
|
Stainless Steel
|
1450
|
Zircalloy
|
1850
|
Boron Carbide
|
2440
|
UO2
|
2800
|
p. 6.5 hrs: The core collapses into the lower head @ 2.5 hrs after cover uncovery
HOURs 6.5 - 7:
q. 7 hrs: The reactor vessel fails and core debris leaves the reactor and falls in the containment floor 3 hrs after core uncovery.
HOURs 7 - 8.5:
r. 8.5 hrs: The hot core debris escaping the reactor vessel begins interacting with the concrete floor of the drywell, releasing steam, and non-condensible gases, accelerating the heatup and pressurization of the primary containment.
s. The drywell (primary containment) fails at ~ 8.5 hr as the seals in drywell electrical penetrations are blown out, allowing radioactive gases, aerosols and hydrogen to flow into the surrounding reactor building.
s. The drywell (primary containment) fails at ~ 8.5 hr as the seals in drywell electrical penetrations are blown out, allowing radioactive gases, aerosols and hydrogen to flow into the surrounding reactor building.
Our understanding of the details of the station blackout severe accident sequence discussed above has evolved since 1981, as various experiments were conducted, better computer models became available, and more analyses were completed. Still, there are some areas of uncertainty in the details of important phenomena. However, the basic sequence of events developed in the 1981 analysis has been confirmed by several subsequent analyses. It is also important to note that ORNL re-ran the accident analyses in the early 1990s with an assumed 6 hour battery life (rather than 4 hour) and with the assumption the operators DO take action to depressurize the reactor vessel as we recommended. Under these assumptions, the timing of major events roughly doubled (e.g. ~ 10 hours to core uncovery and reactor vessel failure not occurring until over 15 hours after the start of the event).
QUESTION # 3: Based on these studies, what suggestions did ORNL make to the NRC?
· MY ANSWER:
Some changes in automatic plant system configurations could be helpful in delaying the accident event progression timing (such as adjusting the rules for switchover of the High Pressure Coolant Injection System water source from the condensate storage tank to the pressure suppression pool).
· Pro-active operator actions could be helpful in delaying accident event times. Chief among these was the benefit of depressurizing the reactor vessel before station batteries are exhausted. Depending on the timing of this action, it can have several beneficial consequences. If done early in the accident, it significantly reduces the rate at which heat is transferred from the reactor vessel to the drywell (primary contaiment) atmosphere – delaying primary containment temperature and pressure increases than can lead to containment failure. If done later in the sequence (just before or early in the core damage phase, this action quenches the core, drops the vessel water level below the fuel, limits the steam source available to drive exothermic heatup of the core due to steam/zirconium reactors, (and the resultant hydrogen production), and reduces the heatup rate of the drywell.
· A second recommended operator action was to take manual control of the reactor vessel pressure relieve valves to rotate SRV operation around the pressure pool, and prevent localized heatup and over pressurizing of the pressure suppression pool.
· In subsequent studies the ORNL team evaluated:
o drywell flooding as potentially important severe accident mitigation procedures to prevent reactor vessel melt-through
o containment venting to prevent containment failure (necessary for drywell flooding)
o borating condensate storage tank water to prevent recriticality during core reconfiguration
· And in general, it was learned that plant-specific design details (such as the lifetime of the batteries, the size of the condensate storage tank and pressure suppression pools, etc.) and operator actions can have significant impact on the event sequence timing.
QUESTION # 4: What kind of impact have these studies had on the safety measures and accident-management procedures adopted by US nuclear plants?
· MY ANSWER:
First, it is important to understand that ORNL’s analysis was but the first of many such analyses subsequently conducted between 1980 and 2000 by several different organizations (governmental and industrial). Both the Industry and the federal sector were mobilized. A great deal of effort was put into understanding and learning from the TMI-II event, expanding our fundamental understanding of severe accident phenomena, and evaluating what could be done to reduce the plants' vulnerability to such accidents. ORNL's work in the 1980s focused on analyzing the major BWR risk-dominant accidents from WASH-1400 (station blackout, small-break loss of coolant accidents, loss of decay heat remove events, and transients without scram events). The work continued through the 1990s, shifting to a focus on identifying accident prevention, coping, and mitigation procedures. There was a significant collaborative effort with the nuclear industry to improve their severe accident management procedures. As previously mentioned there were major parallel and complementary severe accident programs at the NRC and in Industry. All during this period, the both programs included an array of experimental efforts, computer code development activities, and plant-specific accident sequence and PRA analyses.
· In 1988, the NRC required every operating nuclear plant in the U.S. to conduct a so-called Individual Plant Examination (IPE) that was designed to understand how each plant fit within the generic risk profile established by the Reactor Safety Study and the so-called NUREG-1150 risk study.
· So during the period from 1980 through 2000, all of the U.S. plants were evaluated with respect to their risk of severe accidents, and many plant-specific full-scope probabilistic risk assessments were performed.
· There was a multi-year effort within industry to update their severe accident management guidelines, though I cannot say that all of the ORNL recommendations developed during the 1980s and 1990s were implemented.
· Following the Sept. 11, 2001 attack, the NRC also issued a directive that all plants again analyze and address any severe accident vulnerabilities to terrorist activities resulting in large scale fires or explosions."
END OF INTERVIEW NOTES....
Well, that's all for now. Take care everyone and have a wonderful Independence Day!
Sherrell
No comments:
Post a Comment