As has been stated before, the CRBRP design included two redundant and diverse control rod drive systems. The primary system design was similar to that used on both LMFBRs and LWRs on many previous plants. The secondary system was of a more recent vintage. Plant control was accomplished using the primary system while the secondary system was fully withdrawn during operation. Both systems would unlatch and the control rods would fall into the core under the influence of gravity with a scram spring assist on reactor trips for the primary system and a hydraulic assist on the secondary system.
The CRBRP project evaluated three different design approaches for the primary system, the Collapsible Rotor-Roller Nut Mechanism (CRRNM), the Magnetic Jack, and the Ball Screw.1 All three systems had a track record of extensive accumulated experience. The CRRNM design was selected primarily because of the extensive experience that had been accumulated on both commercial and naval reactors exceeded that of the other two concepts combined with its ability to accommodate the requirements for very fine control and a minimum 1000 lb. drive-in capability to free a stuck rod. The CRRNM was the only shutdown system installed on the FFTF. The system was extensively tested as a part of both the FFTF and the CRBRP projects to ensure it would perform as intended even though it was essentially the same system that had been used on many earlier reactors adapted to operate within a LMFBR environment.
Early in the conceptual design stage of the CRBRP project, it was decided that a second totally diverse system would be incorporated into the design. The thinking was that two independent diverse shutdown systems would reduce the failure to scram probability to below 10-6 per reactor year making design and analysis for ATWS events unnecessary. That thinking was based on ATWS probabilistic analyses which suggested failure to scram probability was less than 10-3 per reactor year for a single system. Thus, two diverse and redundant systems should reduce the failure to scram probability to the range of 10-6. It is worth mentioning that the so-called “line in the sand” on the CRBRP project was more directed at resistance to install a core catcher or anything resembling one. That mindset appears to have been primarily driven by the Fermi-1 experience rather than a refusal to consider and analyze the consequences of HCDAs.
As one of the three reactor vendors involved in the CRBRP project, General Electric was assigned the task of developing the secondary shutdown system. The system would be required to shut down the reactor from full power conditions to hot standby temperature (~600°F) in the unlikely event of a stuck rod following the maximum anticipated reactivity addition fault in the reactor.2 The original design with a homogeneous core called for just four of the control rod drive mechanisms (CRDMs) to be of the secondary design. Thus, the reactivity necessary to meet the above requirements were to be accomplished by just three rods. In the heterogeneous configuration, the Westinghouse designers decided they could reduce the number of primary control rods allowing the number of secondary control rods to be increased to six. The two control rod drive system designs, primary and secondary are shown in the figure below.3
Figure 37 CRBRP primary and secondary control systems
In the primary design, the scram latch is located within the mechanism outside the reactor. For the secondary system, the scram latch is located just above the control assembly. In the primary system, the control assembly when unlatched is driven by gravity and a spring. In the secondary system, a piston is placed below the assembly with high pressure primary coolant above the piston and low pressure coolant below the piston, thus driving the control rod in by both gravity and hydraulics. The number of absorber pins in the primary assembly was 37 arranged in a hexagonal array. In the secondary assembly, 31 pins are arranged in a circular array. The bundle for the primary system is hexagonal and operates within the hexagonal duct while the bundle for the secondary system is circular and the assembly operates within a cylindrical guide tube that is installed within the duct. Tripping of the primary system is accomplished by de-energizing the latch magnets which then release the roller nuts from the lead screw with a spring assist. Tripping the secondary system is accomplished by spring load to open pneumatic valves which vent the pneumatic piston located within the mechanism leading to ¼ inch of motion of the tension rod that activates the scram latch. Each system used its own sensors and logic circuits, which are diverse from one another. Even the systems for breaking the control rod motion following a trip were diverse. The secondary system designers did a fairly credible job demonstrating that the two systems were quite immune to common mode failure problems between each other.
The two systems together should have been enough to eliminate HCDAs from further consideration on the CRBRP project but they weren’t because of an ingrained Bethe Tait mindset that prevailed at the NRC and certain national laboratories and likely remains intact today. At the time CRBRP licensing was being pursued there existed numerous groups in the country that were committed to the analyses of HCDAs. There was a conviction held by some that the LMFBR will never win public acceptance unless it can be shown to be able to survive an HCDA. The fault in this reasoning is it misses the point. The issue is the reliability of the reactor shutdown system. Why is it assumed that it is not possible to provide a shutdown system that is demonstrably reliable? There is a contrast between the shutdown system and the decay heat removal system. While there has been a total failure of a decay heat removal system there has never been a total failure of a reactor shutdown system when it was called upon. Fukushima Daiichi is the obvious example of a failure of the decay heat removal system but less obvious was the Browns Ferry unit #1 fire in 1975. The Browns Ferry fire rendered all the safety grade systems that were provided for decay heat removal inoperative but action on the part of an informed operating crew brought systems to bear for ultimate core cooling that had never been intended for that purpose. So there have been at least two total failures of the decay heat removal system worldwide vs. no failures of the reactor protective system.
If sufficient reliability in the reactor shutdown system cannot be achieved with two independent diverse systems such as was provided on CRBRP, what can be done to increase that confidence? The shutdown system must perform its intended function without any margin for mistakes. The counter to the public acceptance argument in the preceding paragraph is that public acceptance will not likely be won by a technology that is uneconomic or so unreliable that it cannot be demonstrated that the system intended to shut down the reactor is reliable and therefore mitigation systems are required. There are additional measures that could be taken to improve the shutdown system reliability even beyond that achieved on CRBRP.
Along these lines, one of the key issues that required resolution for the adaptation of the CRRNM on the CRBRP was the misalignment introduced by the clearances required by the rotating plug supports, both risers and bearings. Up to one inch of misalignment was expected from this source requiring numerous design features combined with extensive testing for its accommodation. The CRBRP project demonstrated through a test program that it could accommodate this misalignment however; with either of the refueling approaches herein recommended this misalignment source is greatly reduced. Not only does this simplify the design but it improves confidence that the shutdown system will function as intended when called upon. It is noted that the secondary system in CRBRP was less affected by this misalignment issue since it used just a thin tension rod to the scram latch. Another confidence building improvement flowing from the design approach proposed herein is the much shorter driveline arising from the reduced length reactor vessel, reducing uncertainties in the control rod location arising from differential thermal growth. Reducing the length of the reactor vessel also improves its seismic response reducing yet another source of misalignment in the control rod drives. Yet another shutdown system enhancement inherent to the design approach has been alluded to elsewhere; the reduced core pressure drop, which removes the most credible motive force for rod ejection accidents.
A concept that appears to have been nearly forgotten in the collective consciousness of the nuclear industry is the idea of using a “partial insertion” as a part of the reactor protective system. The partial insertion involves powering the control rods a fixed amount (such as five inches) into the core using the control rod drive mechanisms operating at a much higher speed than is normally used for in and out motion. The amount by which the control rods are partially inserted could be established as the amount necessary to reduce the reactor power to zero plus some suitable margin. The advantage of the partial insertion is it makes use of the force available from the control rod drive mechanisms to power the rods inward should there be any obstruction in the path of the control assemblies. Another advantage is it takes the scram breakers out of the picture. It was a scram breaker failure at the Salem plant that started the ATWS discussions with LWRs. For a system that includes diverse and redundant shutdown systems patterned after the CRBRP designs, one of the two systems, most likely the primary system could use the partial insertion approach for reactor protection while the secondary system would drop the control rods by gravity. (Of course, if power is lost to the primary CRDMs, they would unlatch and the rods would fully insert.) The reactor plant that used the partial insertion concept had collapsible rotor roller nut mechanisms.
The automatic reactor cutback is a variation of this principle. Cutbacks involve set points slightly below the reactor trip set points and are generally intended to prevent trips from occurring in the first place. They have the added advantage of injecting diversity into the total system that is intended to protect the reactor. Cutbacks would involve mechanically driving the primary control assemblies into the core and be less susceptible to issues which could interfere with the free fall of the control assemblies.
Another concept from the past (SRE) is to operate the control assemblies fully within thimbles that are inserted into the core. The thimbles would be evacuated of sodium and filled with cover gas. Using thimbles would eliminate flowing sodium from interfering with control assembly operation and would permit continuous monitoring of control assembly alignment. Such an arrangement eliminates much of the discussion about the shutdown system reliability. If the mechanisms unlatch, the assemblies will fall. The shortened reactor vessel and refueling scheme proposed are the avenues which make such an approach more attractive. This is the sort of thing that is feasible in a low pressure sodium system but unthinkable in a water cooled reactor.
The BN-800 has adopted an approach specific to this issue4. During normal operation, the reactor’s control rods are hydraulically held in place by the flowing sodium at the top of the reactor core. If sodium flow decreases, the rods fall into vertical control rod channels in the reactor core and stop the chain reaction. Details are unknown from information available in the open literature, but from this description alone, there would not appear to be protection for TOP-ATWS events. Also, such a scheme would not be consistent with a plant designed for load following.
The unfortunate licensing fate of CRBRP prompted interest in the development of self actuated shutdown systems, especially at EPRI where two concepts had been patented by Larry Minnick, formerly with the Yankee Atomic Power Company and then an EPRI employee.5 The above Combustion Engineering referenced report describes three systems, two of which had been earlier patented by Mr. Minnick and compares them with a more technically modest concept based on levitated balls.6 All of these proposed design approaches were intended to protect against loss of flow events without scram. A more recent concept coming out of Japan is shown in the figure below.7
Figure 38 Curie point latch
This concept involves using a latch that is held in place magnetically using an alloy with a curie point that is sufficiently high so the latch remains engaged during normal operation but unlatches when the surrounding temperature reaches the curie point of the selected material and is significantly higher than that corresponding to normal operation. Since this concept is actuated by temperature rather than flow, it would presumably protect against both TOP- and LOF-ATWS events. This sort of system could potentially be offered as a remedy for failure to scram scenarios. It might, for example, be installed as an additional latch on the secondary control rod system.
This section makes no specific recommendation other than the retention of the CRBRP system, which is considered adequate. A decision to incorporate any additional system or systems would be founded on further analyses or be part of a settlement with the regulator.
endnotes
1 Pitterly, T. A., Lagally, H. O.; Review of FFTF and CRBRP Control Rod System Designs; October 4, 1977.
2 The same stuck rod criterion applied to the primary system as well.
3 The figure and much of the subsequent description is drawn from McKeehan, E. R., Sim, R. G.; Clinch River Breeder Reactor Secondary Control Rod System; US-ERDA/Japanese-PNC Working Group Seminar on LMFBR Components 12/5-8/1977; September 14, 1977.
4 Nuclear Engineering International; Fast Reactor Progress at Beloyarsk; 14 Jan. 2011
5 Dupen, C. F. G., Combustion Engineering Inc.; Self Actuated Shutdown System for a Commercial Sized LMFBR; Prepared for EPRI; August 1978
6 The levitated balls contained a neutron absorbing material, most likely boron. The idea behind the levitated balls concept was that they would be kept levitated by primary system flow. When flow dropped below some set level, they would fall into the active core region stopping the chain reaction.
7 Kubo, Shigenobu, Japan Atomic Energy Agency; A safety design approach for sodium cooled fast reactor core toward commercialization in Japan; IAEA Technical Working Group, Vienna, February 27-29, 2012
LMFBR.com 