reference 1, incorporates a natural circulation of heavy water driven by flashing to steam as the heavy water flows to an elevated heat exchanger. The heat exchanger is cooled in turn by a natural circulation flow of light water to a large reservoir.
Analysis has shown that this system can reject the moderator heat in a stable manner. As further confirmation, a full elevation, light water, 1/60th volume scaled test of the natural circulation heavy water loop has been carried out to verify the overall concept and the analysis. In particular, the stability of the flashing driven flow has been confirmed and will be reported in reference 2.
With careful attention to eliminating common mode failures in the shutdown systems, the heat transport system, the emergency core cooling system and the moderator system, the core melt frequency can be reduced to the point that core melt mitigation for events internal to the plant ceases to be a design concern. These same design provisions will form additional lines of defence for all but the most extreme external events as well.
Introduction
As in other pressurized water reactors, the primary accidents of concern for CANDU are those that involve a loss of coolant (LOCA), or failures in systems that could induce a LOCA (such as a loss of flow, loss of heat sink). For these accidents, the requirements of shutdown, cool, contain and monitor apply.
Where CANDU differs from standard pressurized light water reactor technology is primarily the design of the reactor core. The CANDU core design offers some unique possibilities for design of mitigating measures that are diverse in concept from the traditional technology.
These differences have been exploited to a degree in existing CANDU designs. For future designs, concepts are being developed to enhance system diversity to the point that core melt mitigation for internally caused events ceases to be a design concern.
Diversity in Current CANDU Designs
Contemporary CANDU reactor designs employ redundancy and a considerable level of diversity in the safety systems. Thus redundancy and diversity exist in the two shutdown systems. Both shutdown systems make use of the low-pressure moderator environment (the calandria) but shutoff rods enter the calandria from above whereas the poison injection system enters the calandria from the side, as shown in figure 1. Each system has its own initiating signals. For every postulated accident, there are normally two diverse signals on each shutdown system to trip the reactor for the complete range of initial operating conditions. Note that the two shutdown systems are passive in that no operator action and no external power are needed for shutdown action to occur.
TYPICAL ARRANGEMENT FOR ZONE CONTROL AND VERTICAL FLUX DETECTOR UNITS
FIGURE 1
CANDU CORE SHOWING SHUTDOWN SYSTEM ARRANGEMENT
Redundancy also exists in the emergency-core-cooling systems. In the event of a loss-of-coolant accident, the Emergency Core Cooling (ECC) system uses pressurized gas (or pumps in some plants) to inject light water into the heat transport system. The water is eventually recovered from a sump in the reactor building, cooled in a heat exchanger and pumped back into the heat transport system.
The low-pressure low-temperature moderator serves as a redundant and potentially diverse emergency-core-cooling system. Its availability during normal operation is apparent and it acts passively to accept heat from the fuel channels in an accident involving loss of coolant with loss of ECC. However, moderator heat rejection is currently done with electrically powered pumps and pumped cooling water. The electrical supply and cooling water system also serve the ECC. The common electrical supplies and cooling water limit the combined reliability of the emergency core cooling systems.
Core melt in CANDU can occur only with a loss of coolant (whether caused by pipe failure or a support system failure that induces loss of coolant by system overpressure and relief) with loss of ECC plus loss of the moderator heat sink. Common failures in these systems, e.g. loss of service water or electrical power to both the moderator and the ECC systems, are the main contributors limiting the core-melt frequency for internal events to about 4x10*
per year (ref. 3). While this core melt frequency meets targets set for advanced designs, the ability of the moderator to act as a heat sink provides the opportunity to progress further by eliminating common links between the moderator and other systems.
A conceptual CANDU design is under study which employs a conventional ECC system with a passive moderator heat rejection system. Thus passive design techniques are used to advantage in enhancing the diversity in the two core cooling systems.
Passive Moderator Heat Rejection
Progress on the passive moderator system development was last given in reference 1. Figure 2 illustrates the concept.
LEVEL 1 Steam generators boil stored water to the atmosphere via main steam safety valves (MSSV).
LEVEL 2 High-pressure injection followed by pumped recovery of emergency coolant. Heat transferred to pumped emergency water.
LEVEL 3 Moderator thermosyphons through heat exchanger. Heat transferred to water jacket.
WATER JACKET Containment wall contains water-filled annulus. Water thermosyphons through heat exchangers for level 3 cooling.
Heat transferred to air flowing upwards by natural convection.
CONTAINMENT LEVEL 2
Emergency Coolant Injection Emergency Water Supply Emergency Power Supply
Steel shell designed for pressure and temperature of large break.
FIGURE 2
CANDU EMERGENCY COOLING
The idea is to run the heavy water in the calandria at a temperature near the boiling point but to allow the water to flash to steam as it rises in a pipe from the calandria to an elevated heat exchanger. Subcooled heavy water would be returned to the calandria. The difference in density between the two-phase flow in the riser and the liquid in the downcomer would provide the buoyancy force to drive the flow.
Reference 1 gives results of simulations using the CATHENA transient thermalhydraulics code which demonstrate that the normal full power heat load to the moderator can be transferred in a stable manner with such a design. Note that the heat load to the moderator during a loss of coolant accident, with the reactor at decay power, is only 30% of normal full power moderator heat load.
More recently, further CATHENA simulations have been done at reduced powers. They show a flow oscillation at low power. Also, tests have been done in a full elevation loop having a scale of about 1/60 in power, volume and flow area. They confirm the CATHENA predictions. The tests will be reported in more detail in reference 2.
As power is increased, flashing is first observed in the transparent glass riser at upper elevations. The flow is oscillatory with the riser being liquid filled after the high-flow part of a cycle. No untoward effect of the oscillations is evident. As the power is increased, the oscillation amplitude decreases and the flow becomes stable. During a rapid increase of power, only one or two oscillations are seen as the flow overshoots before returning to the steady-state value. Thus the feasibility of the flashing-driven design is considered to be established both for the normal operating condition and for accidents.
Loss of Shutdown
As in other reactors, the CANDU reactor must be shut down following an accident so that the mitigating systems can deal with the consequences. The unique CANDU geometry has allowed the implementation of a second shutdown system which is diverse from the shutdown