DESIGN PHILOSOPHY OF PFBR SHUTDOWN SYSTEMS V. RAJAN BABU, R. VIJAYASHREE, S. GOVINDARAJAN, G. VAIDYANATHAN, G. MURALIKRISHNA, T.K. SHANMUGAM, S.C. CHETAL, K. RAGHAVAN, S.B. BHOJE Indira Gandhi Centre for Atomic Research, Department of Atomic Energy, Tamil Nadu, India Abstract This paper presents the overall design philosophy of shutdown system of 500 MWe Prototype Fast Breeder Reactor (PFBR). It discusses design criteria, parameters calling for safety action, different safety actions and the concepts conceived for shutdown systems. In tune with the philosophy of defence-in-depth, additional passive shutdown features, viz., Self Actuating Device (SADE) and Curie Point Magnetic (CPM) switch and protective feature like absorber rod Stroke Limiting Device (SLD) are contemplated. It also discusses about suitability of Gas Expansion Module (GEM) as one of the safety devices in PFBR. 1, INTRODUCTION Prototype Fast Breeder Reactor (PFBR) is a 500 MWe, mixed oxide fuelled, sodium cooled pool type reactor. It consists of two primary sodium pumps and four IHX and two secondary Joops each loop having one sodium pump and four integrated steam generator modules. Two important aspects on which safety of the reactor depends are the reliability of shutdown systems and the reliability of decay heat removal systems, All engineered safeguards are well tuned towards this objective. Overall reliability of siutdown systems, of course, depends upon the well conceived design, manufacture, quality control, prototype testing, on-line monitoring and surveillance. 2. DESIGN CRITERIA FOR SHUTDOWN SYSTEM Broad guidelines for design of shutdown system are as follows: + Atleast two reliable, independent, automatic, fast acting shutdown systems shall be provided operating on diverse principles. Atleast one of the systems shall meet all functional requirements even in case of postulated core deformation, The reliability of each system shall be such that its non-availability is less than 10° per reactor year and the overall non-availability of the two systems shall be less than 10 per reactor year. + The design shall provide sufficient redundancy so that failure of a single most effective absorber rod of a shutdown system shall not result in impairment of that system to an extent that it will not meet the mininmum specified requirements of negative reactivity. ‘+ One of the shutdown systems could be used for reactivity control. However, while doing so, its fanctional capability to shutdown the reactor shall not be jeopardised. 81+ The reactivity worth, speed of action and delay in actuation of each shutdown system shall be such that during all operational states and postulated accident conditions of the reactor, including the most reactive state of the core, - the reactor is rendered sufficiently subcritical and maintained subcritical under cold condition, taking into account uncertainties in the neutronic calculations/measurements, ~ the specified fuel design limits are not exceeded, - the reactor coolant system design limits are not exceeded. + The total reactivity worth of the shutdown systems shall be such that in the shutdown state, with all absorber rods in the core, the reactor shall be subcritical with kenot more than 0.95 such that the reactor remains subcritical under postulated fuel handling errors (e.g, replacement of the most reactive absorber rod by most reactive fuel sub-assembly, removal of absorber rods). + The availablity of safety support systems necessary for actuation of a shutdown system shall be commensurate with the availability requirements of the shutdown system. + All equipment shall be designed such that its probable failure modes will not result in an unsafe condition. + The design shall be such that all maintenance and availability testing which may be required during reactor operation can be carried out without a reduction in the effectiveness of each system below the minimum allowable requirements, + The design shall be such that each shutdown system can be actuated manually from the main and emergency control rooms. + The design shall be such that it is not readily possible for an operator to prevent a safe automatic action from taking place. + The control logic of the absorber rods and their drive mechanisms shall be designed to prevent unintended movement in the directions which add reactivity. + Maximum reactivity worth of an absorber rod, together with its maximum possible withdrawal speed, shall be limited such that the fuel, coolant and cladding design limits are not exceeded in the event of uncontrolled withdrawal of the rod. CONCEPTS CONCEIVED FOR SHUTDOWN SYSTEM Reactor safety is assured by two independent, fast acting, diverse shutdown systems, each comprising of sensors, logic circuits, drive mechanisms and absorber rods. Type-A system consists of a bank of 9 absorber rods while the Type-B system consists of a bank of three absorber rods. Type-A is for reactivity control as well as for reactor shutdown, whereas Type-B is only for reactor shutdown, Each rod is operated by an individual mechanism in-line with the 10d. Their disposition is shown in Fig. 1. In both the systems, shutdown of reactor is achieved by dropping the absorber rods by gravity. But the scram release Electromagnet (EM) of Type-A system is housed in upper part of mechanism above top of control plug and in argon atmosphere, whereas that of Type-B system is at lower end of mechanism immersed in primary sodium hot pool near the top of sub-assemblies. Details of these shutdown mechanisms and absorber rods are dealt with separately in another paper [1]. 82al | “| | Gz flo 9)9 gals ls Bo a4 38 , lelelo}mleialalals|elsia 3 (8/8 8/8] 8/2] 8) 8/8) 3 $ S 2/8 | | | | z 3/2! a al: lo 9/2] | = Q| |G /9/e) a al*) lZe) [sigs a g 2/9) |S/z/2/e 2 al |e) 1 3/5 a ale Zizlwiciil3 s alE] j«jeSletzi oe a als 2 Ela/SiF olElS| (Sle slel2/aie slelelz 2/8/5/5/5/2 SIEGE S|.) [Ss ole alas g/2/8 @) S/S} o]@) a) w fZ}5/°]8] ald alzlg £1E/Selslb/<|z)a)y/ 2/9) = e ) 212) <| | 4/3) a) 5) 4) alal $}S/ 2] aloe lala za} 2] 8] 2] 8) oS) a] 2] BI oI S/Slz1g 4 2) 8) S) | 2l2)E|Slal dla) ale|S/a)0 3]. £ |e @| 0) @|@| 9) 01a) 8) a | FIG. 1. PFBR core configuration. 83Triplicated sensors are used to measure parameters important to reactor safety and are connected by a '2 out of 3' coincidence logic to the reactor protection system. A hot standby channel aids in maintaining the '2 out of 3' coincidence logic. Selection of parameters is based on the well developed concepts of diversity. Physical separation of redundant channels of the safety system is proposed. The routing of redundant signals will be physically independent. ‘Two independent Reactor Protection Logic Processing Systems are provided. One system will be based on hard wired solid state logic circuits working on pulse coding mode, whereas the other system will have either relay logic or two microprocessors one aching standby to the other for logic functions. Protection systems will have facility for on-line testing, wherever needed, without causing safety action. 4, PARAMETERS CALLING FOR SAFETY ACTIONS & TYPES OF SAFETY ACTIONS Depending upon the nature of fault, the reactor protection system is designed to initiate two types of safety actions on the reactor; a gradual shutdown and a fast shutdown, The gradual shutdown is effected by Lowering of Rods (LOR) and the fast shutdown (Scram) is effected by sinmultaneously dropping all the absorber rods from their existing positions into the reactor core. ‘The important parameters calling for safety actions are given in Table I TABLE I. PARAMETERS CALLING FOR SAFETY ACTIONS No PARAMETER SAFETY ACTION LOR SCRAM 1 | High Neutron Flux in start-up range - yes 2 | Short period in start-up range - yes 3 | High Neutronic Power (Log P) - yes 4 | High Neutronic Power (Lin P) - yes 5 | Short period in power range D yes 6 | High reactivity in core - yes 7 | Deviation of temperature rise for each yes yes sub-assembly from the calculated temperature rise for that power 8 | Deviation from mean core outlet temp. yes yes 9 | Deviation from mean gradient temperature yes yes 10 | DND (bulk) due to Fuel clad failure - yes 11 | Earthquake horizontal acceleration = X component - yes - ¥ component : yes 12 | Power/Primary flow rate yes yes 13. | Primary pump trip yes - 14 | Secondary pump trip yes - 15 | Feed water pump trip yes - 16 | Loss of electric power yes yes 17 | Turbine trip yes - 18 | Water/steam leak into sodium in SG yes - 19 | OR ineffective : yes