Boiling water reactor safety systems


Boiling water reactor safety systems are nuclear safety systems constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.
Like the pressurized water reactor, the BWR reactor core continues to produce heat from radioactive decay after the fission reactions have stopped, making a core damage incident possible in the event that all safety systems have failed and the core does not receive coolant. Also like the pressurized water reactor, a boiling water reactor has a negative void coefficient, that is, the neutron output of the reactor decreases as the proportion of steam to liquid water increases inside the reactor.
However, unlike in a pressurized water reactor, which contains no steam in the reactor core, a sudden increase in BWR steam pressure will result in a sudden decrease in the proportion of steam to liquid water inside the reactor. The increased ratio of water to steam will lead to increased neutron moderation, which in turn will cause an increase in the power output of the reactor. This type of event is referred to as a "pressure transient".

Safety systems

The BWR is specifically designed to respond to pressure transients, having a "pressure suppression" type of design which vents overpressure using safety-relief valves to below the surface of a pool of liquid water within the containment, known as the "wetwell", "torus" or "suppression pool". All BWRs utilize a number of safety/relief valves for overpressure; up to 7 of these are part of the Automatic Depressurization System, and there are 18 safety overpressure relief valves on ABWR models, only a few of which have to function to stop the pressure rise of a transient. In addition, the reactor will already have rapidly shut down before the transient affects the reactor pressure vessel (RPV).
Because of this effect in BWRs, operating components and safety systems are designed with the intention that no credible scenario can cause a pressure and power increase that exceeds the systems' capability to quickly shut down the reactor before damage to the fuel or to components containing the reactor coolant can occur. In the limiting case of an ATWS (anticipated transient without scram) derangement, high neutron power levels can occur for less than a second, after which actuation of the safety relief valves (SRVs) will cause the pressure to rapidly drop off. Neutronic power will fall to far below nominal power even before alternate rod insertion (ARI) or standby liquid control system (SLCS) actuation occurs. Thermal power will be barely affected.
In the event of a contingency that disables all of the safety systems, each reactor is surrounded by a containment building consisting of steel-reinforced, pre-stressed concrete designed to seal off the reactor from the environment.
However, the containment building does not protect the fuel during the whole fuel cycle. Most importantly, the spent fuel resides for long periods of time outside the primary containment. A typical spent fuel storage pool can hold roughly five times the fuel in the core. Since reloads typically discharge one third of a core, much of the spent fuel stored in the pool will have had considerable decay time. But if the pool were to be drained of water, the discharged fuel from the previous two refuelings would still be "fresh" enough to melt under decay heat. However, the zircaloy cladding of this fuel could be ignited during the heatup. The resulting fire would probably spread to most or all of the fuel in the pool. The heat of combustion, in combination with decay heat, would probably drive "borderline aged" fuel into a molten condition. Moreover, if the fire becomes oxygen-starved, the hot zirconium would rob oxygen from the uranium dioxide fuel, forming a liquid mixture of metallic uranium, zirconium, oxidized zirconium, and dissolved uranium dioxide. This would cause a release of fission products from the fuel matrix quite comparable to that of molten fuel. In addition, although confined, BWR spent fuel pools are almost always located outside of the primary containment. Generation of hydrogen during the process would probably result in an explosion, damaging the secondary containment building. Thus, release to the atmosphere is more likely than for comparable accidents involving the reactor core.

Reactor Protection System (RPS)

The Reactor Protection System is a system, computerized in later BWR models, that is designed to automatically, rapidly, and completely shut down and make safe the Nuclear Steam Supply System if some event occurs that could result in inadvertent criticality. The RPS also initiates a trip when the reactor coolant pressure boundary, containment, or fuel is at risk. The RPS does not control Emergency Core Cooling Systems. However, the RPS does control primary containment isolation functions. It does not require human intervention to operate. However, the reactor operators can override parts of the RPS if necessary. If an operator recognizes a deteriorating condition, and knows an automatic safety system will activate, they are trained to pre-emptively activate the safety system.
If the reactor is at power or ascending to power, there are safety-related contingencies that may arise that necessitate a rapid shutdown of the reactor, or, in Western nuclear parlance, a "SCRAM". The SCRAM is a manually triggered or automatically triggered rapid insertion of all control rods into the reactor, which will take the reactor to decay heat power levels within tens of seconds. Since ≈ 0.6% of neutrons are emitted from fission products, which are born seconds or minutes after fission, all fission cannot be terminated instantaneously, but the fuel soon returns to decay heat power levels. Manual SCRAMs may be initiated by the reactor operators, while automatic SCRAMs are initiated upon:
  1. Turbine stop-valve or turbine control-valve closure.
     a. If turbine protection systems detect a significant anomaly, admission of steam is halted. Reactor rapid shutdown is in anticipation of a pressure transient that could increase reactivity.
     b. Generator load rejection will also cause closure of turbine valves and trip the RPS.
     c. This trip is only active above approximately 1/3 reactor power. Below this amount, the bypass steam system is capable of controlling reactor pressure without causing a reactivity transient in the core.
  2. Loss of off-site power
     a. During normal operation, the reactor protection system is powered by off-site power.
        i. Loss of off-site power would open all relays in the RPS, causing all rapid shutdown signals to come in redundantly.
        ii. It would also cause the MSIVs to close, since the RPS is fail-safe; the plant assumes a main steam break is coincident with loss of off-site power.
  3. Neutron monitor trips – the purpose of these trips is to ensure an even increase in neutron and thermal power during startup.
     a. Source-range monitor or intermediate-range monitor upscale:
        i. The SRM, used during instrument calibration, pre-critical, and early non-thermal criticality, and the IRM, used during ascension to power, middle/late non-thermal, and early or middle thermal stages, both have trips built in that prevent rapid decreases in reactor period when the reactor is intensely reactive without positive operator confirmation that such decreases in period are their intention. Prior to trips occurring, rod movement blocks will be activated to ensure operator vigilance if preset levels are marginally exceeded.
     b. Average power range monitor upscale:
        i. Prevents the reactor from exceeding pre-set neutron power level maxima during operation or relative maxima prior to positive operator confirmation of end of startup by transition of reactor state into "Run".
     c. Average power range monitor / coolant flow thermal trip:
        i. Prevents the reactor from exceeding variable power levels without sufficient coolant flow for that level being present.
     d. Oscillation Power Range Monitor
        i. Prevents reactor power from rapidly oscillating during low flow high power conditions.
  4. Low reactor water level:
     a. Loss of coolant contingency
     b. Loss of proper feedwater
     c. Protects the turbine from excessive moisture carryover if water level is below the steam separator and steam dryer stack.
  5. High water level
     a. Prevents flooding of the main steam lines and protects turbine equipment.
     b. Limits the rate of cold water addition to the vessel, thus limiting reactor power increase during over-feed transients.
  6. High drywell pressure
     a. Indicative of potential loss of coolant contingency
     b. Also initiates ECCS systems to prepare for core injection once the injection permissives are cleared.
  7. Main steam isolation valve closure
     a. Protects from pressure transient in the core causing a reactivity transient
     b. Only triggers for each channel when the valve is greater than 10% closed
     c. Some combination of valves may be closed and will not initiate a reactor scram.
  8. High RPV pressure:
     a. Indicative of MSIV closure.
     b. Decreases reactivity to compensate for boiling void collapse due to high pressure.
     c. Prevents pressure relief valves from opening.
     d. Serves as a backup for several other trips, like turbine trip.
  9. Low Main Steam Line Pressure:
     a. Indicative of a line break in the steam tunnel or other location which does not trigger high drywell pressure, or of a failing main turbine pressure controller.
     b. Closes the Main Steam Isolation Valves to halt the depressurization. This action would automatically initiate a scram signal on MSIV closure.
     c. Bypassed when the reactor mode switch is not in run mode to allow normal depressurization and pressurization during startup.
  10. Seismic event
     a. Generally only plants in high seismic areas have this trip enabled.
  11. Scram Discharge Volume High
     a. In the event that the scram hydraulic discharge volume begins to fill up, this will scram the reactor prior to the volume filling. This prevents hydraulic lock, which could prevent the control rods from inserting. This is to prevent an ATWS. This trip was implemented due to the Browns Ferry ATWS.