Home Energy Physics Nuclear Power Electricity Climate Change Lighting Control Contacts Links


XYLENE POWER LTD.

FNR SAFETY

By Charles Rhodes, P.Eng., Ph.D.

INTRODUCTION:
The issue of safety in advanced reactors is broadly discussed in the 2012 report titled:
Overview of Generation IV (Gen IV) Reactor Designs //Safety and Radiological Protection Considerations.

In Canada nuclear safety matters are regulated by the Canadian Nuclear Safety Commission (CNSC). The main regulatory document is the Canadian Nuclear Safety and Control Act. The FNR discussed herein is intended to fall under the regulatory category of Small Modular Reactor (SMR) with an electricity output of less than 300 MWe.

Elsewhere on this website Fast Neutron Reactors (FNRs) have been identified as the only sustainable, reliable and economic solution to meeting mankind's energy and power requirements. This web page focuses on FNR design parameters that are necessary to achieve inherent safety. FNRs must be designed so that they can be safely installed, operated and economically maintained at both urban sites and in small remote communities where there is limited availability of skilled personnel.

Pool type FNRs are inherently much safer than thermal neutron reactors because:
a) In a pool type FNR there is no high pressure containment of radio isotopes;
and
b) The maximum thermal power of a FNR is limited by passive reactor fuel average temperature control, as compared to thermal neutron reactors where there is no comparable limit on the maximum reactor thermal power.

The FNR design discussed herein has extraordinary tolerance to minor excursions into the condition of prompt neutron criticality. This feature ensures that the FNR is safe for autonomous operation at an urban site. However, the regulations relating to this matter have yet to be developed with CNSC. This issue involves multiple proprietary matters and is a work in progress.

In normal FNR operation there is seldom any cause for maintenance personnel to enter the FNR primary sodium pool enclosure. The FNR relies on passive physics to maintain its temperatrure setpoint, can be remotely monitored and can be partially or entirely shut down via safety system control, local control or remote control.
 

FNR TEMPERATURE STABILITY:
In a FNR the nuclear chain reaction progresses through successive neutron generations very quickly, so the neutron concentration and hence the reactor thermal power can potentially grow or decay equally quickly. It is important to design a FNR such that at a constant temperature setpoint and a constant thermal load its neutron concentration remains stable in all credible circumstances. In normal operation a FNR should maintain its fuel setpoint temperature without any reliance on an external control system. Delayed neutrons in a FNR prevent wide thermal power excursions when the fuel geometry, primary coolant temperature or primary coolant flow in a stable FNR are slowly changed.

FNRs derive their safety by operating in circumstances where the reactor thermal power versus average fuel temperature characteristic has a strong negative slope. This safety characteristic is near optimal when about half of the fission neutrons formed in the core zone diffuse out of the core zone and are absorbed by adjacent blanket zones. The design of a FNR fuel assembly should closely adhere to this safety principle.

FNRs should be always be operated in circumstances where coolant boiling cannot occur. Coolant boiling causes coolant voids which will increase reactor reactivity and reduce the fuel cooling rate, causing uncertainty with respect to the reactor opeaqting parameters.

A FNR should have passive features that limit the rate of change of fuel geometry, the maximum deviation of the primary coolant temperature from the reactor setpoint and the maximum thermal load regardless of operator or power level programming error.
 

FNR POWER SURGE PROTECTION:
It is necessary to ensure that any credible coolant temperature or coolant flow will not cause a local reactor heat flux in excess of the fuel tube material rating.

Likewise it is necessary to ensure that a FNR will not have an uncontrolled thermal power surge due to an unplanned change in its fuel or coolant geometry caused by any credible earthquake, aircraft impact, overhead crane failure or structural failure.

A FNR should use fuel designed such that in prompt neutron criticality instantaneously disassembles within each fuel tube to suppress the prompt critical condition.
 

NON-NUCLEAR MAINTENANCE:
On-site personnel are required to do periodic routine non-nuclear preventive maintenance on the secondary sodium heat transport system, turbo-generators, condensers, cooling towers and related mechanical and electrical equipment and to make repairs as necessary. However, this equipment should not involve any radioactivity. There is sufficient redundancy in the FNR support equipment that some of the heat transport systems can be shut down for maintenance or repair while others remain in operation. Thus the only reasons for keeping staff on the reactor site 24/7 is compliance with steam power plant regulations and maintenance of site security.
 

FNR POWER CONTROL:
For safe power control FNRs rely on thermal expansion of reactor fuel to reduce the local reactivity and increase the fraction of fission neutrons that diffuse into the reactor blanket zone and hence reduce the thermal power output as the fuel temperature increases. The reactor core zone fuel geometry is slowly adjusted to change fuel average temperature setpoint or to cause a cool or cold reactor shutdown.

One of the reactor design issues is prevention of sodium void instability. Formation of sodium voids will potentially increase the local reactivity. At all reactor operating states the decrease in reactivity due to an increase in fuel temperature must exceed the increase in reactivity due to void formation. The tendency for void formation is related to the local sodium temperature, the sodium temperature distribution in the reactor and the sodium hydraulic head. The reactor must not rely on any mechanical pumping mechanism for preventing formation of sodium voids. Typically this condition is achieved by operating the sodium far below its boiling point. The sodium boiling point is raised by use of a significant sodium head pressure in the reactor core zone. The reactor peak power must never be so large as to enable sodium void formation. Reactor power peaks tend to occur at times when the average fuel temperature setpoint is being increased.

One of the issues in FNR design is ensuring that no matter what adverse circumstances occur on loss of station power the reactor fails into a safe cold shutdown state.

Note that once the primary liquid sodium has significantly cooled the average fuel temperature setpoint must be slowly raised before re-establishing reactor operation.
 

ACCIDENT DESIGN BASIS:
From a licensing point of view the FNR design must meet all the severe accident events covered in the design basis for the site. Events that can occur together must also be considered.

For example if a FNR enclosure is hit by a large aircraft the resulting change in FNR fuel geometry must not cause a prompt critical condition. A FNR must also withstand earthquakes and tornados that cause electricity transmission poles to become missiles. The list of possible hazards also includes potential internal plant accidents like sodium fires, hydrogen fires, main steam line breaks and associated pipe whip and steam turbine disintegration, etc.

The Darlington safety report is likely available to the public at the CNSC library in Ottawa and should contain a list of all the design basis accidents.
 

FNR SAFETY CONDITIONS:
There are at least 15 safety related conditions that must be maintained at all times by liquid sodium cooled FNRs:
a) Certain water exclusion;
b) Certain air exclusion;
c) Certain primary liquid sodium containment and level maintenance;
d) Certain primary sodium temperature setpoint range constraint;
e) Certain primary sodium fire prevention and suppression;
f) Certain fuel geometry stability and avoidance of prompt neutron criticality;
g) Certain safe fuel disassembly in the event of prompt neutron criticality;
h) Certain nuclear reaction warm, cool and cold shutdowns;
i) Certain fission product decay heat removal;
j) Certain tolerance of intermediate heat exchanger and steam generator tube failures;
k) Certain secondary sodium fire tolerance and suppression;
l) Certain earthquake tolerance;
m) Certain resistance to external missle attack;
n) Proliferation resistance;
o) Resistance to Murphy's Law.

The FNR described herein is designed to ensure compliance with each of these conditions.
 

WATER EXCLUSION:
Certain water exclusion is realized first by FNR siting at a sufficient elevation that the FNR can never be exposed to flood water. In addition there are four concentric barriers (the external concrete wall and three nested steel cups) that will exclude ground water from the primary liquid sodium. Furthermore no water or water pipes are permitted within the primary sodium pool enclosure. Steam generator drainage and secondary sodium drain down into dump tanks prevents water entering the primary sodium enclosure via a rupture in the steam generator heat exchange tubing. A sump pump expels water from the reactor enclosure foundation.
 

AIR EXCLUSION:
There are two concentric interior reactor roofs and side walls intended for ongoing argon inclusion and air exclusion. The outside structural wall and roof protect the two interior gas barriers. When the liquid sodium is cool its surface can be isolated from air by flooding the surface with kerosene. The paths between the argon filled spaces and the air filled spaces are isolated by argon-vacuum-air locks. The argon pressure is maintained at one atmosphere via the use of large argon containment bladders located within adjacent silos. A dual on-site cryogenic facility provides on going argon-air separation.
 

PRIMARY LIQUID SODIUM CONTAINMENT AND LEVEL MAINTENANCE:
The primary liquid sodium is contained within three cylindrical nested open top steel cups. The innermost cup is 16 m high X 20 m diameter. The middle cup is 17 m high X 22 m diameter. The outer cup is 18 m high X 24 m diameter. The 1 m wide spaces between the cups are filled with fire brick. The fire brick is chosen such that if immersed in liquid sodium it will displace at least 50% of its own volume.

In the event that the inner two cups both fail liquid sodium will flow into the space occupied by all of the fire brick. If the fire brick displaces a volume of sodium equal to 50% of the fire brick volume the volume available for potential sodium occupancy up to 4 m below the normal sodium level is:
{Pi (12 m)^2 (13 m) - Pi (10 m)^2 (11 m)} (.50)
= Pi (1872 m^3 - 1100 m^3)(.50)
= 1212.65 m^3

The volume of liquid sodium available to fill this space while keeping the intermediate heat exchange tubes at least 2 m immersed in liquid sodium is:
Pi (10 m)^2 (4 m) = 1256.63 m^3

Hence as long as the outer most steel cup holds there is sufficient fire brick to prevent the sodium level in the innermost cup falling by more than 4 m. Thus:
6 m - 4 m = 2 m
of heat exchange tube remain immersed in the liquid sodium for decay heat removal.
 

NUCLEAR REACTION SHUTDOWN:
Engineered nuclear reactor safety shutdown systems operate on the principle that in addition to the normal control system which realizes a warm shutdown under no thermal load there should be two fully independent and redundant safety shutdown systems, either of which can cause a reactor shutdown.

For each of the two safety shutdown systems there are independent mechanical and electronic constraints on the temperature setpoint and its rate of change. There are also independent position, temperature and gamma ray sensors that via an independent control can over ride other setpoiint control signals to force a reactor cold shutdown.

For public safety each of the afore mentioned safety systems should be continuously monitored and periodically tested to ensure that they will reliably function as designed if required.

These two safety systems are backed up by physical barriers. To cause a hazard to the public the fuel geometry adjustment system, both safety systems and the physical barriers must all simultaneously fail. To cause a hazard to service personnel maintaining or testing one safety system the other safety system must simultaneously fail.

Complete functionality of these safety systems is an essential condition for safe unattended FNR operation.

Generally there is a requirement for service personnel to periodically physically confirm the proper operation of each safety system. Provided that these scheduled checks are performed and if necessary any defective devices are promptly repaired or replaced, the probability of the multiple safety shutdown systems failing simultaneously is less than microscopic.
 

TEMPERATURE AND GAMMA OUTPUT LIMITING:
For each of the two safety shutdown system there are independent mechanical and electronic constraints on the fuel average temperature setpoint and its rate of change. There are also independent position, temperature and gamma ray sensors that via an independent control can over ride other setpoiint control signals to force a reactor cold shutdown.

The insertion rate of movable fuel bundles into the matrix of fixed fuel bundles is both physically and electronicly limited to prevent fuel over heating and to prevent approach to prompt neutron criticality.

The fuel bundle geometry in a FNR is mechanically stable. The working temperature of each fuel bundle is kept sufficiently low that the fuel bundle geometry cannot become unstable via fuel melting, structural melting or sodium boiling due to the large temperature differences between the material operating temperatures and their melting and boiling points.

Due to the lower boiling point of sodium at the primary liquid sodium surface sodium vapor bubbles will start to form if the liquid sodium surface temperature rises above 870 degrees C. Under those circustances liquid sodium boiling in the core zone is prevented by the liquid sodium static head pressure in the core zone. Due to the liquid sodium static head pressure sodium vapor bubbles will not form in the reactor core zone until the sodium temperature in the core zone reaches about 960 degrees C. The appearance of sodium vapor bubbles on surface of the primary sodium pool gives early warning of serious previously undetected local overheating in the core The temperature of the sodium inside an indicator tube is a reliable but somewhat delayed indication of the liquid sodium temperature at the corresponding fuel bundle discharge. An increasing liquid sodium temperature in the core zone reduces the reactor reactivity.
 

PROMPT NEUTRON CRITICALITY:
For nuclear reactors at urban sites the single biggest risk to the public is a circumstance that might cause a major reactor explosion due to prompt neutron criticality. The best defense against prompt neutron criticality is to understand its causes, to be aware of the potential danger and to prevent it occurring.

To obtain an explosion it is necessary to cause a reactor to rapidly become super critical on prompt neutrons. Delayed neutrons are too slow to sustain the rapid power rise needed for an explosion.

Fast neutrons are high energy neutrons (~ 20,000 km/s),
- prompt neutrons are fast neutrons that come directly from a fission reaction;
- delayed neutrons are fast neutrons emitted from the fission fragments. On they are emitted a few seconds after the corresponding nuclear fission. Delayed neutrons make it possible to design and control both thermal neutron and fast neutron power reactors.
- thermal neutrons are low energy neutrons (2 km / s) that have been slowed down by scattering by low atomic weight moderator materials.

Above the prompt-critical point reactor power rise can occur quickly with thermal neutrons and even faster with fast neutrons. Power rises with thermal neutrons are slow enough to give the reactor time to structurally disintegrate before reaching energy levels that are associated with nuclear explosions. Structural disintegration causes the reactor to become sub-critical which causes the power rise to stop.

A FNR is unique in that it can safely manage small prompt critical excursions. In a FNR a rapid power rise due to a small prompt critical excursion blows the core fuel apart longitudinally in less than 10^-4 s thus causing the reactor to become sub-critical before the power rise is sufficient to cause physical damage.

FNRs are the only type of reactors that have been tested under full power with sudden loss of cooling and simultaneously under conditions in which control rods have been deliberately inactivated to prevent automated control feedback. The FNR intrinsically adjusted power levels to zero within 5 minutes. This type of test was carried out on the EBR-2 reactor almost 50 times with no damage to the reactor nor to any component, with the reactor being powered up again the same day.

In a FNR core fuel thermal expansion and delayed neutrons are the only safeguards against uncontrolled rapid power rise. Hence it is crucial that the design of fast neutron reactors ensures that transients or accidents can not cause strong prompt neutron super-criticality. In prompt neutron criticality the rate of power rise is proportional to the degree of super-criticality and inversely proportional to the neutron transit time T between successive fissions. This time T is given by:
T = 1 / [Vn Sigmafp Nfp]
where:
Vn = neutron velocity
Sigmafp = fast fission cross section of Pu-239 atoms
Nfp = average concentration of Pu-239 atoms in the reactor core

En = neutron kinetic energy
= 1.67 X 10^-27 kg X Vn^2 / 2
= 2 X 10^6 eV X 1.6 X 10^-19 J / eV
giving:
Vn = [(2 En) / (1.67 X 10^-27 kg)]^0.5
= [(6.4 X 10^-13 J) / (1.67 X 10^-27 kg)]^0.5
= 1.96 X 10^7 m / s

Sigmafp = 1.7 b
= 1.7 X 10^-28 m^2

From the web page titled: FNR CORE
Nfp = 1.616 X 10^27 Pu atoms / m^3
giving:
T = 1 / [Vn Sigmafp Nfp]
= 1 / [(1.96 X 10^7 m / s) (1.7 X 10^-28 m^2) (1.616 X 10^27 / m^3)]
= 1 s / [5.3845 X 10^6]
= 0.1857 us
= 185.7 ns.
 

At a prompt neutron growth rate of 1.001 / neutron cycle the number of cycles N required for the neutron flux to double is given by:
(1.001)^N = 2
or
N Ln(1.001) = Ln(2)
or
N = Ln(2) / Ln(1.001)
= 0.69314 / 9.995 X 10^-4
= 693.5

Thus at a neutron growth of 1.001 / cycle the fission power will double in:
693.5 X 185.7 ns
= 128,790 ns
= 128.8 us
= 0.129 ms
which is comparable to the time required for gun powder to burn in a gun.

Thus as long as the degree of prompt neutron supercriticality in a FNR is small the dynamics of the core fuel are comparable to the dynamics of a bullet in a gun. In the event of prompt neutron criticality the Cs and Na in or adjacent to the core fuel vaporizes blowing the core fuel of the fixed fuel bundles into the fuel tube plenums. This fuel disassembly instantly reduces the reactor reactivity, suppressing the prompt neutron critical condition. On cooling gravity restores the core fuel geometry.

A well known case of prompt neutron criticality in a thermal neutron nuclear power reactor was in 1986 at:
Chernobyl

A good description of the safety measure failures that led to the accident at Chernobyl and the corresponding preventive safety measures used in CANDU reactors is contained in a report titled:
Chernobyl - A Canadian Perspective
 

POTENTIAL CAUSES OF PROMPT NEUTRON CRITICALITY:
In a FNR there are several possible ways that prompt neutron criticality might occur.

1) Reactor power instability.

2) Too rapid changes in fuel geometry.

3) Insufficient enclosure structural integrity.

4) Sudden large drop in reactor core zone coolant inlet temperature. This issue can be mitigated via a sufficient thermal mass to ensure a gradual change in core zone local reactivity as a function of position.

5) Insufficient earthquake tolerance.

6) Insufficient Murphy's Law tolerance.
 

REACTOR POWER STABILITY:
If there is too much time and inappropriate negative feedback between a step increase in reactor power and the corresponding corrective decrease in FNR reactivity the reactor power might oscillate in a manner such that the oscillations grow to the point of exceeding the prompt neutron criticality threshold. The reactor physical parameters must be chosen to ensure that such thermal power oscillation cannot occur.

In this matter it is important to limit the combined length of the core fuel rods.

There is an inherent time delay between a step change in reactor power and the corresponding change in reactor reactivity. The reactor physical parameters must be chosen so that the reactor will not power oscillate regardless of the amount of mobile fuel bundle insertion into the fixed fuel bundle matrix.

The change in local reactivity with temperature occurs as a result of thermal expansion of the fuel, iron, chromium and sodium. The thermal expansion of the fuel occurs almost instantly but it takes a finite time for an injected heat pulse to propagate from the fuel to the surrounding materials.

The FNR design presented on this web site uses solid fuel and fuel tubes to maintain a fixed fuel geometry during an Earthquake.
 

TOO RAPID CHANGES IN FUEL GEOMETRY:
A too rapid change in fuel geometry could be caused by too rapid insertion of movable fuel bundles into the matrix of fixed fuel bundles. Too rapid movable fuel bundle insertion can be prevented by using appropriate mechanical speed limits. If the maximum safe mobile fuel bundle insertion depth is exceeded redundant safety systems should use gravitational withdrawal of other mobile fuel bundles to force an immediate reactor cool shut down.

There is a transition region between a reactor being critical with delayed plus prompt neutrons and being critical with just prompt neutrons. A FNR should be fabricated and operated such that it physically cannot cross that transition region. A key issue is time. If the change in reactor fuel geometry is slow enough the heat released while under control by delayed neutrons should induce sufficient negative reactivity to prevent further approach to the prompt critical condition. In a FNR controlled by the fuel temperature this feedback is almost instantaneous. The danger lies in reactor reactivites that are outside the available temperature control range.

A key issue in this respect is fuel geometric stability. With Pu-239 fuel the time required for a 0.2% increase in reactivity due to a change in fuel geometry must be long compared to 3 seconds. Liquid fissile fuels are potentially very dangerous because liquids can develop cavitation, vorticies, or surface waves that can change the reactor reactivity by more than 0.2% in a time period which is short compared to 3 seconds. It is much safer to use physically stable solid fuel as contemplated for this FNR.
 

LOADING AND UNLOADING FUEL BUNDLES:
It is important to never let the fuel assembly accidentaly go critial. In loading fuel bundles into the primary sodium pool each movable bundle should be installed in the fully withdrawn position before installing its surrounding fixed fuel bundles. Similarly the fixed fuel bundles surrounding a movable bundle should be removed before extracting the corresponding movable fuel bundle. That strategy ensures that the fuel assembly will not accidently go critical due to pulling a movable fuel bundle right through a matrix of adjacent fixed fuel bundles.
 

CORE FUEL MELTING PROTECTION:
A relevant paper about a comparable liquid sodium cooled reactor with metallic fuel is S Prism Reactor Margin To Accidents
 

ENCLOSURE STRUCTURAL INTEGRITY:
A prompt critical condition might be caused by a reactor enclosure collapse which crushes the fixed active fuel bundles. For example, a falling crane or a large airplane impact which causes collapse of the reactor enclosure.

A FNR enclosure must be designed such that a structural collapse sufficient to cause crushing of the fixed fuel bundles is not a credible risk. The reactor enclosure outside walls should be protected against an external aircraft or missle impact by bed rock, earth embankments or adjacent structures such as cooling towers. The reactor enclosure roof must be structurally sufficiently robust to safely absorb the impact of a diving aircraft or a falling crane. The reactor roof structure should contain impact absorbing material, such as steel cable woven analogous to the fiber in a bullet proof vest, to safely distribute over the roof area the impact force of any credible projectile. If the impact causes pieces to break off the outer roof the inner roof must prevent the broken pieces falling on to and damaging the reactor. The outer roof structure should be comparable in strength to a highway overpass.

The inner ceiling immediately above the reactor should be made of light weight materials that, if they fell on the reactor fuel assembly, are not sufficiently heavy to significantly change the geometry of the matrix of fixed fuel bundles. The impact of the material fall would be mitigated by the top 6 m of liquid sodium. The hydraulic pressure wave resulting from the impact would accelerate withdrawal of the mobile fuel bundles. The fixed fuel bundle plenums would provide additional shock absorption.

The external enclosure must also protect the reactor from the large liquid hydrocarbon fuel fire that might accompany the crash of a large airplane.

An important issue in earthquake protection is bolting the fixed fuel bundles together to form a rigid matrix. We do not want liquid sodium sloshing back and forth to change the fuel assembly geometry and hence its reactivity.
 

LARGE DROP IN REACTOR CORE ZONE INLET TEMPERATURE:
In a FNR the reactivity increases with decreasing fuel temperature. Depending upon the fuel material distribution if the primary sodium temperature entering the reactor core zone drops too quickly the resulting increase in heat flux might melt the fuel on its cenerline, vaporize the internal liquid sodium or damage the fuel tubes. It is essential to have sufficient coolant thermal mass to prevent sudden major coolant temperature drops that might lead to fuel melting or prompt neutron criticality.

Since the change in reactor reactivity with a change in temperature is negative the reactivity cannot grow due to a coolant temperature rise.

A large FNR with a 1.7 m wide liquid sodium guard band contains a lot of heat stored in its primary liquid sodium pool. Hence it can load follow using some of that stored heat without any rapid change in the reactivity of its fuel assembly. The change in reactor thermal power output can take many minutes whereas the rate of heat transfer out of the primary sodium pool can change by a similar fraction in a few seconds.
 

CERTAIN FISSION PRODUCT DECAY HEAT REMOVAL:
For each FNR there are at least four independent passive heat removal systems any one of which can reliably and safely remove the fission product decay heat.

Under the circumstances of a double liquid sodium containment wall failure the heat transfer capacity of each heat transfer system might fall by a factor of three. However, we only need (1 / 12) of the entire heat transfer system capacity to remve fission product decay heat. Thus in order to reliably remove fission product decay heat it is essential that (1 / 4) of the total reactor heat transfer capacity must continue to function so that under the adverse condition of a double sodium containment wall failure the remaining certain heat transfer capacity is:
(1 / 3)(1 / 4) = (1 / 12)
of system full power heat removal capacity. Hence for maximum reliability there should be at least four independent passive heat removal systems, any one of which can reliably remove the fission product decay heat.
 

TOLERANCE OF HEAT EXCHANGE TUBE FAILURES:
A practical FNR involves many thousands of intermediate heat exchange tubes. Sooner or later one or more of these tubes will fail. Each secondary sodium system has the following features:
1) The secondary sodium loop components are all rated for a working presure of 6 MPa and are safety tested to 9 MPa;
2) There are sodium level sensors consisting of a long thin coils of nichrome waire suspended from an insulated feed through in an argon filled head space. The electrical resistance of this coil to ground decreases as the sodium level increases.
3) There are sodium level sensors in both the dump tank and the overhead argon/hydrogen gas space.
4) The secondary sodium loop normally operates at about 0.1MPa.
5) If there is a leak in the intermediate heat exchanger the sodium level in the dump tank will decrease and the secondary sodium level will decrease.
6) If there is a leak in a steam generator tube the argon + hydrogen pressure in the hydrogen vent will increase while the sodium level decreases.
7) The trigger for venting and draining the shell side of the steam generator to the dump tank is a significant increase in pressure over the secondary sodium loop.
8) If the secondary sodium pressure rises to 0.2 MPa the steam generator vent and drain system is tripped. Then the steam generator shell side pressure goes very high to discharge hydrogen gas after which the gas pressure starts to decrease.
9) Meanwhile water is flowing into the secondary sodium loop. The water causes immediate hydrogen production which raises the pressure in the secondary sodium circuit. Hydrogen bubbles rise and the water sinks in the secondary sodium. The increase in pressure slows further water flow into the secondary sodium. 10) The water that initially flowed into the secondary sodium circuit sinks in the sodium and continues to make hydrogen. The pressure in the secondary sodium circuit now rapidly rises. 11) There is a dump tank for each heat transport loop. Each dump tank has sufficient volume to accommodate all the sodium in its sodium circuit. If the argon pressure over a dump tank is released the secondary sodium will drain down into that dump tank.
12) The secondary sodium systems are vented to above the roof by vents fitted with rupture disks, centrifugal sodium separators and gravity operated ball check valves. The vent must be sufficiently high that entrained sodium in the exhaust hydrogen cannot start a roof fire.
13) The dump tanks are normally filled with 0.2 MPa argon. Hence if there is a steam generator tube leak which causes the secondary sodium pressure to increase the secondary sodium will drain down into a secondary sodium dump tank.
14) Before the rupture disks of #12 above fail the steam generator shell side argon/hydrogen pressure is vented to the atmosphere, the steam generator water injection is stopped and the steam generator is drained. The object is to minimize the mass of water that can leak into the secondary sodium circuit via the steam generator tube failure. As soon as there is some water in the secondary sodium circuit it will release hydrogen gas which will increase the pressure in the secondary sodium circuit. This increase in pressure will slow further flow of water into the secondary sodium circuit. However, that action will stop when the rupture disks open. Hence the initial pressure in the secondary sodium circuit and the volume of the expansion space are important because the time necessary for the secondary sodium pressure to rise provides time necessary for draining the steam generator lower manifold.
15) An important issue is to rapidly drain water out of the lower manifold to prevent that water continuing to flow into the secondary sodium via the heat exchange tube break. Hydrogen forming in the secondary sodium circuit will tend to increase the pressure in that circuit, which will tend to drive sodium back into the steam generator heat exchange tubes. However, once the ball check opens the secondary sodium pressure will fall and when that occurs it is essential that the steam generator lower manifold be empty of water.
16) In order to service the secondary sodium loop the contents of the intermediate heat exchanger must be transferred to the dump tank.
17) After repair the secondary sodium loop must be refilled from the bottom and then the argon charge must be replaced. Sodium and argon are inserted via the dump tank. Argon is also inserted via the hydrogen vent. The intermediate heat exchange bundle has a thin drain tube connected to its bottom. Then an overhead argon pressure permits draining the liquid sodium from the heat exchange bundle.
18) In summary any significant change in either the sodium level or the secondary sodium loop pressure is indicative of a serious problem. The sodium level as a function of time in both the expansion tank and the dump tank should indicate the nature of the problem.
19) On a steam generator tube rupture initially water flows from the steam generator into the secondary sodium which almost instantly raises the sodium pressure to 5 MPa. This transient high pressure should trip the steam generator steam pressure release valve and drain valves and turnoff the steam generator injection water pump. Hydrogen forms in the secondary sodium loop which further raises the secondary sodium loop pressure. A continuing secondary sodium loop pressure increase will cause the rupture disk to open. Then sodium is expelled from the secondary loop via both the tube failure and via the open rupture disk.
20) A consequence of a steam generator tube failure may be NaOH accumulation in elbows at the bottom of the secondary sodium loop. There needs to be a filter system that gradually removes NaOH from the secondary loop. This filter should be installed across the induction pump. The NaOH can be periodically dissolved by raising the minimum loop temperature above 318 degrees C and then cooling it in the filter. There still may be a problem with liquid NaOH sinking to the bottom of the secondary loop.
 

SECONDARY SODIUM FIRE SUPPRESSION:
The secondary sodium loop normally operates at a pressure slightly above one atmosphere. There is a small tendency for secondary sodium to leak at mechanical joints. Such leaks are potentially dangerous to service personnel. Hot sodium will self ignite in air. One way to suppress these sodium fires is tocompletely surround the secondary sodium loop with an argon jacket. The jacket must be physically robust enough to reliably withstand squiring liquid sodium and must act as a thermal insulator.

Small sodium fires can be extinguished using NaCO3.
 

EARTHQUAKE TOLERANCE:
FNRs must not go prompt critical under the circumstances of the most violent recorded earthquakes involving horizontal ground shaking with accelerations up to 30 m / s^2 and velocities up to 1.2 m / s. This earthquake tolerance can be achieved by supporting the fuel assembly on a layer of ball bearings and high presure oil such that the fuel assembly stays almost stationary while the ground shakes underneath it. When an earthquake wave is detected all the mobile fuel bundles should immediately withdraw to reduce the reactor reactivity.
 

PROLIFERATION RESISTANCE:
Implementation of Proliferation Resistance
 

MURPHY'S LAW
Murphy's Law states that if there is any way for humans to do something wrong sooner or later someone will discover it. FNRs must be engineered to be tolerant of possible human error. To the extent possible FNRs must be designed so that incompetent or irrational human activity cannot cause dangerous prompt neutron criticality.

FNRs rely on fairly complex crane manipulation of fuel bundles during fuel bundle installation and replacement. This crane manipulation is unlikely to be fully automated in the foreseeable future, so this portion of FNR work will likely be subject to human error.

In the event that during loading or unloading a fuel bundle is dropped and falls to the bottom of the primary liquid sodium pool the dropped fuel bundle must be immediately retrieved, not ignored or forgotten. The potential danger is a prompt critical condition arising from random overlap of the core fuel of the dropped fuel bundle with the core fuel of other dropped fuel bundles. To minimize such problems the gantry crane used for fuel loading and unloading should be fitted with a safety line to prevent such drops.

It should be assumed that sooner or later humans will make mistakes. A FNR must be designed to enable easy detection and remedy of mistakes. Any mistake that could potentially lead to reactor over heating or dangerous prompt neutron criticality must be obvious to several different individuals long before it can cause a disaster. Ideally any safety procedure that relies on human operator training or skill is open to being done wrong by someone sooner or later.
 

This web page last updated March 29, 2021

Home Energy Physics Nuclear Power Electricity Climate Change Lighting Control Contacts Links