Home Energy Physics Nuclear Power Electricity Climate Change Lighting Control Contacts Links



By Charles Rhodes, P.Eng., Ph.D.

The issue of safety in advanced reactors is broadly discussed in the 2012 report titled:
Overview of Generation IV (Gen IV) Reactor Designs //Safety and Radiological Protection Considerations.

In Canada nuclear safety matters are regulated by the Canadian Nuclear Safety Commission (CNSC). The main regulatory document is the Canadian Nuclear Safety and Control Act. The FNR discussed herein is intended to fall under the regulatory category of Small Modular Reactor (SMR) with an electricity output of less than 300 MWe.

Any analysis of nuclear power safety needs to be set in context. There is no such thing as perfect safety in power generation. A significant fraction of dependable clean electricity is generated by hydroelectric dams. Hydroelectric dams also provide the energy storage necessary to filter the natural variations in wind and solar generation.

Hydroelectric dam accidents are extremely rare, but when they do occur often many thousands of people are killed. Large hydroelectric dams store a lot of potential energy, which if suddenly released is enormously destructive.

Up until WWII hydroelectric dam failures were almost exclusively accidental. However, during WWII techniques were developed for destroying hydroelectric dams and other major concrete structures by aerial bombing.

The point is that a determined military attack on a hydroelectric dam can cause enormous destruction and loss of life.

A determined military attack on a large nuclear power station might potentially cause comparable damage and loss of life. That does not mean that we do not build either hydroelectric dams or nuclear power stations. What it means is that we try to mitigate risks and have sufficient social order that there are no determined military threats on either hydroelectric dams or nuclear power stations.

Just as it is impossible to make hydroelectric dams totally resistant to military attacks, it is equally impossible to make a nuclear power stations totally resistant to determined military attacks.

A hydroelectric dam will potentially destroy itself if the stored hydraulic energy is permitted to erode the engineered dam structure. A nuclear power station can potentially destroy itself if it enters a condition known as prompt neutron criticality in which condidtion there is a sudden rapid release of thermal energy sufficient to melt and/or vaporize the reactor fuel and/or vaporize the liquid reactor coolant. That rapid vapor formation causes such a large increase in cooling fluid pressure that the reactor literally blows itself apart. A prompt neutron critical explosion stops when the thermal expansion of the fuel and coolant is sufficient to stop the nuclear reaction. The reactor explosion at Chernoblyl in 1986 was the result of prompt neutron criticality.

The lesson here is that a determined military attack sufficient to cause prompt neutron criticality will likely seriously damage any nuclear power reactor. One way of addressing this problem is to design the reactor and its enclosure such that any credible prompt neutron critical condition will self extinguish before the resulting damage is a threat to the public. However, a better solution to this problem is to ensure sufficient social order that no such determined military attacks ever occur.

The probability of an earthquake or a tsunami affecting a hydroelectric dam or a nuclear power station is also small, but as demonstrated by the accident at Fukushima Diichi, is not so small that earthquake and tsunami risks can be ignored in reactor engineering.

There is a small but finite chance of either a hydroelectric dam or a nuclear power reactor having a catastrophic failure due to impact by a large meteorite. However, the probability of such a meteorite impact is so small that we generally do not consider it a credible risk. If such an impact did occur mankind would have bigger problems than just a single power failure.

When a nucleus fissions over 99% of the free neutrons that it emits are prompt neutrons and less than 1% are delayed neutrons. Both the prompt and delayed neutrons have initial kinetic energies of the order of 2 MeV.

There are two classes of nuclear power reactors, Fast Neutron Reactors (FNRs) and thermal neutron reactors. Most existing power reactors use water as the primary coolant. In these reactors the hydrogen component of the water rapidly absorbs kinetic energy from high energy fission neutrons, so most of the scattered neutron flux consists of slow or "thermal" neutrons. However, if the primary coolant is a liquid metal, such as sodium which has 23X the atomic weight of hydrogen, most of the scattered neutron flux consists of high energy or "fast" neutrons. The fast neutrons undergo many more fissions per unit time than do thermal neutrons. Hence if the reactor reactivity is positive with prompt neutrons the rate of neutron population growth and hence thermal power growth in a FNR is much greater than in a water cooled reactor.

Power reactors normally operate at an equilibrium point where the reactor reactivity is slightly negative with respect to prompt neutrons and is zero with the addition of delayed neutrons. At this operating point the reactor is stable and fine power control occurs via the delayed neutron flux.

However, a sudden change in fuel geometry, coolant geometry or temperature can cause the reactor reactivity to swing slightly positive on prompt neutrons which causes a very rapid increase in reactor fuel temperature and thermal power output. It is essential to immediately suppress positive reactivity before the reactor power rises beyond its design limit.

In a thermal neutron reactor the reactivity is controlled by mechanical adjustment of the position of control rods. In a thermal neutron reactor when the reactivity swings slightly positive on prompt neutrons the rate of neutron population growth is slow enough that mechanical control rod insertion can be used for safe reactor power control, even if the reactor reactivity slightly increases with increasing temperature. A practical issue with such mechanical control systems is that near reactor power equilibrium the control rod insertion control mechanism tends to slowly hunt.

In a fast neutron reactor, when the reactivity swings positive on prompt neutrons the rate of neutron population growth and hence reactor thermal power output is so fast that safe reactor power control relies on the reactor reactivity rapidly decreasing with increasing fuel and reactor temperatures. Via fuel thermal expansion a fast neutron reactor must immediately converge to a safe stable power state without relying on physical movement of control rods or physical changes to the fuel geometry other than via thermal expansion. To achieve this performance a FNR is subject to design constraints that are not applicable to water cooled reactors. One of the most important of these constraints is ensuring that adverse circumstances will cause an increase in fuel assembly reactivity beyond that which is cancelled by safe thermal expansion. In this respect a limiting factor is fuel center line melting.

With liquid sodium cooled FNRs we are concerned about chemical safety, fire safety, radiation safety, thermal power safety, fuel geometry stabiity, credible physical threats such as earthquakes and primary sodium level maintenance. There must be certainty regarding protection of both workers and the public from aggressive and toxic chemicals, sodium and potassium combustion, ionizing radiation and credible explosive thermal energy releases.

There are two potential risks which are difficult to address. One is a determined military attack. The other is a large meteorite impact. These same risks exit with large hydroelectric dams. In terms of public safety these risks can be mitigated but cannot be totally eliminated. The designobjective is to make these risks much less than other risks normally encounted during human life.

The safety matters related to sodium cooled FNRs fall into several categories:
1) Exclusion of water:
a) The FNR must be sited at a sufficient elevation with respect to surrounding land that it will never be flooded. This is a non-negotiable site requirement;
b) The external roof over the FNR must be watertight and must be sufficiently sloped to naturally shed water, snow and ice;
c) The water tight roof membrane must be rugged and easy to maintain.

2) Exclusion of oxygen:
a) Hot liquid sodium and NaK will spontaneously burn in air;
b) To prevent spontaneous sodium combustion air must be reliably excluded from the primary sodium pool space;
c) The sodium pool must be protected by a layer of argon cover gas at atmospheric pressure;
d) The argon cover gas must be contained by gas tight stainless steel walls and ceiling;
e) Over top of the primary sodium pool there must be a rugged steel or concrete dome of sufficient strength to prevent ceiling or gantry crane collapse into the primary sodium pool under all credible circumstances;
f) Between the dome and the primary sodium pool is a layer of sand bags of sufficient thickness to stop projectiles that are able to penetrate the protective dome;
g) The dome and sandbag construction must prevent penetration of combustion air even if there is a total failure of the argon cover gas arrangement.

3) Earthquake, Tornado and military attack protection:
a) A steel dome roof backed up by layers of sand bags and supported by 1 m thick concrete walls that are stabilized by radial shear walls is an extremely robust way of protecting the primary sodium pool from unforseen physical events;
b) In the event of a severe earthquake or tornado the dome will remain in place preventing discharge of radio isotopes to the surrounding environment.
c) In the event of an anticipated physical threat to a FNR an automated system should withdraw the movable fuel bundles from the matrix of fixed fuel bundles.

4) Removal of Heat:
a) Removal of heat from a FNR normally occurs via circulation of liquid NaK, liquid nitrate salt and/or thermal fluid.
b) There must be a sufficient number of independent redundant heat transport circuits that no credible accident will render all of them non-functional.
c) The reactor must have a negative reactivity coefficient which in normal circumstances will limit its maximum operating temperature.
d) The primary sodium level must be sufficient for the heat removal system to reliably operate and to ensure stable reactor reactivity;
e) The NaK, liquid nitrate salt and thermal fluid heat transport systems must be configured to reliably operate;
f) The water injection systems into the steam generators must be configured to reliably operate in all credible emergencies.

5) Protection against meltdown:
a) In normal circumstances thermal expansion of the fissile fuel is sufficient to stop the nuclear reaction.
b) In the event of a fast neutron criticality event boiling of sodium inside the fuel tubes will tend to blow the fuel rods above the ceramic balls upwards towards the plenum which will halt the nuclear reaction. By this means most minor prompt neutron criticality conditions are suppresed.
c) In the event of an incident or accident that causes severe fuel overheatinng, the fissile fuel will melt or vaporize and flow down displacing lower density liquid sodium. This downward flow of melted fissile fuel will reduce the average fissle atom concentration below criticality so that the nuclear reaction stops.

6) Radiation containment:
a) The mass of the steel dome and sand bags prevents overhead gamma radiation emission;
b) In any credible accident the steel dome will safely contain radio isotopes.

7) Pressure Safety:
a) Both the primary sodium pool and the nitrate salt circuit operate at atmospheric pressure;
b) The NaK circuits normally operate at 0.5 MPa which is sufficient pressure to ensure that in the event of a NaK circuit leak that the NaK will always flow out of the circuit, not vice versa;
c) In the event of a steam generator leak the water/steam will always flow into the nitrate salt circuit which is vented to the atmosphere;
d) Multiple small steam generators are used to minimize the amount of energy that is stored in high pressure steam.

8)Primary Sodium Level Maintenance:
It is essential to maintain the primary sodium level to ensure capacity to remove fission product decay heat and to prevent an uncontrolled reactivity increase due to an unplanned decrease in primary sodium concentration within the reactor core zone.
a) As long as the movable fuel bundles are inserted into the fixed fuel bundle matrix sufficiently for FNR operation it is essential to maintain the primary sodium level.
b) In normal circumstance the primary sodium level is maintained by three redundant nested steel cups;
c) The cup geometery and insulation between the cups are chosen to prevent the primary sodium level falling more than 4 m on inner cup failures.
d) The sodium level must fall by more than 8 m before the effect of the sodium level on fuel reactivity becomes a concern.

9)Reserve Argon Supply Maintenance:
a) Reserve argon is stored in nine atmospheric pressure bladders;
b) The bladders are individually piped so that a failure of one bladder has little or no effect on the other bladders.
c) The bladders are physically protected by 1 m thick concrete walls.

10) Protection Against Overhead Collapse:
Redundant measures are used to prevent any heavy objects such as roof tiles or polar gantry crane components falling onto the fuel assembly.

Elsewhere on this website Fast Neutron Reactors (FNRs) have been identified as the only sustainable, reliable and economic solution to meeting mankind's future energy and power requirements. This web page focuses on FNR design parameters that are necessary to achieve inherent safety. FNRs must be designed so that they can be safely assembled, operated and economically maintained at urban sites where there is limited availability of skilled personnel.

Pool type FNRs are inherently much safer than thermal neutron reactors because:
a) In a pool type FNR there is no high pressure containment of neutron activated reactor coolant;
b) The maximum thermal power of a FNR is limited by passive average fuel temperature control, as compared to thermal neutron reactors which rely on continuously operating mechanical reactivity control systems to limit the maximum reactor thermal power.

A pool type liquid sodium cooled FNR design has multiple measures in depth to prevent a primary liquid sodium fire and to quickly suppress NaK fires. These measures are mainly concerned with exclusion of both air and water under all credible circumstances, certain continuous immersion of active fuel tubes in the primary liquid sodium, certainty with repect to maintenance of safe fuel geometry and certainty with respect to heat removal.

The FNR design discussed herein has extraordinary safety tolerance to fuel overheating and minor reactivity excursions toward prompt neutron criticality. This feature ensures that the FNR is safe for autonomous operation at an urban site. However, the regulations relating to this matter have yet to be developed. This safety issue involves multiple proprietary matters and is presently a work in progress.

A FNR usually operates with its primary sodium pool surface and cover gas in the temperature range 450 degrees C to 470 degreees C. The primary sodium pool consists of three nested steel cups, any one of which can safely contain the liquid sodium and isolate it from the environment. The nested primary sodium pool walls are separated from each other by 1 m thick layers of silica sand and fire brick, which provide both thermal insulation and potential liquid sodium volume displacement.

The cover gas is contained by two nested sheet steel wall coverings either of which can safely isolate the contained argon and sodium vapor from the environment. The sheet steel walls are separated from each other by a 1.0 m thick layer of argon filled ceramic fiber insulation.

There are 48 independent heat transport systems each of which contains three separate heat exchange barriers. A failure of any one of these barriers results in a heat transport system shutdown. However, due to the multiplicity of independent heat transport systems, the facility can continue operating while some of the heat transport systems are shut down.

In normal operation the FNR relies on the inner most sodium and argon containment walls. In the event of an inner most containment wall failure the FNR should be shut down at the next opportunity. A failure of the second containment wall indicates that the reactor must be shut down, regardless of financial consequences.

In normal FNR operation there is seldom any need for maintenance personnel to enter the FNR primary sodium pool enclosure. The FNR relies on passive physics to maintain its temperature setpoint, and the nuclear reaction will passively shut down if the thermal load is removed.

If it is necessary to replace a heat exchange bundle typically the FNR temperature must be reduced to about 120 degrees C and the Na-24 in the sodium pool, which has a half life of about 15 hours, must be allowed to decay for about one week. Then robotic equipment can be used for heat exchange bundle replacement.

If for some reason robots cannot do the job then maintenance personnel need protective cooled suits having closed circuit air systems, similar to space suits, to protect them from the 120 degree C argon atmosphere and hot surfaces in the primary sodium pool space. The practical difficulties of doing work in such conditions, such as disconnecting and then reconnecting intermediate heat exchange bundle flanged pipe joints, should not be under estimated.

In a FNR the nuclear chain reaction progresses through successive neutron generations very quickly, so the neutron concentration and hence the reactor thermal power can potentially grow or decay equally quickly. It is important to design a FNR such that its reactivity always has a strong negative temperature coefficient so that at its operating point its reactivity always quickly decreases as its average fuel temperature increases. Then the reactor will spontaneously seek an operating point where the reactivity is zero.

This safety characteristic is near optimal when about half of the fission neutrons formed in the core zone diffuse out of the core zone and are absorbed by the adjacent blanket zones. The design of a FNR fuel assembly should closely adhere to this safety principle.

If there is a suitable negative temperature coefficient then for a particular fuel geometry and a partcular thermal load there is an average fuel temperature at which the number of free neutrons remains stable. A stable number of free neutrons corresponds to a stable thermal power output. A FNR should exhibit a declining reactivity with increasing temperature without any reliance on an external physical control system. Then varying the rate of heat removal from the reactor controls the reactor thermal power. Delayed neutrons and a large thermal mass in a FNR prevent rapid wide thermal power excursions when the fuel geometry, primary coolant temperature or primary coolant flow slowly change.

FNRs should be always be operated in circumstances where coolant boiling cannot occur. Coolant boiling causes coolant voids which will locally increase reactor reactivity and reduce the fuel cooling rate, causing uncertainty with respect to the reactor operating parameters.

A FNR should have safety features that limit the maximum rate of change of fuel geometry, the maximum deviation of the reactor setpoint from the primary sodium temperature and the maximum thermal load regardless of operator error.

It is necessary to ensure that any credible coolant temperature or coolant flow will not cause a local reactor heat flux in excess of the fuel tube material rating.

Likewise it is necessary to ensure that a FNR will not have an uncontrolled thermal power surge due to an unplanned change in its fuel or coolant geometry caused by any credible earthquake, aircraft impact, overhead crane failure or structural failure.

A FNR should use fuel designed such that any credible excursion into prompt neutron criticality causes instantaneous linear disassembly of the fuel within each fixed fuel bundle to suppress the prompt critical condition. This disassembly occurs because prompt neutron criticality will cause instantaneous boiling of cesium and sodium contained within the fuel tube adjacent to core fuel rods. The resulting high pressure metal vapor will blow part of the core fuel toward the fuel tube plenum. That fuel rod movement will immediately reduce the reactor reactivity.

In this respect a meteorite impact or the explosion of an armour piercing bomb in the primary sodium pool are not considered credible risks.

In the event that linear disassembly of the fuel does not supress the prompt neutron criticality the fuel will vaporize sufficiently to stop the nucler reaction. In this respect it is important that when the fuel particles settle to the bottom of the primary sodium pool the pool bottom contour be such that the fuel will not again become critical. For example, the region under the fuel assembly can contain a layer of neutron absorbing gravel that will prevent a nuclear reaction close to the pool bottom.

On-site personnel are required to do periodic routine non-nuclear preventive maintenance on the NaK heat transport system, NaK-salt heat exchangers, salt circulation pumps, steam generators, injection pumps, turbo-generators, condensers, cooling towers and related mechanical and electrical equipment and to make repairs as necessary. However, this equipment should not involve any radioactivity. Most of it is in separate buildings isolated by three concrete walls with a total thickness of 2.5 m. There is sufficient redundancy in the FNR support equipment that some of the heat transport systems can be shut down for maintenance or repair while others remain in operation. Thus, the only reasons for keeping staff on the reactor site 24/7 is compliance with steam power plant regulations and maintenance of site security.

For normal safe thermal power control FNRs rely on thermal expansion of reactor fuel to reduce the FNR reactivity and hence reduce the thermal power output as the fuel temperature increases. The reactor core zone fuel geometry should be slowly adjusted to change fuel average temperature setpoint or to cause a cool or cold reactor shutdown.

One of the reactor design issues is prevention of sodium void instability. Formation of sodium voids would potentially increase the FNR reactivity. At all reactor operating states the decrease in reactivity due to an increase in fuel temperature must xzfely exceed the increase in reactivity due to structural and liquid sodium coolant thermal expansion. The reactor temperature must be sufficiently low and the liquid sodium head pressure sufficiently high that coolant voids never form.

The tendency for void formation is related to the local sodium temperature, the sodium temperature distribution in the reactor and the sodium hydraulic head. The reactor must not rely on any mechanical pumping mechanism for preventing formation of sodium voids. Typically this condition is achieved by operating the sodium far below its boiling point. The sodium boiling point is further raised by use of a significant liquid sodium head pressure in the reactor core zone. The reactor peak power must never be so large as to cause sodium void formation. Reactor power peaks tend to occur at times when there are changes in fuel geometry with the object of increasing the average fuel temperature.

One of the issues in FNR design is ensuring that no matter what adverse circumstances occur on loss of station power the reactor fails into a safe shutdown state.

Note that if the primary liquid sodium has significantly cooled the average fuel temperature setpoint must be very slowly raised before re-establishing reactor operation. During that warming period the nitrate salt must also be melted and any water in the nitrate salt circuit must be boiled off.

From a licensing point of view the FNR design must meet all the severe accident events covered in the design basis for the site. Events that can occur together must also be considered.

For example if a FNR enclosure is hit by a large aircraft the resulting change in FNR fuel geometry must not cause a prompt critical condition. A FNR must also withstand earthquakes and tornados that cause electricity transmission poles to become missiles. The list of possible hazards also includes potential plant accidents like sodium fires, NaK fires, main steam line breaks and associated pipe whip and steam turbine disintegration, etc.

The Darlington safety report is likely available to the public at the CNSC library in Ottawa and should contain a list of all the design basis accidents.

There are at least 15 safety related conditions that must be maintained at all times by liquid sodium cooled FNRs:
a) Certain water exclusion;
b) Certain air exclusion;
c) Certain primary liquid sodium containment and level maintenance;
d) Certain primary sodium temperature setpoint range constraint;
e) Certain primary sodium fire prevention and suppression;
f) Sufficient fuel geometry stability to prevent an excursion into prompt neutron criticality;
g) Certain safe fuel disassembly in the event of approach to prompt neutron criticality;
h) Certain nuclear reaction shutdown via two independent systems;
i) Certain capability for fission product decay heat removal;
j) Certain tolerance of intermediate heat exchange bundle, NaK-salt heat exchanger and steam generator tube failures;
k) Certain NaK fire tolerance and fire suppression via gravity drain down;
l) Certain earthquake tolerance;
m) Certain resistance to external missle attack;
n) Proliferation resistance;
o) Resistance to Murphy's Law.
p) NaK pressure and level maintenance
q) Nitrate salt level maintenance
r) Certain maintenance of station power for a time sufficient to achieve a safe shutdown to a condition where fission product decay heat is removed by natural circulation.

The FNR described herein is designed to ensure compliance with all of these safety conditions.

Certain water exclusion is realized first by siting the FNR at a sufficient elevation that the FNR will never be exposed to flood water. In addition there are four concentric barriers (the external concrete wall and three nested steel walls) that will exclude ground water and rain water from the primary liquid sodium. Furthermore no water or water pipes are permitted within the primary sodium pool enclosure. Secondary NaK drains down into dump tanks. Nitrate salt drains down into dump tanks. Steam generator condensate drains down into a pumped sump. Other sump pumps expel leakage water from the reactor enclosure foundation.

There are three concentric interior reactor roofs and side walls intended for ongoing sodium vapor inclusion, argon inclusion and air exclusion. The outside structural wall, roof and overhead dome protect the three interior gas barriers. When the liquid sodium is near ambient temperature its surface can be isolated from air by flooding the sodium surface with kerosene. The pipe paths between the argon filled spaces and the air filled spaces are isolated by bellows sealed pipe connections. Physical access is by argon-vacuum-air locks. The argon pressure is maintained at one atmosphere via the use of large argon containment bladders located within adjacent concrete protected spaces. A dual on-site cryogenic facility provides on going extraction of argon from the atmosphere.

An issue that must be faced is the remote possibility of a direct overhead attack by either a diving airplane or a armour penetrating projectile. Assume that by some means the overhead dome is damaged. The single most important immediate step is to lower the primary sodium temperature as much as possible. The issue is that as long as the primary sodium temperature is high it will heat the gas above it causing that gas to expand. When that gas is lighter than the surrounding air it will tend to rise potentially sucking in further oxygen laden air via any open aperture. It is essential to stop that fresh air movement. Hence heat must be sucked out of the primary sodium as fast as possible. When the bulk sodium temperature is down to about 120 degrees C then the density of a fire suppressing gas such as argon (atomic weight 40) when thermally expanded by:
[(273 + 15) / (273 + 120)] X 40 = 29.31 is comparable to N2 at 28 and O2 at 32. We need a higher molecular weight gas for fire asphixiation.

Ideally we need a non-reactive blanket that can reliably cover the top of the primary sodium pool and so asphixiate any primary sodium fire. This blanket can be composed of pie shaped pieces that will cover the top of the primary sodium pool inside the circle formed by the intermediate heat exchange bundle top manifolds. When this blanket is applied the movable fuel bundles are all fully withdrawn so that the indicator tubes will not prevent blanket application.

The primary liquid sodium is contained within three cylindrical nested open top stainless steel cups. The innermost cup is 16 m high X 20 m diameter. The middle cup is 17 m high X 22 m diameter. The outer cup is 18 m high X 24 m diameter. The 1 m wide spaces between the cups are filled with fire brick. The fire brick is chosen such that if immersed in liquid sodium it will displace at least 50% of its own volume.

In the event that the inner two cups both fail liquid sodium will flow into the space occupied by all of the sand and fire brick. If the fire brick displaces a volume of sodium equal to 50% of the fire brick volume, the volume available for potential sodium occupancy up to 4 m below the normal sodium level is:
{Pi (12 m)^2 (13 m) - Pi (10 m)^2 (11 m)} (.50)
= Pi (1872 m^3 - 1100 m^3)(.50)
= 1212.65 m^3

The volume of liquid sodium available to fill this space while keeping the intermediate heat exchange tubes at least 2 m immersed in liquid sodium is:
Pi (10 m)^2 (4 m) = 1256.63 m^3

Hence as long as the outer most steel cup holds there is sufficient fire brick to prevent the sodium level in the innermost cup falling by more than 4 m. Thus:
6 m - 4 m = 2 m
of heat exchange tube remain immersed in the liquid sodium for decay heat removal.

A key issue in fuel bundle design is that with half of the movable fuel bundles fully withdrawn from the matrix of fixed fuel bundles and the remainder of the movable fuel bundles in their normal operating position the reactor must shut down. This fuel bundle design constraint enables safe reactor assembly/disassembly and allows independent operation of the two fully independent FNR cold shutdown systems. In order to achieve reactor zone symmetry the fissile fuel concentration in the movable active fuel bundles may be higher than the fissile fuel concentration in the fixed active fuel bundles.

Engineered nuclear reactor safety shutdown systems operate on the principle that in addition to the normal control system which realizes a warm shutdown with no thermal load there should be two fully independent and redundant safety shutdown systems, either of which can force a reactor cold shutdown.

For each of the two safety shutdown systems there are independent mechanical and electronic constraints on the temperature setpoint and its rate of change. There are also independent position, temperature and gamma ray sensors that can over ride other setpoiint control signals to force a reactor cold shutdown.

Normal reactor safety is achieved via warm shutdown.

For public safety the aforementioned safety systems should be continuously monitored and periodically tested to ensure that they will reliably function when required.

These two independent shutdown systems are backed up by physical barriers. To present a potential hazard to the public the warm shutdown system and both cold shutdown systems must all simultaneously fail. To presemt a potential hazard to service personnel maintaining or testing one safety system the warm shutdown system and the other cool shutdown safety system must simultaneously fail.

Independent functionality of these safety systems is an essential condition for safe unattended FNR operation.

Generally there is a requirement for service personnel to periodically physically confirm the proper operation of each shutdown system. Provided that these scheduled checks are performed and if necessary any defective devices are promptly repaired or replaced, the probability of all the safety shutdown systems failing simultaneously is less than microscopic.

1) WARM REACTOR SHUTDOWN = Nuclear fission stops but the primary sodium temperature remains at the reactor setpoint, typically 460 degrees C.

2) COOL REACTOR SHUTDOWN = Nuclear fission stops and will not restart until primary sodium coolant temperature drops below about 105 degrees C. Normal fuel bundle repositioning and/or intermediate heat exchange bundle replacement is carried out at about 120 degrees C.

3) COLD REACTOR SHUTDOWN = Nuclear fission stops and will not restart even if the primary liquid sodium falls to room temperature. In practice a cold shutdown is seldom used because it triggers a lengthy warmup procedure. The heat required to raise the primary sodium up to its melting point near 100 degrees C must come from an external energy source.

1) Reactor discharge temperature setpoint modulation is achieved by changing the insertion depth of the movable fuel bundles in the matrix of fixed fuel bundles.

2) A reactor coolant temperature rise above its setpoint should cause a warm reactor shutdown.

3) The movable fuel bundles are divided into two groups, A and B, in a staggered pattern similar to the red and black squares on a checker board. Each interior member of group A has four adjacent group B members. Similarly each interior member of group B has four adjacent group A members.

4) The maximum possible reactor reactivity occurs when both groups A and B are fully inserted into the matrix of fixed fuel bundles.

5) In normal reactor operation both groups A and B are partially inserted.

6) Full withdrawal of either group A or group B from the matrix of fixed fuel bundles while the remainder of the movable fuel bundles remain in their normal operating position must cause a reactor cool or cold shutdown. This reactivity design constraint enables operation of the two fully independent FNR shutdown systems and also enables safe reactor fuel assembly / diassembly.

7) In order to achieve reactor zone symmetry when the movable fuel bundles are fully withdrawn the average fissile fuel concentration in the movable fuel bundles should be higher than the average fissile fuel concentration in the fixed fuel bundles.

8) If any single movable fuel bundle is accidentally moved toward being over inserted immediate full withdrawal of either the remaining group A movable fuel bundles or the remaining group B movable fuel bundles must cause a reactor shutdown.

9) If any two movable fuel bundles are accidentally moved toward being fully inserted full withdrawal of all of the remaining movable fuel bundles must immediately occur and must cause a reactor shutdown.

For each of the two safety shutdown system there are independent mechanical and electronic constraints on the fuel average temperature setpoint and its rate of change. There are also independent position, temperature and gamma ray sensors that via an independent control can over ride other setpoint control signals to force a reactor shutdown.

The maximum insertion rate of movable fuel bundles into the matrix of fixed fuel bundles is both physically and electronicly limited to prevent fuel over heating and to prevent approach to prompt neutron criticality.

The fuel bundle geometry in a FNR must be mechanically stable. The working temperature of each fuel bundle is kept sufficiently low that the fuel bundle geometry cannot become unstable via fuel tube melting, structural melting or sodium boiling due to the large temperature differences between the material operating temperatures and their melting and boiling points.

At the primary liquid sodium surface, sodium vapor bubbles will start to form if the liquid sodium surface temperature rises above 870 degrees C. However, under those circustances liquid sodium boiling in the core zone is prevented by the liquid sodium static head pressure in the core zone. Due to the liquid sodium static head pressure sodium vapor bubbles will not form in the reactor core zone until the temperature in the core zone reaches about 960 degrees C. The appearance of sodium vapor bubbles on surface of the primary sodium pool gives warning of local overheating. The temperature of the sodium inside an indicator tube is a reliable but somewhat delayed indication of the liquid sodium temperature at the corresponding movable fuel bundle discharge.

For nuclear reactors at urban sites the single biggest risk to the public is a circumstance that might cause a reactor explosion due to prompt neutron criticality. The best defense against prompt neutron criticality is to understand its causes, to be aware of the potential danger and to do all necessary to prevent it from ever occurring.

To obtain an explosion it is necessary to cause a reactor to become neutron prompt critical. Delayed neutrons are too slow to sustain the rapid power rise needed for an explosion.

Fast neutrons are high energy neutrons (~ 20,000 km/s),
Prompt neutrons are fast neutrons that come directly from a fission reaction;
Delayed neutrons are fast neutrons emitted from the fission fragments that are emitted a few seconds after the corresponding nuclear fission. Delayed neutrons make it possible to design and safely control both thermal neutron and fast neutron power reactors.
Note that with Pu-239 fissile fuel the ratio of delayed neutrons to prompt neutrons is smaller than with U-235.
Thermal neutrons are low energy neutrons (2 km / s) that have been slowed down by scattering by low atomic weight moderator materials.

Above the prompt-critical point reactor power rise can occur quickly with thermal neutrons and even faster with fast neutrons. The power rise with prompt neutrons will quickly cause the reactor to structurally disintegrate. Structural disintegration causes the reactor to become sub-critical which causes the power rise to stop.

A well known case of prompt thermal neutron criticality in a thermal neutron nuclear power reactor was in 1986 at:

A good description of the safety measure failures that led to the accident at Chernobyl and the corresponding preventive safety measures used in CANDU reactors is contained in a report titled:
Chernobyl - A Canadian Perspective

The FNR known as EBR-2 was tested under full power with sudden loss of cooling and while the control rods were deliberately inactivated to prevent automated control feedback. The EGR-2 intrinsically adjusted power levels to zero within 5 minutes. This type of test was carried out almost 50 times with no apparent damage to the reactor nor to any component, with the reactor being powered up again the same day. However, part of the reason for this safe behavior was likely fuel disassembly within the fuel tubes.

Core fuel thermal expansion and delayed neutrons are the primary safeguards against uncontrolled rapid power rise in a FNR. Hence it is crucial that the design of fast neutron reactors ensures that transients or accidents can not cause strong prompt neutron criticality.

A FNR is unique in that it can safely manage small prompt critical excursions. In a FNR with a plenum for each fuel tube a rapid power rise due to a small prompt critical excursion blows the core fuel apart longitudinally in less than 10^-4 s thus causing the reactor to become sub-critical before the power rise is sufficient to cause apparent physical damage.

In prompt neutron criticality the rate of power rise is proportional to the degree of super-criticality and is inversely proportional to the neutron transit time T between successive fissions. This time T is given by:
T = 1 / [Vn Sigmafp Nfp]
Vn = neutron velocity
Sigmafp = fast fission cross section of Pu-239 atoms
Nfp = average concentration of Pu-239 atoms in the reactor core

En = neutron kinetic energy
= 1.67 X 10^-27 kg X Vn^2 / 2
= 2 X 10^6 eV X 1.6 X 10^-19 J / eV
Vn = [(2 En) / (1.67 X 10^-27 kg)]^0.5
= [(6.4 X 10^-13 J) / (1.67 X 10^-27 kg)]^0.5
= 1.96 X 10^7 m / s

Sigmafp = 1.7 b
= 1.7 X 10^-28 m^2

From the web page titled: FNR CORE
Nfp = 1.616 X 10^27 Pu atoms / m^3
T = 1 / [Vn Sigmafp Nfp]
= 1 / [(1.96 X 10^7 m / s) (1.7 X 10^-28 m^2) (1.616 X 10^27 / m^3)]
= 1 s / [5.3845 X 10^6]
= 0.1857 us
= 185.7 ns.

At a prompt neutron growth rate of 1.001 / neutron cycle the number of cycles N required for the neutron flux to double is given by:
(1.001)^N = 2
N Ln(1.001) = Ln(2)
N = Ln(2) / Ln(1.001)
= 0.69314 / 9.995 X 10^-4
= 693.5

Thus at a neutron growth of 1.001 / cycle the fission power will double in:
693.5 X 185.7 ns
= 128,790 ns
= 128.8 us
= 0.129 ms
which is comparable to the time required for gun powder to burn in a gun.

Thus as long as the degree of prompt neutron supercriticality in a FNR is small the dynamics of the core fuel are comparable to the dynamics of a bullet in a gun. In the event of prompt neutron criticality the Cs and Na in or adjacent to the core fuel vaporizes blowing the core fuel of the fixed fuel bundles toward the fuel tube plenum. This fuel disassembly instantly reduces the reactor reactivity, suppressing the prompt neutron critical condition. On cooling gravity restores the core fuel geometry. Note that in the fixed fuel bundles it is essential that the upper blanket rods slide freely inside the fuel tubes so that they will not prevent rapid fuel disassembly. It is equally important to ensure that the internal pressure rating of the fuel tube walls is sufficient for rapid lifting of the stack of blanket fuel rods that is above each core fuel rod.

In a FNR there are several possible ways that prompt neutron criticality might occur.

1) Reactor power instability.

2) Too rapid changes in fuel geometry.

3) Insufficient enclosure structural integrity.

4) Sudden large drop in reactor core zone coolant inlet temperature. This issue can be mitigated via a sufficient thermal mass to ensure a gradual change in core zone local reactivity as a function of position.

5) Insufficient earthquake tolerance.

6) A direct attack by some form of armour penetrating bomb or missile.

7) Insufficient Murphy's Law tolerance. Generally reactors should be designed such that three independent systems must all simultaneously fail before a major accident can occur.

A small step change in reactor fuel geometry causes an instantaneous change in reactor reactivity. That change in reactivity is immediately followed by a change in reactor fuel temperature sufficient to reduce the reactivity to zero.

On insertion of movable fuel bundles to raise the reactor setpoint temperature extreme care must be taken to ensure that the resulting increase in fuel temperature caused by the difference between the new reactor setpoint temperature and the actual coolant temperature is not so great as to melt the fuel.

Similarly if due to reactor thermal overload the coolant temperature becomes too low with respect to the reactor setpoint temperature the fuel will melt.

The potential for fuel melting during fuel bundle insertion is largely avoided by:
a) Inserting the movable fuel bundles very slowly so that the reactor setpoint temperature is never far above the actual coolant temperature;
b) Disconnecting the thermal load while fuel bundle insertion is taking place;
c) Keeping the reactor at its design operating temperature at all normal times except during reactor shutdowns for fuel changes or intermediate heat exchange bundle service.

The potential for fuel melting due to reactor thermal overload is eliminated by designing the heat transport system so that the maximum possible heat removal rate does not exceed the reactor fuel design limit.

There is a complicating issue that the reactor reactivity is also weakly dependent on the coolant and steel temperatures. When the coolant temperature is below the reactor setpoint temperature the coolant decreases the reactor reactivity. To compensate the reactor fuel temperature decreases sufficiently to bring the net reactor reactivity to zero. This issue will cause a decrease in the primary sodium discharge temperature.

Similarly, when the coolant temperature is above the reactor setpoint temperature the coolant increases the reactor reactivity. To compensate the reactor fuel temperature increases in order to bring the net reactor reactivity to zero. This issue will cause an increase in the primary sodium discharge temperature.

In summary, in response to a step increase in thermal load the primary sodium discharge temperature decreases and in response to a step decrease in thermal load the primary sodium discharge temperature increases.

After a step increase in reactor setpoint temperature it may take many minutes for the primary sodium pool temperature to rise. As the primary sodium pool temperature approaches the reactor temperature setpoint the fission reaction rate will decrease as indicated by reduced neutron flux.

Similarly, a step decrease in reactor setpoint temperature will cut off the chain reactions. It may take many minutes for the primary sodium pool temperature to fall and the chain reaction rate, as indicated by the neutron flux, to rise to its former level.

Three way valves are used to prevent these temperature fluctuations propagating forward and affecting the steam temperature.

In order to ensure reactor safety it is essential to design the FNR such that the temperature dependence of the reactivity is dominated by the fuel rather than the coolant and steel. the simplest way of meeting this requirement is to maintain a minimum Pu-239 concentration in the core fuel.

In a practical FNR the thermal mass of the sodium pool is large. Hence after a step change in reactor setpoint it takes a long time for the primary sodium temperature to come to reach steady state with respect to the fuel temperature. During reactor warmup after a reactor cool shutdown it is essential to insert the movable fuel bundles in small steps and wait for the consequent fission reaction rate to decrease, indicating that the coolant temperature is close to the fuel temperature, before further insertion of the movable fuel bundles.

If the FNR has a relatively small sodium pool one must also be concerned about any large decrease in primary sodium pool temperature below the reactor temperature setpoint. A large sodium temperature drop below the reactor setpoint will cause the fuel to run very hot and might ultimately lead to fuel melting.

Fuel melting is prevented by limiting the reactor thermal load.

It is prudent to design the FNR heat transport system such that when the FNR is at its design setpoint temperature and the nitrate salt pumps are all operating the heat extraction rate will not exceed the FNR fuel and fuel tube design value.

The change in reactor reactivity with fuel temperature occurs as a result of thermal expansion of the fuel, iron, chromium and sodium. The thermal expansion of the fuel occurs almost instantly but it takes a finite time for an injected heat pulse from the fuel to propagate into the surrounding steel and primary sodium.

There is a further time delay related to the thermal response of the reactor blanket.

The FNR design presented on this web site uses solid fuel and fuel tubes on a low friction mount to maintain a fixed fuel geometry during an Earthquake.

A too rapid change in fuel geometry could be caused by too rapid insertion of movable fuel bundles into the matrix of fixed fuel bundles. Too rapid movable fuel bundle insertion can be prevented by using appropriate mechanical speed limits on the FNR actuators.

There is a transition region between a reactor being critical with delayed plus prompt neutrons and being critical with just prompt neutrons. A FNR should normally remain in that transition region. A key issue is time. If the change in reactor fuel geometry is slow enough the heat released while under control by delayed neutrons should induce sufficient negative reactivity to prevent further approach to the prompt critical condition. In a FNR controlled by the fuel temperature this feedback is almost instantaneous. The danger lies in positive reactivity injections that exceed the safe available negative reactivity injection available from thermal expansion of the reactor fuel.

A key issue in this respect is fuel geometric stability. With Pu-239 fuel the time required for a 0.2% increase in reactivity due to a change in fuel geometry must be long compared to 3 seconds. Unlike solid fuels, liquid fissile fuels are potentially very dangerous because liquids can develop cavitation, vorticies, or surface waves that can change the reactor reactivity by more than 0.2% in a time period which is short compared to 3 seconds. It is much safer to use physically stable solid fuel as in this FNR.

It is important to never let the fuel assembly accidentally go critial. In loading fuel bundles into the primary sodium pool each movable bundle should be installed in the fully withdrawn position before installing its surrounding fixed fuel bundles. Similarly the fixed fuel bundles surrounding a movable bundle should be removed before extracting the corresponding movable fuel bundle. That strategy ensures that the fuel assembly will not accidently go critical due to pulling a movable fuel bundle through a matrix of adjacent fixed fuel bundles.

A relevant paper about a comparable liquid sodium cooled reactor with metallic fuel is S Prism Reactor Margin To Accidents

A prompt critical condition might be caused by a reactor enclosure collapse which crushes the fixed active fuel bundles. For example, a falling crane or a large airplane impact which causes physical collapse of the reactor enclosure.

A FNR enclosure must be designed such that a structural collapse sufficient to cause crushing of the fuel assembly core zone is not a credible risk. The reactor enclosure outside walls should be protected against an external aircraft or missle impact by bed rock, gravel embankments or adjacent structures such as turbo generator halls and cooling towers. The reactor enclosure roof must be structurally sufficiently robust to safely absorb the impact of a diving aircraft. The polar gantry crane must have sufficient redudant support to ensure that the crane can never fall into the primary sodium pool. The reactor roof structure should contain impact absorbing material, such as sand bags, to safely distribute over the roof area the impact force of any credible projectile. If the impact causes large pieces to break off the outer roof the inner roof and sand bags must prevent large broken pieces falling on to and crushing the reactor fuel asembly. The outer roof structure should be comparable in strength to a highway or railway overpass.

The inner ceiling immediately above the reactor should be made of light weight materials that, if they fell on the reactor fuel assembly, are not sufficiently heavy to significantly change the geometry of the matrix of fixed fuel bundles. The impact of the material fall would be mitigated by the top 6 m of liquid sodium. The fixed fuel bundle plenums would provide additional shock absorption.

The external enclosure must also protect the reactor from the large liquid hydrocarbon fuel fire that might accompany the crash of a large airplane.

An important issue in earthquake protection is bolting the fixed fuel bundles together to form a rigid matrix. The liquid sodium above the fuel assembly may slosh back and forth in an earthquake and we do not want surface waves in the liquid sodium to change the fuel assembly geometry and hence its reactivity.

In a FNR the reactivity increases with decreasing fuel temperature. Depending upon the fuel material distribution if the primary sodium temperature entering the reactor core zone drops too quickly the resulting increase in heat flux might melt the fuel on its cenerline, vaporize the internal liquid sodium or damage the fuel tubes. It is essential to have sufficient coolant thermal mass to prevent sudden major coolant temperature drops that might lead to fuel melting or prompt neutron criticality.

Since the change in reactor reactivity with a change in temperature is negative the reactivity cannot grow due to a coolant temperature rise.

A large FNR with a 1.7 m wide liquid sodium guard band contains a lot of heat stored in its primary liquid sodium pool. Hence it can load follow using some of that stored heat without any rapid change in the reactivity of its fuel assembly. The change in reactor thermal power output can take many minutes whereas the rate of heat transfer out of the primary sodium pool can change by a similar fraction in a few seconds.

For each FNR there are at least four independent passive heat removal systems any one of which can reliably and safely remove the fission product decay heat.

Under the circumstances of a double liquid sodium containment wall failure the heat transfer capacity of each heat transfer system might fall by a factor of three. However, we only need (1 / 12) of the entire heat transfer system capacity to remove fission product decay heat. Thus in order to reliably remove fission product decay heat it is essential that (1 / 4) of the total reactor heat transfer capacity must continue to function so that under the adverse condition of a double sodium containment wall failure the remaining certain heat transfer capacity is:
(1 / 3)(1 / 4) = (1 / 12)
of system full power heat removal capacity. Hence for maximum reliability there should be at least four independent passive heat removal systems, any one of which can reliably remove the fission product decay heat.

A practical FNR involves many thousands of intermediate heat exchange tubes. Sooner or later one or more of these tubes will fail. Each secondary sodium system has the following features:
1) The NaK loop components are all rated for a working presure of 2 MPa and are safety tested to 3 MPa;
2) There are sodium level sensors consisting of a long thin coils of nichrome wire suspended from an insulated feed through in an argon filled cushion tank head space. The electrical resistance of this coil to ground decreases as the sodium level increases.
3) There are NaK level sensors in the dump tanks.
4) The NaK loops normally operate at about 0.5 MPa.
5) If there is a leak in the intermediate heat exchanger the NaK level in the NaK cushion tank will decrease and the corresponding cushion tank argon pressure will decrease.
6) If there is a leak in a steam generator tube the nitrate salt level will increase and the salt will contain steam/water.
7) The nitrate salt flows through the steam generator tubes.
8) The trigger for draining the tube side of the steam generator to the salt dump tank is a formation of steam in the nitrate salt loop or a decrease in NaK level or pressure.
9) If there is water in the nitrate salt circuit it is essential to isolate the steam generator to prevent the nitrate salt circuit from being filled with water by a leak in a steam generator heat exchange tube. Since the steam generators serving a single turbine are connected in parallel it is necessary to trip off the entire steam generator group on detection of water in a nitrate circuit. By stopping the injection water pumps we stop any possible back flow of water.

10) Note that the sodium/salt heat exchanger is at a higher elevation than all the other equipment on that same heat transfer circuit. Draining the shell side of the sodium/salt heat exchanger stops heat transfer through this circuit but potentially raises the induction pump temperature up to 460 degrees C if the three way valve leaks. The NaK cannot be drained to its dump tank until there is certainty that the nitrate salt loop is drained below the level of the NaK/salt heat exchanger. Otherwise there is a possibility of a major accident resulting from salt or water entering the NaK loop via a tube rupture in the NaK/salt heat exchanger.

11) If the NaK pressure falls to 0.3 MPa nitrate salt drainage to its dump tank is tripped.

12) NaK continues to flow through a NaK/salt heat exchanger tube rupture into the salt. It will produce nitrogen. If there is any water in the salt it will also produce hydrogen. The water that initially flowed into the salt circuit continues to make hydrogen. The gas pressure in the salt circuit now rapidly rises and discharges more salt out the nitrate loop vent via a ball check.
13) There is a NaK dump tank and a salt dump tank for each heat transport circuit. Each dump tank has sufficient volume to accommodate all the NaK or salt in its circuit. If the argon pressure over the NaK dump tank is released the NaK will drain down into its dump tank.
14) If the air pressure over the nitrate salt dump tank is released the nitrate salt will drain down into its dump tank.
15) The NaK loops are vented to above the roof by vents fitted with rupture disks and gravity operated ball check valves. The vents must be sufficiently high that entrained NaK in the exhaust cannot start a roof fire.
16) The NaK dump tanks are normally filled with 0.5 MPa argon. Hence if there is a steam generator tube leak which causes steam formation in the nitrate salt loop the nitrate salt must be drained down into the nitrate salt dump tank.
17) If water enters the nitrate salt and the NaK level and pressure are OK the steam generator water injection is stopped and the steam generator is drained. The object is to minimize the mass of water that can leak into the salt circuit via the steam generator tube failure. As soon as there is some water in the nitrate salt circuit it will become steam which will blow salt out of the salt circuit vent.
18) An important issue is to rapidly drain water out of the steam generator to prevent that water continuing to flow into the nitrate salt via the steam generator heat exchange tube rupture. Steam or super heated water entering the nitrate salt circuit will blow salt out the nitrate loop vents. When water is detected in the nitrate salt circuit we must shut down that steam generator.
19) In order to service the NaK loop the contents of the intermediate heat exchanger must be transferred to the NaK dump tank.
20) After repair the NaK loop must be refilled by application of argon pressure to the NaK drain down tank. The intermediate heat exchange bundle has a thin drain tube connected to its bottom. Then an overhead argon pressure permits draining the liquid NaK from the heat exchange bundle.
21) In summary any significant change in either the NaK level or the NaK loop pressure is indicative of a serious problem with that heat transfer circuit. The NaK level as a function of time in both the expansion tank and the dump tank should indicate the nature of the problem.
22) On a steam generator tube rupture initially water flows from the steam generator into the nitrate salt which almost instantly raises the nitrate loop pressure blowing salt out the vents with ball checks. This transient high pressure should trip the steam generator steam pressure release valve and drain valves and turnoff the steam generator injection water pump. 23) Assume that there is a NaK/salt heat exchange tube failure and that the nitrate loop is not fully drained. A continuing NaK pressure increase will cause the rupture disk to open. Then NaK is expelled from the secondary loop via both the tube failure and via the open rupture disk.

24) A consequence of a NaK/salt heat exchanger tube failure may be NaOH accumulation in elbows at the bottom of the NaK loop. A filter system should be provided that gradually removes NaOH from the NaK loop. This filter should be installed across the induction pump. The NaOH can be periodically dissolved by raising the minimum loop temperature above 318 degrees C and then cooling it in the filter. There still may be a problem with liquid NaOH sinking to the bottom of the secondary loop. It should be expelled via the intermediate heat exchange bundle clean out tube.

25) There must be a valve to the drain that dumps the contents of the nitrate salt loop if the NaK lacks level or pressure and the nitrate salt dump tank is full. Thus lack of NaK level or pressure turns off everything downstream.

The NaK loop normally operates at a pressure of 0.5 MPa. There is a small tendency for NaK to leak at gasketed mechanical joints. Such leaks are potentially dangerous to service personnel. Hot NaK will self ignite in air. One way to suppress these NaK fires is to completely surround the NaK loop with an argon jacket. The jacket must be physically robust enough to reliably withstand squirting hot liquid NaK and must act as a thermal insulator.

Small NaK fires can be extinguished using NaCO3.

FNR Earthquake tolerance issues are detailed on the web page titled: FNR Earthquake Protection

Implementation of Proliferation Resistance

Murphy's Law states that if there is any way for humans to do something wrong sooner or later someone will discover it. FNRs must be engineered to be tolerant of possible human error. To the extent possible FNRs should be designed so that incompetent or irrational human activity cannot cause dangerous prompt neutron criticality.

FNRs rely on fairly complex crane manipulation of fuel bundles during fuel bundle installation and replacement. This crane manipulation is unlikely to be fully automated in the foreseeable future, so this portion of FNR work will likely be subject to potential human error.

In the event that during loading or unloading a fuel bundle is dropped and falls to the bottom of the primary liquid sodium pool the dropped fuel bundle must be immediately retrieved, not ignored or forgotten. The potential danger is a prompt critical condition arising from random overlap of the core fuel of the dropped fuel bundle with the core fuel of another dropped fuel bundle. To minimize such problems the gantry crane used for fuel loading and unloading should be fitted with a safety line to prevent such drops.

It should be assumed that sooner or later humans will make mistakes. A FNR must be designed to enable easy detection and remedy of mistakes. Any mistake that could potentially lead to reactor over heating or dangerous prompt neutron criticality must be obvious to several different individuals long before it can cause a disaster. Ideally any safety procedure that relies on human operator training or skill is open to being done wrong by someone sooner or later.

The concept of walk away safety is that if the appropriate operating and/or maintenance employees are not present or suddenly leave when an adverse circumstance occurs the FNR must always default to a safe condition.

The FNR facility consists of a common central heat source and 8 to 16 independent heat to electricity conversion systems. The heat outputs are connected to supply heat to four independent district heating loops. Each district heating loop has one local cooling tower and three remote cooling towers. In order to provide maximum electricity output in the summer all of the cooling towers must be fully functional. When not in the emergency cooling mode at all times at least one generator and its associated cooling tower and heat transport circuits must be fully functional to remove FNR fission product decay heat.

The FNR facility has multiple independent control systems:
1) Primary sodium Pool:
The primary sodium pool control system operates almost independent of the 8 heat to electricity conversion systems. The primary sodium pool features: a) Normal temperature control;
b) Shutdown system #1;
c) Shutdown system #2;
d) Emergency primary pool cooling.

2) There are 8 to 16 independent heat to electricity conversion systems, each with several dedicated heat transfer circuits and one turbogenerator. There are four on-site cooling towers, each which is connected to two turbo generator halls. Each on-site cooling tower is shared by two isolated quadrants of the district heating system.

NE Heat transport and power systems
Circuit (a)
Circuit (b)
Circuit (c)
Circuit (d)
Circuit (e)
Circuit (f)
Generator (a)
Circuit (g)
Circuit (h)
Circuit (i)
Circuit (j)
Circuit (k)
Circuit (l)
Generator (b)

3) NW Heat transport and power systems:
Circuit (a)
Circuit (b)
Circuit (c)
Circuit (d)
Circuit (e)
Circuit (f)
Generator (a)
Circuit (g)
Circuit (h)
Circuit (i)
Circuit (j)
Circuit (k)
Circuit (l)
Generator (b)

4) SE heat transport and power systems:
Circuit (a)
Circuit (b)
Circuit (c)
Circuit (d)
Circuit (e)
Circuit (f)
Generator (a)
Circuit (g)
Circuit (h)
Circuit (i)
Circuit (j)
Circuit (k)
Circuit (l)
Generator (b)

5) SW heat transport and power systems:
Circuit (a)
Circuit (b)
Circuit (c)
Circuit (d)
Circuit (e)
Circuit (f)
Generator (a)
Circuit (g)
Circuit (h)
Circuit (i)
Circuit (j)
Circuit (k)
Circuit (l)
Generator (b)

In each heat transport circuit if nitrate salt temperature is too low the salt drains to its dump tank.

Event triggering minumum power operation:
Loss of AC grid power

Events triggering a emergency primary sodium pool cooling include:
a) A primary sodium pool temperature high above its setpoint.

b) An imminent fire threat to the primary sodium pool.

Each shutdown state is a default state which is reached automatically without human intervention. In a warm shutdown the primary sodium pool maintains its temperature and the generators keep operating at minimum power. A cool shutdown occurs when a potentially dangerous condition affecting the primary sodium pool is anticipated or detected.

The safety concept is that there must always be enough cooling water stored on the reactor site to safely remove fission product decay heat by evaporation with minimal reliance on electic power. For example, one heat to electricity conversion system can be dedicated to providing station power, which is independent of problems on the external electricity grid.

In the normal autonomous operation mode the entire FNR facility operates automatically. Absent an alarm there is nothing for anyone to do. The output power level is set by remote dispatch. The cooling towers act to regulate the district heating water temperature.

On loss of the external AC grid the generators all disconnect from the grid and revert to local frequency control. That local frequncy is phase locked to either the grid or a time base. Everything continues to operate as normal but the only generator load is the house load. The nitrate salt pumps and local cooling tower wazter pumps continue operating as before.

Loss of Grid AC power means that the remote cooling tower and remote building water cooling pumps will no longer operate. It is necessary to power the local cooling towers off house power so that these local cooling towers continue to function when there is no grid AC power.

Typically each cooling tower has two of everything so that half of the cooling tower equipment is powered by one house power circuit and the other half is powered by the other house power circuit.

Thus on loss of AC grid power the FNR defaults to normal operation using the eight local house power circuits.

If there is loss of water from the district heating system the condensers will not work which implies that the affected generators will not work which leads to loss of two of the eight power systems.

The main reactor does not rely on a continuous supply of city water. However, city water pressure may be required for support services such as flushing toilets, refilling emergency water tanks, etc. so loss of city water pressure is a condition that requires ongoing manual supervision until the condition is fixed.

In normal opertion the house power circuits continue operation after loss of AC grid power.

If there is loss of house power the related cooling tower water pump, NaK pumps and nitrate salt pumps will immediately stop and the nitrate salt drains to its dump tank. Hence that system can no longer remove fission product decay heat.

Each house power system requires heavy duty standby power to restart by melting the nitrate salt in each dump tank and circulating the salt prior to local house power generation. Generally this start power must come from either the AC grid, a large local diesel generator or one of the other house power systems. Thus, if possible we do not want an AC grid failure to precipitate a house power failure. Loss of house power causes salt drain down in all the affected heat transfer circuits. On loss of power to the house power busses the FNR facility must default to a forced cold shutdown.

On a forced cold shutdown the FNR no longer maintains temperature. The movable fuel bundles all fully withdraw. The nitrate salt circuits all drain down to thier dump tanks. If the primary sodium temperature rises above its trip point fission product decay heat is removed from the reactor by the NaK and heat transfer fluid. Natural circulation of the NaK transfers heat from the primary sodium pool to NaK and then heat transfer fluid and then water in the steam generators which heat is vented as steam.

In normal ongoing operation the primary sodium pool monitoring system consumes very little power and is easily battery backed for a long period of time. The primary sodium pool monitoring system does not lose power until long after all eight house power systems have failed. On loss of sodium pool control power the movable fuel bundles remain in their last set position. If there is a credible physical threat to the reactor battery power should be used to withdraw the movable fuel bundles.

The primary sodium pool has a filter pump which is powered from a house power circuit. This filter pump can be off for a long period of time with little negative effect.

However, if the batteries for the primary sodium pool electronics become depleted the reactor must fail to a cool shutdown. These batteries should be charged by grid AC or any operating house power system.

If the primary sodium pool temperature becomes too high it is indicative of net primary sodium heating by fission product decay, which indicates a requirement for more cooling.

In a forced cold shutdown the nitrate salt is already drained to its dump tank. Subject to sufficient NaK presure thermal fluid is used to remove fission product decay heat from the NaK. In the absence of city water pressure there must be an independent reliable source of air pressure sufficient to transfer thermal fluid from an in-ground tank to the top of the NaK/salt heat exchangers.

Note that if the FNR has been operating for a significant lenth of time producing just house power the potential thermal power of the fission products will be low. However, care needs to be taken that emergency cooling water is not wasted.

Reconnection of a house power circuit to the AC grid requires resynchronization. Most such reconnections are manually supervised.

Recovery from a forced cold shutdown requires manual intervention.

If only one heat transport circuit is involved:
Drain down the nitrate salt;
Drain down the NaK.

If only one generator is involved:
Take generator to minimum power;
Disconnect generator from AC grid;
Turn off makeup water to steam generators;
Drain down the six connected nitrate salt circuits;
Drain down the six associated NaK circuits;

If one cooling tower is involved:
Turn off the associated generators, as necessary for safe work.

This web page last updated June 25, 2022

Home Energy Physics Nuclear Power Electricity Climate Change Lighting Control Contacts Links