
Lecture 9

Safety Practices in Chemical and Nuclear Industries
CANDU Safety Functions and Shutdown Systems
Dr. Raghuram Chetty
Department of Chemical Engineering
Indian Institute of Technology Madras
Chennai- 600 036.

Indian Reactors

With the exception of the two Boiling Water Reactor (BWR) units at Tarapur (which is India's first Nuclear Power Plant), all other operating nuclear power plants in India are based on the Pressurized Heavy Water Reactor (PHWR).

The CANDU (CANada Deuterium Uranium) reactor is a Canadian-invented PHWR.

Heavy water reactors are pressurized units that operate on the same basic conventions as PWR. The main difference is the use of deuterium as both:

Moderator and

Coolant

Rationale for selection of PHWR for India


The features of PHWR that favored this choice for India are:

Use of natural uranium as fuel, which obviates the need for developing fuel enrichment facilities.

High neutron economy made possible by use of heavy water as moderator, which means low requirements of natural uranium both for the initial core and for subsequent refueling. Also, fissile plutonium production (required for Stage 2 of the program) is high compared to Light Water Reactors.

Being a pressure-tube reactor, with no high pressure reactor vessel, the required fabrication technologies were within the capability of indigenous industry.

The technology for production of heavy water, required as moderator and coolant in PHWR, was available in the country.

Pressurized Heavy Water Reactor

Courtesy: Google Images


PHWR (Pressurized Heavy Water Reactor) is a Canadian heavy water cooled and moderated reactor, commonly named CANDU.

Fission reactions in the reactor core heat pressurized heavy water in a primary cooling loop.

A heat exchanger, also known as a steam generator, transfers the heat to a light-water secondary cooling loop, which powers a steam turbine with an electrical generator attached to it.

The exhaust steam from the turbines is then condensed and returned as feedwater to the steam generator, often using cooling water from a lake or river.

CANDU Reactor
CANDU is a PHWR
Heavy-water moderator
Natural-uranium dioxide fuel
Pressure-tube reactor

Courtesy: Google Images

Advanced CANDU Reactor (ACR)

Courtesy: Google Images

What is Heavy Water?

Heavy water (D2O) is a compound of an isotope of hydrogen called heavy hydrogen or deuterium (D) and oxygen.

The deuterium makes D2O about 10% heavier than ordinary water.

Heavy water has great similarity in its physical and chemical properties to ordinary/light water (H2O).

Heavy water is an excellent neutron moderator.

Heavy water is used as primary coolant to transport heat generated by the fission reaction to secondary coolant, light water.

CANDU and PWR


Courtesy: Google Images

Differences in Reactor-Core Design


CANDU

Natural-uranium fuel
Heavy-water moderator & coolant
Pressure tubes; calandria not a pressure vessel
Coolant physically separated from moderator
Small/Simple fuel bundle
On-power refuelling
No boron/chemical reactor control in coolant system

PWR

Enriched-uranium fuel
Light-water moderator & coolant
Pressure vessel
No separation of coolant from moderator
Large fuel assembly
Batch (off-power) refuelling
Boron/chemical reactor control in coolant system

Refuelling & Excess Core Reactivity


Courtesy: Google Images

In CANDU, a little bit of fuel is replaced daily. The reactivity change is small. The excess reactivity of the core is always small (except at the very beginning of life, when all the fuel is fresh). This small excess reactivity is continuously compensated by varying the amount of light water in liquid zone-control compartments. The low excess reactivity is a safety feature of the CANDU lattice.

CANDU On-Power Refuelling


On-power refuelling is one of the unique features of the CANDU system. Due to the low excess reactivity of a natural-uranium fuel cycle, the core is designed to be continuously stoked with new fuel, rather than completely changed in a batch process (as in LWR and BWR).

Courtesy: Google Images

Refueling PHWR

PHWRs can be refueled on-line. This photo shows the refueling machine.

New fuel assemblies are added horizontally and the spent fuel assemblies are pushed out to the spent fuel storage area.
Courtesy: Google Images

Fuel-Cycle Safety

Natural uranium or other low-fissile-content fuel ensures that there is no potential for criticality of new or used fuel in air or light water.

No need to ship new fuel in borated steel containers.

No need to borate the Emergency Core Cooling System (ECCS) water.

No need to borate the fuel-bay water.

Simplified irradiated-fuel dry storage.

Fuel Assembly

The fuel assemblies used in the reactor are 0.5 m long, consisting of individual rods
Zircaloy cladding
Fuel pellets consist of uranium dioxide
Fuel burnup in a CANDU is ~20% less than that obtained by many PWR and BWR reactors

Courtesy: Google Images

Example of CANDU Fuel Assembly


Fuel rods

Outer diameter: 13 mm

Wall thickness: 0.42 mm

Diameter pellet: 12.15 mm

Fuel: Natural uranium, sintered to ceramic UO2 pellets

Uranium pellets per rod: 29

Cladding material: Zircaloy 4 (99% Zr, Sn, Fe, Ni)

Example of CANDU Fuel Assembly


Fuel bundle

Length: 495 mm

Diameter: 102.4 mm

Fuel rods per bundle: 28

Weight of bundle: 23 kg

Weight of uranium: 18.5 kg

Fuel bundles per channel: 12

Total number of fuel bundles in core: 4680

CANDU Calandria
Fuel channels

CANDU 6: 380 (CANDU 9: 480)

Fuel bundles: 28 fuel rods

Coolant pressure: 9.9 MPa

Number of primary pumps: 4

Number of steam generators: 4

CANDU Calandria
Calandria: Two concentric, horizontal stainless steel cylinders

Inner cylinder: core tank, diameter 8.04 m, length 5.94 m, heavy water moderator and coolant with 380 channels in CANDU 6

Outer cylinder: shield tank, diameter 8.5 m, length 6 m, holding light water as radiation shield.

Fuel Bundles & Calandria

Courtesy: Google Images

CANDU Internal Structure & Outer Shell

CANDU Shutdown Systems

The shutdown systems are designed to shut down the reactor to prevent a potentially hazardous situation from occurring.

CANDU reactors are controlled by two independent digital computers, both monitoring plant status continuously but only one in control at any time (the other as backup).

To ensure high shutdown reliability, two completely independent and diverse Shutdown Systems (SDS) are provided:
ShutDown System 1 (SDS1)
ShutDown System 2 (SDS2)

Different physical arrangement including reactivity control device and separated from control systems

Shutdown Systems

Both shutdown systems are designed to quickly insert sufficient negative reactivity into the core and reduce the reactor power output to a safe, subcritical, low level.

These special shutdown systems are physically and functionally separate from the process control systems and from each other. Each reactor shutdown system is designed to be fully capable of independently shutting down the reactor when called upon to do so.

The special shutdown systems are designed, built and maintained to a very high quality assurance standard.

These systems are designed to fail-safe so that safety action will always be provided.

Reactor Vessel Assembly

The CANDU reactor consists of the horizontal cylinder called the Calandria

Fuel and coolant tubes run horizontally

Moderator inlet and outlet tubes direct the moderator through the calandria, then to the external heat exchanger for cooling.
Courtesy: Google Images

Shutdown Systems

Reactor shutdown occurs by two independent, fast-acting systems:

SDS 1 consists of cadmium rods (28 in the CANDU-6 design) that drop by gravity into the core

SDS 2 works by high-pressure injection of a liquid poison (gadolinium nitrate or lithium pentaborate solution) into the low-pressure moderator.

Each shutdown system is independently capable of shutting down the reactor safely, based on trip signals received through independent triplicated-logic detector systems.

Courtesy: Google Images

Shutdown System One (SDS1)

This system consists of multiple, stainless steel encased, hollow cadmium rods which drop, under gravity, into the reactor core in the event of a trip.

The rods are an effective and distributed neutron absorber which quickly reduces the reactor power to a safe, subcritical, low level.

These rods are retracted on cables which are connected to a winch via an electromagnetic clutch and are normally suspended out of core in the poised state.

Each individual trip channel can be triggered if any trip parameter for that channel is exceeded.

Shutdown System One (SDS1)

The system must be fail safe so that in the event of an equipment or power failure, the shutdown system will activate and the reactor will be shut down. The general method of achieving this fail-safe condition is to ensure that the shutdown system operates when constituent devices are de-energized. This clutch, when energized, holds the shutdown rod, suspended on its cable, out of the reactor core. This arrangement of relay contacts is known as a triplicated contact set. It ensures that the two out of three requirement for tripping is maintained (2/3 Logic).

Shutdown System Two (SDS2)


SDS2 is similar to SDS1 with the following differences:

Higher trip set points.

The final negative reactivity device.

Operates by injecting a suitable neutron absorbing liquid (poison) into the reactor. The poison chosen is Gadolinium Nitrate.

The system has a two out of three trip circuit using control valves to apply the high pressure injection gas instead of relay contacts.

Shutdown System Two (SDS2)

The valves used are air to close style so that following a loss of instrument air, the valves will fail open and a reactor shutdown (fail safe) will occur.

In the event of a trip, the air supply to the valves is dumped via electrically operated solenoid valves.

If any two of the three pairs of valves open, a flow path will be established allowing the high pressure cover gas to inject the poison into the moderator.

Poison Injection System

The triplicated channels can be activated manually or by such trip parameters as rate log, high neutron power, or high primary heat transport pressure.

The helium storage tank is maintained at approximately 8 MPa.

Trip action requires at least two of the three channels to initiate poison injection.

The poison injection valves will open and apply the stored helium pressure to the gadolinium nitrate in the seven storage tanks.

Poison Injection System

The poison is forced through the seven injection nozzles by the helium pressure so that it is sprayed into the centre of the reactor core.

The poison tanks each contain a polyethylene ball which floats on the surface of the poison. Once the poison is injected, the ball will be forced onto the lower seat in the poison tank which prevents the helium gas from overpressurizing the calandria.

Shutdown systems

Each of the two shutdown systems has sufficient capacity to perform its safety function, i.e. to provide the required negative reactivity rate and depth, assuming a specified number of elements (one or two shutoff rods in Shutdown System-1 or one poison tube/bank of tubes in Shutdown System-2) is inoperable.

The system actuation is fail-safe with respect to power or air failure.

CANDU Reactivity Control


Stainless steel clad cadmium tubes
Cobalt adjuster rods
Boric acid into moderator for fresh fuel only, later on Gadolinium Nitrate used

Moderator dump: The heavy water (D2O) moderator can be dumped by gravity into a storage tank under the reactor vessel. This will stop the fission reaction because the neutrons won't be slowed down.

CANDU Shutdown Systems


                       SDS1                SDS2
Physical Arrangement   Vertical            Horizontal
Trip Mechanism         Control Rods        Liquid Poison
Driving Mechanism      Gravity Force       Hydraulic Pressure
Logic                  2/3 Channel Trip    2/3 Parameter Trip

Triplicated Tripping Logic (or 2/3 Logic)

Any 2 tripped channels will actuate the associated shutdown system.

The triplicated tripping logic reduces the chance of a spurious trip, and allows the testing of the system on-line.

[Figure: Channels D, E and F, with individual detectors in each channel, feed contact pairs D-E, E-F and D-F, leading to SDS1 actuation.]

SDS Design

In order to meet the requirement of continuous availability, each SDS should be designed, operated and maintained to be as close to 100% reliable as possible. The equipment chosen should therefore be of the highest quality with key items triplicated.

Each system, SDS1 and SDS2, consists of three separate and independent channels (Channels D, E and F for SDS1 and Channels G, H and J for SDS2) with a requirement that two of the three channels must exceed the setpoints before a reactor trip is initiated. This removes the possibility of spurious trips causing a reactor shutdown.
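The triplicated trip logic and the de-energize-to-trip rule described in these slides, as an added example that is not part of the original lecture. The parameter names, setpoint values and sample readings are constructed for illustration; only the channel names D, E, F and the 9.9 MPa coolant pressure come from the slides.

```python
from itertools import combinations

# Constructed setpoints for illustration; the lecture gives no numeric trip levels.
SETPOINTS = {
    "neutron_flux_pct": ("high", 110.0),
    "ht_pressure_mpa": ("high", 10.5),
    "sg_level_m": ("low", 1.2),
}

# Constructed "normal" readings (9.9 MPa is the coolant pressure quoted earlier).
NORMAL = {"neutron_flux_pct": 98.0, "ht_pressure_mpa": 9.9, "sg_level_m": 2.0}


def channel_tripped(readings):
    """Return True if the channel is in the tripped state.

    A channel trips when ANY parameter passes its setpoint. Fail-safe rule:
    a de-energized channel (readings is None) or a missing/invalid reading
    counts as tripped, never as healthy.
    """
    if readings is None:
        return True
    for name, (direction, limit) in SETPOINTS.items():
        value = readings.get(name)
        if not isinstance(value, (int, float)) or value != value:  # absent or NaN
            return True
        if direction == "high" and value >= limit:
            return True
        if direction == "low" and value <= limit:
            return True
    return False


def sds_actuates(channels):
    """2-out-of-3 vote over exactly three channels.

    Returns (actuate, tripped_by_channel, closed_pairs); closed_pairs mirrors
    the D-E, E-F and D-F contact pairs of the triplicated contact set.
    """
    if len(channels) != 3:
        raise ValueError("a triplicated system needs exactly three channels")
    tripped = {name: channel_tripped(r) for name, r in channels.items()}
    closed = [p for p in combinations(sorted(tripped), 2)
              if tripped[p[0]] and tripped[p[1]]]
    return bool(closed), tripped, closed


if __name__ == "__main__":
    spurious = dict(NORMAL, neutron_flux_pct=120.0)
    print(sds_actuates({"D": spurious, "E": NORMAL, "F": NORMAL}))  # one channel: no trip
    print(sds_actuates({"D": spurious, "E": NORMAL, "F": None}))    # D high + F dead: trip
```

A single tripped channel, whether spurious or deliberately forced during an on-line test, never actuates the system, while any failure that removes a channel's signal moves the vote toward shutdown rather than away from it.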

SDS Design

The equipment used on shutdown systems is allocated exclusively to reactor shutdown protection and for no other purposes.

In addition, interlocks are provided such that if a shutdown system has been operated, it is not possible to insert any positive reactivity into the reactor core, for example, removal of adjuster rods. This eliminates the possibility of the reactor power increasing while the original fault condition still exists.

Abnormal Operating Conditions

If a single channel trips, the operator must first establish, by instrumentation inspection, whether the trip was genuine or due to equipment malfunction or noise.

In the event of a genuine trip due to a transient condition occurring on just one channel (e.g., during refuelling) the channel may be reset after the transient has subsided.

If the trip was the result of equipment failure, the channel must be rejected, the necessary approval for maintenance must be obtained, and the work carried out.

Abnormal Operating Conditions

In the event of a complete reactor trip, it is first necessary for the operator to establish, from the instrumentation and read-out devices, the cause of the trip.

The operator must then decide whether it is possible to diagnose and clear the fault within thirty minutes and thus be able to restore criticality before poisoning out.

Abnormal Operating Conditions (contd)

If a shutdown rod becomes trapped in the core (say, after a faulty marginal drop test), this condition will be indicated by the appropriate shutdown rod position meter. Severe local flux distortions will result. These local negative reactivity excursions may be partially corrected by other reactivity devices (e.g., adjuster rods and liquid zone level adjustment). However, the reactor power output must be reduced to avoid local fuel overheating and possible fuel failure.

Abnormal Operating Conditions (contd)

When operating with the heat transport system at reduced pressure, the heat transport system could boil if the pressure is allowed to fall too low. This will result in cavitation of the main coolant pumps and a low flow condition may develop which could cause a conditional trip.

If boiling were allowed to persist, voiding in the fuel channels could occur. This condition would cause the reactivity to increase which could also trigger a neutron trip.

Typical Trip System Parameters


The trip parameter and trip level are selected by safety analysis to ensure that the fuel temperature limits are not exceeded. The parameters will trip with an adequate margin to the analyzed safety limit to ensure continual safe performance.

Neutronics
1. Neutron Flux Level High - reactor power level is too high
2. Neutron Rate Log (Rate of Change of Logarithmic Power High) - rate of change in power is too fast.

Typical Trip System Parameters


Process
3. Steam Generator Level Low - impending loss of principal heat sink
4. Feedwater Line Pressure Low - impending loss of principal heat sink
5. Pressurizer Level Low - unexpected low heat transport inventory
6. Heat Transport Pressure High - energy mismatch, reactor power too high

Typical Trip System Parameters (contd)


7. Heat Transport Pressure Low - impending heat transfer problems, boiling & cavitation
8. Heat Transport System Gross Flow Low - impending heat transfer problems
9. Reactor Building Pressure High - possible hot fluid leak in containment or loss of vacuum
10. Moderator Level Low - possible overrating of those channels still moderated
11. Moderator Temperature High - lower sub-cooling margin for moderator.

Manual
12. Manual Channelized (i.e. D, E & F) Trip Pushbuttons (with common or individual capability).

Shutdown System

The complete loss of electrical power to either shutdown system will result in a reactor trip.

Loss of air to the control valves for Shutdown System 2 will result in a reactor trip.

Operation of SDS2 will automatically result in a poisoning out of the reactor.

Both shutdown systems are designed to be FAIL-SAFE.

If the plant is to be in an operational state, the reactor protective system must be in a poised state in order to provide safety action at all times.

Safety Functions and Associated Systems

Other safety features


1. Manual Backup

2. Identification and Tagging

Safety systems equipment and its interconnections shall be suitably identified, e.g., by tagging or color-coding, to differentiate this system from other plant systems.

In addition, within safety systems, redundant channels/devices shall be suitably identified to reduce the likelihood of inadvertent maintenance, test, repair or calibration on an incorrect channel.

3. Control of Access to Safety Systems Equipment

Access to equipment of the safety systems shall be appropriately limited, bearing in mind the need to prevent both unauthorised access and the possibility of error by authorised personnel.

Auxiliary Power Supply

The auxiliary power supply (both electrical and controls) is divided into two redundant groups. Each of these groups is divided into safety related and non-safety related.

Redundant groups of safety related equipment are separated from one another by fire barriers of appropriate rating.

Physical and electrical isolation is provided between safety related and non-safety related systems.

A supplementary control room, in addition to the main control room, is provided which can be used to perform essential safety functions in case of the main control room becoming unavailable.

The sensors, power supply and controls of the supplementary control room are independent of the main control room.
