After Fukushima, any Station Blackout capability reviews must be carried out with diligence and integrity beyond any reasonable doubt. This is especially true for nuclear reactors that did not consider a sustained loss of AC power and severe accidents in their original design basis. Integrity of the engineered barriers to release of activity must be demonstrated to showcase the extension of defense in depth to a Station Blackout and reasonable provisions for effective interventions. An important aspect of nuclear reactor heat transport system pressure boundary integrity is the ability of its over-pressure protection system to meet the challenges upon a sustained loss of AC power.

The primary heat transport systems in water cooled nuclear power reactors have at least two passive safety relief valves so that at least one is available to act with the generally mandated consideration of a single failure. Design criteria for these relief valves vary but their steam relief capacity, reliability and performance must conform to the relevant ASME code or equivalent requirements. A typical PWR of about 3000 MW thermal power may usually have 3–5 such valves able to relieve up to ∼200 kg/s of steam, which may be about an order of magnitude higher than required. A typical single unit CANDU reactor, on the other hand, has about 30% less thermal power but only 2 such safety relief valves with a combined steam relief capacity of about 4 kg/s or about 4 MW of thermal power equivalent at the relief set-point and a time when the decay power is ∼20 MW. Installation of these valves in a CANDU reactor is also atypical: they do not provide a direct and unobstructed path from the heat transport system but are installed downstream of another series of isolating Liquid Relief Valves, which empty into a small, unpressurized degasser condenser vessel downstream of which the safety relief valves are mounted.

These valves become critical when there is a sustained loss/depletion of engineered heat removal systems following multiple failures as in Fukushima. An unmitigated increase in heat transport pressure and a consequential breach in the pressure boundary become inevitable if the core decay heat exceeds the safety valve steam relief capacity. If the ensuing failure is in the boiler tubes, a containment bypass and release of activity into the atmosphere is possible.

The present design of the CANDU reactor Primary Heat Transport system does not seem to allow the anticipated energy relief through the safety relief valves following a sustained loss of all engineered heat sinks. This may result in uncontrolled primary heat transport system pressurization and a potential for boiler tube ruptures such that activity releases bypass the containment and expose the population to dangerously high radiation well before any evacuation. If the valves are to conform to the requirements of the ASME codes under early stages of a loss of heat sinks scenario just as they must for design basis accidents (energy relief capacity greater than the heat load), it may seem that many clauses of the applicable ASME code sections for the subject valves are violated in abundance and with impunity.

A containment bypass resulting from boiler tube failure caused by the faulty overpressure protection can cause a high number of fatalities, with astronomical economic consequences, especially after the fuel begins to overheat. Such a containment bypass is considered to present the highest risk to the public. The probability of a sustained loss of heat sinks is not insignificant and the overall risk is yet to be quantified for all instigators for any CANDU power plant. The national regulators have not required that utilities do so in a timely manner and as a condition of the operating license.

The paper examines the CANDU safety relief valve design criteria, lists design challenges and potential consequences during a station blackout severe accident scenario that could be well mitigated by an otherwise robust design.
