The Design Basis Accident (DBA) for a nuclear power plant is the most severe possible single accident that the designers of the plant and the regulatory authorities could reasonably expect. It is also, by definition, the accident the safety systems of the reactor are designed to respond to successfully, even if it occurs when the reactor is in its most vulnerable state. The DBA for the BWR consists of the total rupture of a large coolant pipe in the location that is considered to place the reactor in the most danger of harm. Specifically, for older BWRs (BWR/1-BWR/6), the DBA consists of a "guillotine break" in the coolant loop of one of the recirculation jet pumps, which is substantially below the core waterline (LBLOCA, large break loss of coolant accident), combined with loss of feedwater to make up for the water boiled in the reactor (LOFW, loss of proper feedwater), combined with a simultaneous collapse of the regional power grid, resulting in a loss of power to certain reactor emergency systems (LOOP, loss of offsite power). The BWR is designed to shrug this accident off without core damage.

The description of this accident is applicable for the BWR/4, which is the oldest model of BWR in common service.

The immediate result of such a break (call it time T+0) would be a pressurized stream of water well above the boiling point shooting out of the broken pipe into the drywell, which is at atmospheric pressure. As this water stream flashes into steam, because of the decrease in pressure and because it is above the boiling point of water at normal atmospheric pressure, the pressure sensors within the drywell will report a pressure increase anomaly to the reactor protection system (RPS) at latest T+0.3. The RPS will interpret this pressure increase signal, correctly, as the sign of a break in a pipe within the drywell. As a result, the RPS immediately initiates a full SCRAM, closes the main steam isolation valve (isolating the containment building), trips the turbines, attempts to begin the spinup of RCIC and HPCI using residual steam, and starts the diesel pumps for LPCI and CS.

Now let us assume that the power outage hits at T+0.5. The RPS is on a float uninterruptible power supply, so it continues to function; its sensors, however, are not, and thus the RPS assumes that they are all detecting emergency conditions. Within less than a second from power outage, auxiliary batteries and compressed air supplies are starting the Emergency Diesel Generators. Power will be restored by T+25 seconds.

Let us return to the reactor core. Due to the closure of the MSIV (complete by T+2), a wave of backpressure will hit the rapidly depressurizing RPV, but this is immaterial, as the depressurization due to the recirculation line break is so rapid and complete that no steam voids will likely collapse to liquid water. HPCI and RCIC will fail due to loss of steam pressure in the general depressurization, but this is again immaterial, as the 2,000 L/min (600 US gal/min) flow rate of RCIC available after T+5 is insufficient to maintain the water level; nor would the 19,000 L/min (5,000 US gal/min) flow of HPCI, available at T+10, be enough to maintain the water level, if it could work without steam. At T+10, the temperature of the reactor core, at approximately 285 °C (550 °F) at and before this point, begins to rise as enough coolant has been lost from the core that voids begin to form in the coolant between the fuel rods and they begin to heat rapidly. By T+12 seconds from the accident start, fuel rod uncovery begins. At approximately T+18, areas in the rods have reached 540 °C (1000 °F). Some relief comes at T+20 or so, as the negative temperature coefficient and the negative void coefficient slow the rate of temperature increase. T+25 sees power restored; however, LPCI and CS will not be online until T+40.

At T+40, core temperature is at 650 °C (1200 °F) and rising steadily; CS and LPCI kick in and begin deluging the steam above the core, and then the core itself. A large amount of steam still trapped above and within the core has to be knocked down first, or the water will flash to steam before it hits the rods. This happens after a few seconds, as the approximately 200,000 L/min (3,300 L/s, 52,500 US gal/min, 875 US gal/s) of water these systems release begins to cool first the top of the core, with LPCI deluging the fuel rods and CS suppressing the generated steam, until at approximately T+100 seconds all of the fuel is subject to deluge and the last remaining hot spots at the bottom of the core are being cooled. The peak temperature attained was 900 °C (1650 °F), well below the maximum of 1200 °C (2200 °F) established by the NRC, at the bottom of the core, which was the last hot spot to be affected by the water deluge.

The core is cooled rapidly and completely, and following cooling to a reasonable temperature, below that consistent with the generation of steam, CS is shut down and LPCI is decreased in volume to a level consistent with maintenance of a steady-state temperature among the fuel rods, which will drop over a period of days due to the decrease in fission-product decay heat within the core.

After a few days of LPCI, decay heat will have abated to the point that defueling of the reactor is able to commence with a degree of caution. Following defueling, LPCI can be shut down. A long period of physical repairs will be necessary to repair the broken recirculation loop; overhaul the ECCS, diesel pumps, and diesel generators; drain the drywell; fully inspect all reactor systems; bring non-conformal systems up to spec; replace old and worn parts; etc. At the same time, different personnel from the licensee, working hand in hand with the NRC, will evaluate what the immediate cause of the break was; search for what event led to the immediate cause of the break (the root causes of the accident); and then analyze the root causes and take corrective actions based on the root causes and immediate causes discovered. This is followed by a period to generally reflect on and post-mortem the accident; discuss what procedures worked, what procedures didn't, and, if it all happened again, what could have been done better and what could be done to ensure it doesn't happen again; and record lessons learned to propagate them to other BWR licensees. When this is accomplished, the reactor can be refueled, resume operations, and begin producing power once more.

The ABWR and ESBWR, the most recent models of the BWR, are not vulnerable to anything like this incident in the first place, as they have no liquid penetrations (pipes) lower than several feet above the waterline of the core, and thus, the reactor pressure vessel holds in water much like a deep swimming pool in the event of a feedwater line break or a steam line break. The BWR 5s and 6s have additional tolerance, deeper water levels, and much faster emergency system reaction times. Fuel rod uncovery will briefly take place, but maximum temperature will only reach 600 °C (1,100 °F), far below the NRC safety limit.

Prior to the incidents at the Fukushima Daiichi reactor complex (involving BWR 3 and BWR 4 reactors) caused by the March 2011 Tōhoku earthquake and tsunami, no incident approaching the DBA or even a LBLOCA in severity had occurred with a BWR. The Fukushima incidents are still ongoing and it would be premature to draw conclusions on their ultimate severity, but they already exceed the severity of the DBA in several respects. For example, the primary containment vessels have had to be flooded with seawater containing boric acid, which is likely to preclude any resumption of operation. Nothing similar to the chemical explosions that have occurred at the Fukushima Daiichi reactors was anticipated in the DBA scenario.

Before this incident there had been minor incidents involving the ECCS, but in these circumstances it had performed at or beyond expectations. The most severe incident that had previously occurred with a BWR was in 1975 due to a fire caused by extremely flammable urethane foam installed in the place of fireproofing materials at the Browns Ferry Nuclear Power Plant; for a short time, the control room's monitoring equipment was cut off from the reactor, but the reactor shut down successfully, and, as of 2009, is still producing power for the Tennessee Valley Authority, having sustained no damage to systems within the containment. The fire had nothing to do with the design of the BWR – it could have occurred in any power plant, and the lessons learned from that incident resulted in the creation of a separate backup control station, compartmentalization of the power plant into fire zones, and clearly documented sets of equipment which would be available to shut down the reactor plant and maintain it in a safe condition in the event of a worst-case fire in any one fire zone. These changes were retrofitted into every existing US and most Western nuclear power plants and built into new plants from that point forth.
