Sniffing out the danger
16 August 2016
Crucial to the public acceptance of nuclear power is the confidence that, come what may, reactor safety is secure. The last line of defence of reactor safety is the ability to swiftly shut down a reactor when a catastrophic failure has occurred. David Flin looks at the evolution of monitoring equipment and the latest offerings.
Delta Controls has supplied pressure, temperature and flow instrumentation into the nuclear industry for over 55 years. The company goes back as far as Calder Hall at the UK’s Sellafield site – one of the world’s oldest reactors, which was connected to the grid in August 1956.
Standards for such equipment have evolved over the years, and the manner in which they have been applied has changed. In the early days of nuclear power, standards were determined by national governments and by the developers of individual plants. National and international standards have since been developed, and have become the basis for meeting the requirements of national and international regulators.
A fundamental principle of nuclear power plant operation is that the operator company is responsible for safety and the national regulator is responsible for ensuring the plants are operated safely by the licensee. Another important consideration is that the regulator’s mission is to protect people and the environment.
Consequently, the plant operator is responsible for safety shutdown systems, and applies their safety requirements to equipment and procedures. For its part, the national regulator is responsible for ensuring the plant operator carries out these functions, applying basic criteria for plant operation.
Design certification is the responsibility of national regulators and there are varying degrees of international collaboration among these. Together, or separately, they have developed a number of sets of codes and standards related to quality and safety that are internationally applied.
The standards are constantly under review and being updated. A trend in the UK is to move towards so-called “functional safety standards” based on existing practice in IEC 61508. This means that failure modes and risk of failure are designed out, particularly where electronics and firmware are used.
In common practice, following incidents or accidents at nuclear reactors, reviews will inform regulators and operators of the improvements needed in areas where failures occurred. They will also provide detail on the root causes addressed and on changes recommended or mandated. For example, after the Fukushima incident there were a number of reviews of standards. The result was that plants had to withstand higher levels of seismic load and more radiation exposure. This was especially the case with regard to safety systems and the event of loss of coolant accidents (LOCAs). This meant that, for some plants, the instrument products have had to be re-qualified.
Requirements of safety shutdown systems
The three primary objectives of nuclear reactor safety systems are defined by the US Nuclear Regulatory Commission as: to shut down the reactor; to maintain it in a shutdown condition; and to prevent the release of radioactive material. In order to achieve a safe shutdown, the instruments detecting the conditions that indicate that a catastrophic failure is taking place have to be reliable, accurate and quick acting.
It is not uncommon for a number of different types of instrument to be used to detect catastrophic failure. These may include the measurement of radiation, humidity, temperature and pressure. A plant will typically use several methods and will make use of a large number of locations for the sensors. This is to prevent false positive and false negative readings.
Delta’s DPS and FRATS have been used, for example, for many years in the various nuclear plants in Sweden. The DPS is used to detect rapid changes in ambient pressure within the containment where the primary circuit is housed. This is done by throttling or slowing the low-pressure input via a small pressure vessel or tank such that the rate of change of pressure is slower than it is through the high-pressure input. A sudden change in pressure – due to a high pressure line break event for example – is detected by the high pressure side of the DPS sensor sooner than the low pressure side and the switch is activated. Normal changes in ambient pressure do not activate the switch, as both sides of the sensing diaphragm experience the pressure change simultaneously.
Delta Controls’ FRATS are used within the containment as well as in the balance of the nuclear island and in the balance of plant, where their function is to detect abnormal rises in temperature.
DPS working principles
A DPS operates by connecting two different pressures across a sensing diaphragm. The pressure difference creates a force which overcomes that of a pre-tensioned spring, and in the process moves a balancing arm or mechanism to produce the movement required to activate the micro-switch(es) of the switch. High and low pressures are applied on either side of the sensing diaphragm. This design helps to eliminate errors due to a difference in area, which is a common problem in twin-element pressure-differential switches.
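The rate-of-change behaviour described above (a throttled low-pressure port, a directly connected high-pressure port and a spring setpoint) can be reproduced with a first-order lag model. This is an added example, not Delta Controls' design data: the time constant, setpoint and both pressure profiles are assumed values chosen for illustration.

```python
# Added illustration: first-order lag model of a rate-of-rise differential pressure switch.
# TAU_S, SETPOINT_KPA and both pressure profiles are assumed values, not vendor data.

TAU_S = 5.0          # assumed time constant of the restrictor + tank on the low-pressure port
SETPOINT_KPA = 2.0   # assumed differential needed to overcome the pre-tensioned spring
DT_S = 0.01          # integration step in seconds


def simulate(ambient_kpa, duration_s, tau_s=TAU_S, setpoint_kpa=SETPOINT_KPA, dt=DT_S):
    """Return (trip_time_s or None, peak_differential_kpa) for a pressure profile ambient_kpa(t)."""
    p_low = ambient_kpa(0.0)      # tank starts equalised with ambient
    peak = 0.0
    trip_time = None
    for i in range(1, int(round(duration_s / dt)) + 1):
        t = i * dt
        p_high = ambient_kpa(t)                    # high port follows ambient directly
        p_low += (p_high - p_low) * dt / tau_s     # throttled port lags behind
        dp = p_high - p_low                        # force across the sensing diaphragm
        peak = max(peak, dp)
        if trip_time is None and dp >= setpoint_kpa:
            trip_time = t
    return trip_time, peak


def slow_drift(t):
    """Constructed profile: weather-like drift of 1 kPa over one hour."""
    return 101.3 + 1.0 * t / 3600.0


def line_break(t):
    """Constructed profile: steady, then a 20 kPa rise over 0.5 s starting at t = 10 s."""
    if t < 10.0:
        return 101.3
    return 101.3 + 20.0 * min((t - 10.0) / 0.5, 1.0)


if __name__ == "__main__":
    print("slow drift:", simulate(slow_drift, 3600.0))
    print("line break:", simulate(line_break, 60.0))
```

In this model the slow drift never produces more than a few pascals across the diaphragm, while the sudden rise trips the switch within a fraction of a second.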
Reliability is key for these sensors. They have to be robust, certain to operate, and give accurate results, despite being subject to challenging conditions. What is more, they have to be able to reliably operate for 40-year lifespans.
Because it is vital that safety shutdown equipment operates reliably when required, despite long periods when there is no requirement for activation, Dr Chris Webborn, sales director at Delta Controls, says that a reputation for reliability is crucial for companies operating in this area. Checking and maintaining equipment once installed can be problematic, and it has to operate when required. Consequently, there must be robust protocols in place to ensure that products are thoroughly tested.
The testing process
In order for these products to be used in these applications, rigorous product testing has to be undertaken. Testing typically involves thermally and radiation ageing the product to simulate its end of life condition before subjecting the products to vibration testing, radiation testing, earthquake simulations, and finally a loss of coolant simulation – a test involving exposing the products to high temperature steam and high pressure inside an autoclave. The idea of the tests is to prove that the products will perform within specification before, during and after any breach in the structural integrity of the nuclear steam supply system.
Webborn said the testing process is a lengthy one because of the need to artificially age the switches to meet the worst-case conditions that they will face. The process can take many weeks, potentially up to 12 months. The company works with operators to approve testing procedures.
The ageing processes
As standards change the precise values for testing products can vary, but the following is an example of the testing undertaken by Delta Controls to meet one of their customer’s requirements.
The DP switches have been thermally aged at 122°C for 1053 hours to simulate an end-of-life condition after 20 years. This accelerated ageing is based on the Arrhenius model, using the lowest activation energy of the non-metallic materials used in construction.
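The Arrhenius calculation behind such an ageing schedule, as an added example that is not from Delta Controls: it shows why the material with the lowest activation energy sets the oven time, and which service temperature the quoted 122°C / 1053 hour / 20 year figures would imply. The activation energies, material names and the 50°C service temperature are assumptions, since the article does not state them.

```python
import math

K_B_EV = 8.617333262e-5   # Boltzmann constant in eV/K
HOURS_PER_YEAR = 8760.0   # assumption: 365-day years


def kelvin(celsius):
    return celsius + 273.15


def acceleration_factor(ea_ev, use_c, test_c):
    """Arrhenius ratio of the ageing rate at test temperature to the rate at service temperature."""
    return math.exp(ea_ev / K_B_EV * (1.0 / kelvin(use_c) - 1.0 / kelvin(test_c)))


def required_hours(ea_ev, use_c, test_c, life_years):
    """Oven time at test_c equivalent to life_years of service at use_c."""
    return life_years * HOURS_PER_YEAR / acceleration_factor(ea_ev, use_c, test_c)


def implied_service_temp_c(ea_ev, test_c=122.0, test_h=1053.0, life_years=20.0):
    """Service temperature for which the article's schedule equals the stated life."""
    af = life_years * HOURS_PER_YEAR / test_h
    inv_t_use = 1.0 / kelvin(test_c) + math.log(af) * K_B_EV / ea_ev
    return 1.0 / inv_t_use - 273.15


def governing_material(materials, use_c, test_c, life_years):
    """Return (name, hours) of the material that needs the longest oven time."""
    hours = {name: required_hours(ea, use_c, test_c, life_years)
             for name, ea in materials.items()}
    name = max(hours, key=hours.get)
    return name, hours[name]


# Constructed activation energies in eV; real values come from material test data.
ASSUMED_MATERIALS = {"material A": 0.8, "material B": 1.0, "material C": 1.2}

if __name__ == "__main__":
    print(governing_material(ASSUMED_MATERIALS, 50.0, 122.0, 20.0))
    for name, ea in ASSUMED_MATERIALS.items():
        print(name, round(implied_service_temp_c(ea), 1), "degC implied service temperature")
```

A lower activation energy gives a smaller acceleration factor, so ageing to the lowest value over-ages every other material in the assembly.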
In addition, a number of switches undergoing the testing procedures are exposed to a total integrated dose (TID) of 17.82MRads at a rate of 0.25MRads/hr using cobalt 60 gamma rays to achieve the end-of-life condition expected after being exposed to both normal and accident conditions. Other switches are exposed to a TID of 27.5MRads.
The switches are cycled a minimum of 1000 times, actuating the switches for 15 seconds, then de-actuating them for a further 15 seconds, while monitoring and recording the current across a precision resistor throughout the test to ensure correct operation. This is to mechanically age the product by simulating the typical number of actuations over a 20-year period for a specific alarm application.
In separate test programmes, Delta has seismically tested its products using the random multi-frequency (RMF) test requirements of Standard IEEE 344-1075/1987. In addition the products were also subjected to tri-axial RMF test levels as defined in the RCC-E Code.
Following the ageing programme and the seismic tests, Delta Controls then subjects its products to a High Energy Line Break (HELB)/LOCA simulation. The switches were exposed to superheated steam at 173°C and 550 kPa for three hours, and to saturated steam at 160°C for six hours and at 120°C for 24 hours.
These tests demonstrated that having achieved a simulated end of life condition the products were able to function to their design requirements.
Standards will inevitably change over the years and product development aims to exceed these requirements. Seismic testing represents the seismic conditions of the individual sites. There may be an increase in the levels of radiation that the products must be able to withstand. Developments in products in the near- to medium-term future will therefore be focusing on ensuring that products retain and improve their robust nature.
Webborn said that development of products is cautious and tends to involve taking existing products and redeveloping them in a very structured format.
A trend in the UK in recent years has seen the requirement for the older existing products to undergo an EMPHASIS assessment of the development process.
The EMPHASIS method assesses a device’s compliance with the IEC 61508 Functional Safety standard, along with other requirements specific to the UK nuclear industry. It provides the end user with confidence that the firmware or software in these devices meets the required good practice levels of design, testing and production to achieve the integrity levels needed for project applications and to reduce the risk of systematic failures.
In some cases, particularly those involving firmware, the products need to be redeveloped to ensure the functional safety principles defined in IEC 61508 are followed, the aim being to reduce risk in the design phase rather than relying purely on a testing-based qualification.
Given the nature of such products, and the need to ensure that they can operate reliably for the lifetime of a nuclear plant – typically 40 years – under challenging conditions, it is likely that there will be only modest and cautious developments in the near term.