Nuclear Technology / Volume 199 / Number 1 / July 2017 / Pages 16-34
Technical Paper / dx.doi.org/10.1080/00295450.2017.1326783
Advanced reactors are often claimed to be passively safe against unprotected upset events. In common practice, these events are not considered in the context of the plant control system, i.e., the reactor is subjected to classes of unprotected upset events while the normally programmed response of the control system is assumed not to be present. However, this approach constitutes an oversimplification since, depending on the upset involving the control system, an actuator does not necessarily go in the same direction as needed for safety. In this work, dynamic simulations are performed to assess the degree to which the inherent self-regulating plant response is safe from active control system override. The simulations are meant to characterize the resilience of the plant to unprotected initiators. The initiators were represented and modeled as an actuator going to a hard limit. Consideration of failure is further limited to individual controllers, as there is no cross-connect of signals between these controllers. The potential for passive safety override by the control system is then relegated to the single-input single-output controllers. The results show that, when the plant control system is designed by taking into account and quantifying the impact of the plant control system on accidental scenarios, there is very limited opportunity for the preprogrammed response of the control system to override passive safety protection in the event of an unprotected initiator.