Reliability comparison of computer based core temperature monitoring system with two and three thermocouples per sub-assembly for Fast Breeder Reactors

Abstract

Prototype Fast Breeder Reactor (PFBR) is a mixed oxide fuelled, sodium cooled, 500 MWe, pool type fast breeder reactor under construction at Kalpakkam, India. The reactor core consists of fuel pins assembled in a number of hexagonal shaped, vertically stacked SubAssemblies (SA). Sodium flows from the bottom of the SAs, takes heat from the fission reaction, comes out through the top. Reactor protection systems are provided to trip the reactor in case of design basis events which may cause the safety parameters (like clad, fuel and coolant temperature) to cross their limits. Computer based Core temperature monitoring system (CTMS) is one of the protection systems. CTMS for PFBR has two thermocouples (TC) at the outlet of each SA(other than central SA) to measure coolant outlet temperature, three TC at central SA outlet and six thermocouples to measure coolant inlet temperature. Each thermocouple at SA outlet is electronically triplicated and fed to three computer systems for further processing and generate reactor trip signal whenever necessary. Since the system has two sensors per SA and three processing units the redundancy provided is not independent. A study is done to analyze the reliability implications of providing three thermocouples at the outlet of each SA and thereby feed independent thermocouple signals to three computer systems. Failure data derived from fast reactor experiences and from reliability prediction methods provided by handbooks are used. Fault trees are built for the existing CTMS system with two TC per SA and for the proposed system with three TC per SA. Failure probability upon demand and spurious trip rates are estimated as reliability indicators. Since the computer systems have software intelligence to sense invalid field inputs, not all sensor failures would directly affect the system probability to fail upon a demand. For instance, the coolant outlet temperature cannot be lower than the coolant inlet temperature. This intelligence is taken into account by assuming different “fault coverage percentage” and comparing the results. A 100% fault coverage means the software algorithm could detect all of the possible thermocouple faults. It was found that the system probability to fail upon demand is reduced in the new independent system but the spurious trip rate is slightly worse. The diagnostic capability is marginally affected due to complete independence. The paper highlights how an intelligent computer based safety system poses difficulties in modeling and the checks and balances between an interlinked and independent redundancy.