Preliminary accident analysis of Flexblue ® underwater reactor

Flexblue is a subsea-based, transportable, small modular reactor delivering 160 MWe. Immersion provides the reactor with an infinite heat sink – the ocean – around themetallic hull. The reference design includes a loop-type PWR with two horizontal steam generators. The safety systems are designed to operate passively; safety functions are fulfilled without operator action and external electrical input. Residual heat is removed through four natural circulation loops: two primary heat exchangers immersed in safety tanks cooled by seawater and two emergency condensers immersed in seawater. In case of a primary piping break, a two-train safety injection system is actuated. Each train includes a core makeup tank, an accumulator and a safety tank at low pressure. To assess the capability of these features to remove residual heat, the reactor and its safety systems have been modelled using thermal-hydraulics code ATHLET with conservative assumptions. The results of simulated transients for three typical PWRaccidents are presented: a turbine trip with station blackout, a large break loss of coolant accident and a small break loss of coolant accident. The analyses show that the safety criteria are respected and that the reactor quickly reaches a safe shutdown state without operator action and external power.


Introduction
Flexblue ® is a small modular reactor delivering 160 We to the grid.The power plant is subsea-based (up to 100 m depth and a few kilometres away from the shore) and transportable.It is entirely manufactured in shipyard (no large outdoor activities) and requires neither levelling nor civil engineering work, making the final cost of the output energy competitive.Thanks to these characteristics and its small electrical output, Flexblue ® makes the nuclear energy more accessible for countries where regular large land-based nuclear plants are not adapted, and where fossilfuelled units currently prevail on low-carbon solutions.Immersion provides the reactor with an infinite heat sink the oceanaround the containment boundary, which is a cylindrical metallic hull hosting the nuclear steam supply systems (Tab.1).
Several modules can be gathered into a single seabed production farm and operate simultaneously (Fig. 1).The reactor is meant to operate only when moored on the seabed.Every three years, production stops and the module is emerged and transported back to a coastal refuelling facility, which hosts the fuel pool.This facility can be shared between several Flexblue ® modules and farms.During operation, each module is monitored and possibly controlled from an onshore control centre.Redundant submarine cables convey both information and electricity output to the shore.A complete description of the Flexblue ® concept, including market analysis, regulation and public acceptance, security and environmental aspects, is found in Haratyk et al. [1].The purpose of this paper is to present the first accident analysis of Flexblue ® and to discuss the performance of its innovative passive safety systems.
2 The reactor and its safety features

The reactor
The reactor and all the nuclear systems carrying primary coolant are hosted in one of the four watertight compartments of the module (other compartments host the turbo generator, an onboard control room, I&C control panels, a living area and process auxiliaries) see Figure 2. The reactor compartment boundary forms the third barrier of confinement.The reference design of Flexblue ® includes a looptype pressurized water reactor (PWR), with two horizontal steam generators (SGs) and two motor coolant pumps.This technology enjoys a long experience, both in civil power production and in naval propulsion.Primary loops are designed to ease natural circulation when coolant pumps are turned off: pumps are plugged directly on steam generators outlet in order to eliminate the usual U-shape pipe between SGs and pumps.The reactor core uses classical fuel assembly technology: 17 Â 17 fuel bundles with an enrichment below 5%.Active length of the core is 2.15 m.Reactivity is controlled without soluble boron and only with burnable poison and control rods.This feature is very important because it allows major space savings (no boron tank).The core design is deeply described in [2] (Tab.2).

The safety systems
The safety systems of Flexblue ® are designed in order to operate passively according to the IAEA passivity definition [3].All safety functions are fulfilled without any operator action and external electrical input.The little amount of energy needed for actuation and monitoring is supplied by onboard, redundant, rechargeable emergency batteries featuring two weeks of autonomy.
Chain reaction can be stopped by two diversified devices: the control rods and an emergency boron injection system, which is actuated only in case of anticipated transient without scram (ATWS).Both these devices can independently shut down the reactor and keep it subcritical up to cold shutdown state [2].
Residual heat removal is performed by four cooling loops, each one able to remove 50% of decay heat: two primary chains are connected to the primary circuit: each one includes an inlet pipe connected to a hot leg, a heat exchanger (PPHX) immersed in a large safety water tank, and an outlet pipe connected to a cold leg.The intermediate heat sinks formed by the two safety tanks are cooled by the ocean through the metallic hull; two secondary chains are connected to the secondary circuit: each one includes an inlet pipe connected to a main steam line, an emergency condenser directly immersed in seawater and an outlet pipe connected to a feedwater line.
Thanks to the infinite heat sinkseawaterand to the elevation difference of the heat sink with respect to the heat sources, the four chains operate passively by natural circulation.In normal conditions operation, they are closed by pneumatic valves and open to their fail-safe position when electrical load is lost.The targeted long-term safe state of the reactor is a shutdown state where continuous cooling of the reactor core is achieved by natural circulation (Fig. 3).
Protection against loss of coolant accidents is ensured by two passive safety injection trains.Each one includes a direct vessel injection (DVI) line fed by three injection sources: a core makeup tank (CMT) pressurized by the primary circuit, a classical accumulator pressurized at 50 bar by nitrogen and a large safety tank, which feeds the primary circuit by gravity when primary pressure has decreased to near containment pressure.In addition,    a two-train automatic depressurization system (ADS) is connected to the pressurizer (PZR) and to the hot legs to generate a controlled depressurization of the primary circuit, which enables faster injection.Once these systems have actuated, the long-term equilibrium state is reached when the safety tanks are empty and the reactor compartment is flooded (Fig. 4).At that point, a passive recirculation path is in place: water boils off the core, is released in the containment, condensates on the containment walls, collects in the sump and is injected back into the reactor pressure vessel through sump screens and DVI lines by gravity.Decay heat is transported and removed through the metallic hull.Thanks to the unlimited heat sink (the ocean), grace period is theoretically infinite for both targeted states, which is a breakthrough in nuclear safety.
The two large safety tanks not only play the two roles of intermediate heat sinks and injection sources, but also a third role of suppression poolswhen a leak leads to a quick containment pressurization.They also act as radiation shield to protect workers and systems located in the adjacent compartments.Confinement of the radioactive isotopes is guaranteed by three hermetic barriers: fuel cladding, primary circuit and containment boundary formed by the hull and the compartment walls (Fig. 5).The capability of the containment to reject decay heat to seawater has been investigated by Santinello et al. [4].Results show that the process is satisfactory and enables all decay heat removal.
3 Analysis tool and reactor model

Modelization
Flexblue ® reactor is modelled (see Fig. 6) with ATHLET in accordance with GRS guidelines [5,6].The nodalization of the circuits is performed in order to get both a sufficient accuracy and an acceptable calculation time.Two core channels are modelled: an outer ring and an inner channel where power density is higher.In this latter one, the hot fuel pin is modelled to calculate peak clad and fuel temperatures.The two loops are modelled, as well as all the safety systems with the exception of the emergency boron injection system (failure of scram is not considered in the studied transients).Pressurizer and piping are considered perfectly insulated.The injection sources (tanks and accumulators) are not borated.The active auxiliary systems and the regulations are not modelled.There are three fluid dynamics systems in the model: the primary one (primary circuit and connected systems), the secondary one (secondary circuit and connected systems) and seawater.
The model considers a 2.5-second delay between the scram signal and the full insertion of control rods.Decay heat calculation is based on formulas from Todreas and Kazimi [7], extracted from standards of American Nuclear Society [8], and then conservatively increased by 20% to respect NRC guidelines [9]. Figure 7 presents the considered decay heat for the accident analyses.

Main hypotheses
Reactor core is at 100% of its nominal power (530 MW th ) at the beginning of each transient.The initiating event always leads to a turbine trip (or is the turbine trip itself), which is followed 3 s later by the loss of electrical load.The only electrical sources available are the emergency batteries, which are able to monitor and control the safety systems, and to open or close some valves.The action of other active components and systems is not considered.It is a conservative assumption because the active systems would only have a favourable effect in the performed transients.In a future work, active systems will be modelled to study more transients (for example, active injection should be considered after a steam generator tube rupture).
The opening time of the valves is 2 s with the exception of the ADS valves, which have a longer, preset opening time.Pressurizer and steam generators safety valves setpoints are respectively 171 bar and 83 bar, with a one-second opening time.Even if it is planned to install flow restrictors in the pipes, their effects are not taken into account in the accident analysis, which is a conservative measure.To provide a sufficient core flow when a pump coast down happens, coolant pumps models include a rotating inertia represented in Figure 8: the driving  pressure reaches 50% of the nominal value after 5 s and 0% after 30 s.
The containment pressure is set constant at 1 bar during the transients, so the leak flow is maximized when a break occurs.Heat sink temperature (seawater) is conservatively set at 35 °C.Heat transfer between safety tanks and seawater through the metallic hull is not modelled, which is conservative.None of the steam generators tubes is considered clogged.The detailed design of the Flexblue ® core was not yet available when these analyses have been conducted.As a consequence, the neutronic data of a typical German Konvoi have been used.The conservative nature of these input data is not established.As mentioned in Section 8, core behaviour is to be watched closely with accurate neutronic data when available.Average burn-up is 8.1 GWD/t and maximal burn-up is 45 GWD/t.The actuation logic of emergency signals and passive systems with the treatment delays considered are presented in Table 3.

Turbine trip
The simulated transient starts with a turbine trip that causes a loss of offsite power.

Results
The results are described in Table 4 and Figures 9-13.

Discussion
When turbine trip is triggered, steam and feedwater lines are immediately closed (0.15 s).Reactor scram happens more than 4 s later.During this time interval, primary and secondary pressures strongly increase (Figs. 9 and 10) because core is at full nominal power and heat is not removed to any heat sink.After reactor scram, core power  quickly decreases (Fig. 7) and high pressure in SGs leads to the connection of both emergency condensers (ECs) that transfer almost 16 MW th to seawater in the first minutes of the transient (Fig. 11).Maximum primary conditions are reached at t = 7.3 s (167 bar, 322 °C) and maximum secondary conditions are reached 7 s later (82.7 bar, 298 °C).Both pressurizer pressure and SGs pressure remain lower than their safety valves opening setpoints.
Concerning the boiling crisis risk in this transient, the results provide a minimum departure of nucleate boiling ratio (DNBR) of 3.87 at t = 3 s.Clad surface temperature   does not exceed 400 °C and fuel centreline temperature does not exceed 1350 °C (melting temperature is 2700 °C).Thus, first barrier safety criteria are comfortably respected.However, system code ATHLET is not a very refined code to investigate core thermal-hydraulics.Deeper investigation of core behaviour is needed with a core analysis code (e.g.COBRA -COolant Boiling in Rod Arrays).Eight minutes after turbine trip, the emergency heat removal by the condensers becomes greater than the heat removed by the steam generators, which is already greater than core decay heat.This situation will not change later: starting from this point, the thermal-hydraulic conditions in primary and systems continuously decrease.The critical phase of the transient has passed.Natural circulation is now well established and core is passively cooled.Primary flow is around 200 kg/s.As primary fluid temperature decreases, water density lowers and pressurizer water level falls.At t = 90 min (5400 s), this level reaches the CMTs injection setpoint.
Cold water (50 °C) contained by CMTs flows into the vessel through direct vessel injection lines while hot water from primary circuit fills back the CMTs.This circulation causes a sudden drop of primary pressure and temperature (Figs. 12 and 13).At t = 150 min (9000 s), natural circulation in the CMTs stops and core is once again only cooled by passive exchangers.Cooling is very efficient because CMTs injection signal also leads to passive primary heat exchangers (PPHXs) actuation.PPHXs and ECs remove together 8.5 MW th (Fig. 10), while decay power is around 6.5 MW th at that point.
During the entire simulated transient, void fraction at core outlet is zero.Primary fluid remains monophasic in all the primary circuit and in the CMTswith the exception of the pressurizer where primary fluid is at saturation conditions.Its means that low CMT level signal-which would open the ADSis not close to be actuated.Saturation margin is always greater than 30 °C, and the liquid water in the vessel upper head does not flash.Primary temperature reaches the EPRI criterion for safe shutdown (215 °C [10]) after 100 min, far earlier than the EPRI objective of 24 h.At the end of the simulation (2 h 47 min), primary temperature at core outlet has decreased down to 175 °C.Following the PPHXs actuation, safety tanks have heated up by only 11 °C, demonstrating an important thermal inertia.
Analysis of ATHLET results shows that safety systems of Flexblue ® reactor can handle a turbine trip followed by a station blackout without any operator action.After a tense sequence during the first minutes due to a high core power, the passive cooling systems quickly remove a power greater than decay heat.Safety criteria of the first barrier are fully respected and safety valves of primary and secondary circuits are not challenged.A safe shutdown state is reached in less than 2 h where primary circuit is pressurized and core is durably cooled.This quick cooling raises a concern about the thermo-mechanical stresses in the pressurizer surge line.The adiabatically modelled pressurizer stays quite hot (above 300 °C), so the temperature difference between bottom and top of the surge line is important.A refined model of the pressurizer and a thermo-mechanical study of the surge line are needed to address this concern.

Large break loss of coolant accident
Even if such a break could be excluded by application of the "break preclusion" concept, a double-ended guillotine break of a cold leg (400 mm diameter primary pipe between pump and pressure vessel) is postulated here.

Results
The results are presented in Table 5 and Figures 14-19.

Discussion
The double-ended guillotine break of a reactor primary leg is a very brutal transient.Leak flow reaches immediately 18,500 kg/s and core is entirely uncovered after 4.5 s (Fig. 14), which stops the chain reaction and brings down the fuel centreline temperature (Fig. 15) because of the loss of moderator.Primary pressure drops from 155 bar to 1 bar in 20 s, which triggers the reactor protection signal.It leads to reactor scram, secondary lines isolation and connection of CMTs on DVI lines following the sequence presented in Table 5.But the first injection sources that feed the vessel are the accumulators.Indeed, CMTs pressure (which is equal to primary pressure) is quickly lower than accumulators  pressure (50 bar).At t = 5.5 s, injection starts with a high mass flow (160 kg/s per line, Fig. 16).It stops the vessel water level fall (Fig. 14) and slows down the heat up of the fuel cladding (Fig. 15).Water level is stabilized for 15 s at rod bundles bottom (Fig. 14) so that vapour formation can initiate cooling of the fuel by single-phase gas heat transfer.In the following 50 s, accumulators injection enables the partial replenishment of the core water inventory (Fig. 14).Clad surface temperature reaches a maximum (705 °C) and starts decreasing.Maximum clad oxidation is 0.4% (far below the authorized 17%) and hydrogen generation does not exceed 0.03% of authorized value.First barrier safety criteria are fully respected.During this time interval, primary temperature varies from 100 °C to 300 °C (superheated steam), but eventually falls down to saturation conditions at 100 °C (Fig. 17).
At t = 77 s, accumulators injection stops but CMTs and safety tanks quickly resume injection 20 s later.Liquid level in the core slightly decreases again without any consequence on clad surface temperature.At t = 98 s, CMTs injection starts.Total flow rate is limited (around 20 kg/s) but sufficient to resume vessel reflood.Until t = 13 min, direct vessel injection is dominated by CMTs flow and exhibits wide oscillations between 0 and 30 kg/s per line (Fig. 18).CMTs injection is driven by primary pressure, which is impacted by steam generation and consequently primary flow.This feedback could be the   source of these density-wave oscillations.Low CMTs levels are reached at t = 13 min (780 s) and trigger the automatic depressurization system.The actuation of the ADS three stages does not impact the primary pressurewhich is already very lowbut eases significantly the injection mechanism by opening the hot legs of the loops.The single failure criterion is applied on one of the ADS final stage valves, without significant effect.Safety tanks now dominate the injection and total DVI flow is quite steady during the following hour, from 30 to 23 kg/s per line (Fig. 19).At t = 16 min, core coolant inventory is definitely recovered.Concerning the passive heat exchangers, their actuation is very quick (9 s).Thanks to ECs heat removal, secondary pressure is kept below SG safety valves setpoint and falls to 1 bar in around 30 min.However, ECs and PPHXs play a minor role in this transient; most of decay heat is released to the containment through the break.
At the end of the simulation, liquid level in the vessel is 1 m above the top core, primary pressure is close to 1 bar and primary temperature at core outlet is 88 °C.Void fraction at core outlet oscillates between 5% and 35%.Injection flow is 46 kg/s.The remaining water inventory in the safety tanks enables an 8-h injection at this magnitude.Despite the severity of the transient, these results prove that Flexblue ® passive safety systems can handle a loop double-ended break accident during the first hour and a half, without any operator action and with only emergency batteries as electrical input.Regarding the long-term mitigation of the accident, the expected safe shutdown state is represented in Figure 26.The feed and bleed process slowly floods the containment up to a level where sump natural circulation actuates passively.Steam exiting the core through the ADS is condensed on the hull internal side and comes back down into the sump.Heat is eventually removed by seawater.AP1000 design has already been licensed with a comparable but time-limited strategy [11].A specific study is to be conducted to prove its effectiveness with the Flexblue ® design.

Small break loss of coolant accident
The postulated break is a 10 mm diameter break on one of the two direct vessel injection lines.

Results
The results are described in Table 6 and Figures 20-25.

Discussion
The beginning of the small break transient is quite smooth.Leak mass flow rate does not exceed 18 kg/s.Primary pressure (Fig. 20) goes down to 130 bar within 3 min.Meanwhile, water inventory in the pressurizer counterbalances the leak discharge, so water level in the vessel does not fall (Fig. 21).At t = 188 s and 193 s, low PRZ level and low PRZ pressure safety signals are actuated.They successively trigger reactor scram, coolant pumps stop, CMTs injection, secondary lines isolation and passive heat exchangers actuation (Tab.6).At that time, the loss of coolant is less than 6% of the primary inventory.
Injection of cold water from the CMTs starts (Fig. 22), heat removal by passive exchangers is very efficient (close to 20 MW th at t = 700 s, Fig. 23) and the break removes between 4 and 5 MW th .The combination of these three actions causes a slow decrease of primary temperature (Fig. 24) and quickly brings down primary pressure (Fig. 20).At t = 5 min, primary fluid in the vessel reaches saturation conditions and boiling starts in the core.Void fraction at core outlet remains lower than 20% (Fig. 25), but a vapour bubble appears in the vessel upper head.Circulation in the CMTs is then monophasic: cold water flows to the vessel while hot primary water fills back the tanks.At t = 25 min (1500 s), a flashing occurs in both CMTs upper heads.Vapour phase replaces the liquid phase and CMTs start draining out.Low CMTs levels signal actuates ADS opening at t = 47 min (2820 s).
The opening of the first two stages of ADS (located at PZR top) causes a sudden jump of liquid level in the pressurizer but no liquid water fills up the ADS lines.Meanwhile, core void fraction strongly increases and collapsed liquid level goes down to 1 m below fuel rods top (Fig. 21).This does not significantly affect core cooling because liquid water is still wetting the fuel rods.Primary temperature is decreased by 100 °C within 15 min.Shortly after, the break flow turns into vapour phase.Accumulators injection is very brief (100 s) and is followed by a 3-min pause of DVI flow (Fig. 22).This pause is counter-balanced by the pressurizer draining into the vessel.
At t = 1 h 4 min (3860 s), shortly after the opening of the ADS final stage, primary pressure has finally decreased enough to enable safety tank gravity-driven injection.Reactor vessel is quickly refilled (Fig. 21), and injection flow     is very steady around 23 kg/s through the intact DVI line (Fig. 22).At the end of the simulation, 2 h 47 min after the break, vessel liquid level is 1.3 m above fuel rods top, core void fraction is zero, core outlet temperature is 100 °C and primary pressure is close to 1 bar.These final conditions are very similar to large break LOCA final conditions.The targeted safe state is the same one: a flooded containment with a sump natural circulation passing through the core (see end of Sect.6.2 and Fig. 26).

Conclusion
The purpose of this study was to investigate the capability of Flexblue ® reactor and its passive safety systems to respect safety criteria when typical PWR design-basis accidents occur.The thermal-hydraulics system code ATHLET was used to model the reactor and its safety systems with conservative assumptions.The results of the three chosen transients (turbine trip, large break LOCA and small break LOCA) prove that safety systems are appropriately designed to handle such accidents.The safety criteria are respected with significant margin and the three simulations end on a safe and stable shutdown state.It is worth noting that in the analyses, no credit was taken for operator action or external electrical input.Safe shutdown states are not limited to a given mission time because heat sink around the containment is infinite.The passive safety systems performances and their resilience to extended loss of offsite power constitute a very promising path to enhance nuclear safety.
The analysis also raised some vigilance points that deserve deeper investigations.Firstly, core behaviour is to be watched closely with accurate neutronic data and an appropriate computer code, particularly when coolant flow is suddenly lost at high core power like in the turbine trip transient.This will be possible, thanks to the progress made concerning the Flexblue ® core design [2].Secondly, ATHLET results sometime exhibit oscillations during passive injection and natural circulation.It is crucial to check that instabilities do not jeopardize the fulfilment of the safety functions.Lastly, it will be necessary to study thermo-mechanical stresses during transients, especially in the natural circulation loops and the pressurizer surge line.
In future works, it will be interesting to study the capability of safety systems to handle a steam generator tube rupture, a main steam line break and a feedwater line break.It is also necessary to study containment and reactor coupling during break transients to confirm the pressure suppression system sizing.

3. 1 ATHLET
ATHLET (Analysis of Thermal-Hydraulics of LEaks andTransients) is a thermal-hydraulic system code developed by the German technical safety organization GRS.It is applicable to the analysis of PWR and BWR, and has already been used for the analysis of transients involving horizontal SGs, similar to the ones of Flexblue ® .It is composed of four main calculation modules: thermo-fluid dynamics, heat transfer and heat conduction, neutron kinetics, and control & balance of plant.ATHLET validation work (including for passive systems) is presented in[5].

Fig. 4 .
Fig. 4. Targeted safe state when primary circuit has failed.

Fig. 6 .
Fig. 6.ATHLET model.Dimensions are not representative.The model includes about 200 objects composed of about 1000 control volumes.

Table 5 .
Fig. 14.Water level in the vessel.Grey area represents core zone.

Fig. 21 .
Fig. 21.Water level in the vessel.Grey area represents core zone.
The authors would like to thank GRS for their technical support in the use of ATHLET.The authors are also grateful for the comments and the review provided by other members of Flexblue ® development team.Nomenclature ADS automatic depressurization system ATWS anticipated transient without scram CMT core makeup tank BWR boiling water reactor DNBR departure from nucleate boiling ratio DVI
Fig.3.Targeted safe state when primary circuit is intact.

Table 3 .
Safety signals (conservative delays for actuation).Passive primary cooling actuation CMT injection or high pressurizer level 4 ADS first stage opening CMT injection and low level in both CMTs 20 ADS second stage opening ADS first stage opening 70 ADS final stage opening ADS second stage opening and very low level in both CMTs 250

Table 4 .
Sequence of turbine trip accident.
Steam line and feedwater line isolation 3 s Station blackout.Coolant pumps coast down with their inertia.Minimum DNBR is reached (3.87) 4.6 s Reactor scram actuated by pumps low speed 6 s Emergency condensers are connected to SGs 7.3 s Maximum primary pressure and temperature are reached (167 bar, 322 °C) 14 s Maximum secondary pressure and temperature are reached (83 bar, 298 °C) 8 min Heat removed by ECs becomes greater than heat removed by SGs which is greater than

Table 6 .
Sequence of small break loss of coolant accident.