LWRs require the capability to cool down following reactor shutdown to provide for system maintenance and refueling operations. Under normal operation, current large PWRs cool down in two stages. Initially, the secondary system will be used to remove heat from the primary by dumping steam to the condenser via the turbine bypass system until the system temperature will no longer support sufficient boiling. At that point a forced-flow residual heat removal (RHR) system will remove reactor decay heat using a heat exchanger cooled by forced-flow safety-related component cooling water (CCW) system. In turn, the CCW is cooled by the safety-related forced flow plant service water system. The RHR system is not designed to operate at the temperature and pressure required at the start of the plant cool down, necessitating the two-step process.

In the event of a loss-of-offsite power, current large PWRs employ a diverse auxiliary feedwater (AFW) system using steam-driven, diesel-driven, or motor-driven (backed by a safety AC bus) feedwater pumps. The AFW pumps draw water from a large condensate storage tank to provide water for the continued generation of steam. Steam is dumped to the atmosphere, allowing the continued removal of decay heat from the primary. At the point where insufficient steam is generated, the RHR system and related support systems, all supported by a safety AC bus, will continue the plant cool-down to cold standby.

All iPWR designs will likely plan to use the secondary system to initially remove decay heat under normal operating conditions. Some designs may then plan to use a non-safety-related forced-flow RHR system to take over when steam is insufficient for heat removal during normal operations. However, unlike the large PWR designs, all iPWR designs will employ a passive decay heat removal system capable of removing the maximum core decay heat generation following a reactor trip. Heat will be rejected to large plant water tanks capable of removing heat for 72 hours or more without refill to make-up for boil off. As a result, no diesel-backed safety AC bus is required to support forced-flow RHR, CCW or service water heat removal systems in iPWR designs. Water from a tanker truck can supply additional cooling water beyond the initial 72 hours.

Many new reactor designs, and especially SMRs, are still in the conceptual or preliminary design phase and typically very little information for HSI design and device selection is available early in the project life cycle. Nevertheless, it is possible to generalise the characteristics of much of HSI technology that would be used in advanced NPPs. This is not so much because of similarities in new designs, but rather because of the state-of-the-art in HSI technology. In the past there was a certain degree of customisation of instruments and controls (I&C) for specific control rooms, but this customisation was more in the layout of the control room and the control boards. Most of the instruments and controls (traditional ‘light box’ alarm annunciators, panel-mounted switches, knobs, dials and gauges) were devices that were designed to strict industry standards for reliability and robustness. However, for the foreseeable future we can expect implementation of devices initially designed for consumer and commercial use, but that are fast becoming standard in many industries: high-resolution flat panel displays, touch screens, wireless handheld computers that can serve as both input and display devices, and a range of static and mobile devices designed to improve supervisory control, improve situation awareness and enhance operator performance and reliability.

In most industries we find that advanced automation systems have the potential to enhance the safety of workers and equipment, enhance monitoring of process variables through improved sensing, control and display capabilities, increase system reliability, resilience and availability, and reduce the need for human operators for functions that can be achieved more efficiently through automation.

In contrast, the nuclear industry has yet to reap the full benefits of advanced technologies. There are several reasons for this backlog, but at the same time there are many reasons why a transition to advanced technology is not only inevitable, but also highly desirable. Even a brief examination of the current state-of-the-art of emerging instrumentation and control and also human interface technologies would quickly reveal the reasons for this trend.

In most existing plants, surveillance, testing, inspection and monitoring of plant performance are all dependent on human operators and are all labour-intensive activities. This is not surprising, given the current state of technology in the majority of older plants. Traditional I&C and display technology in most plants older than 20 years consists of fixed analogue devices, as mentioned above. The control boards and panels in the control room are typically arranged in a horseshoe configuration and very often the controls used for control actions and the gauges where the results of such actions must be observed are widely separated on the boards and panels throughout the control room. The result is that the operator has to move around a lot to collect information from diverse sources. At the same time, the operator has to keep a lot of information in his or her head while performing a procedure. Under abnormal or emergency conditions this can produce significant workload and stress, and it is easy to see how this kind of HSI could become a potential source of human error. Indeed, there is ample evidence of the critical importance of well-designed HSIs from the accidents at Three Mile Island, Chernobyl and Fukushima Daiichi, both of which had inefficient analogue HSIs.

Innovations in HSI technologies have the potential to alleviate or even eliminate many of the problems associated with analogue I&C. Various strategies to upgrade I&C systems, including modernisation of control rooms, are beginning to emerge (Korsah et al., 2009). These strategies range from the most common ‘like-for-like’ replacement of systems (for example, replacing alarm light boxes with flat panel monitors that still display alarms as conventional alarm tiles), to comprehensive human factors engineering (HFE) studies combined with systems engineering projects that consider all technical and human aspects of the new or upgraded systems. Since most new reactor designs will employ FOAK technology (technology that has not been used in the older generation of NPPs), they have the opportunity to avoid the problems of outdated I&C and HSIs (obsolescence, unavailability, costly maintenance and so on). However, there are still significant risks associated with FOAK designs. These risks include challenges of integration, inadequate consideration of the changing role of the operator, coupled with the possible need to define new models of human-automation collaboration, the need for integrated system validation and many more.

Advanced technologies cannot be placed in the hands of the operator without considering how this will affect his or her task and performance. This means that designers should be intimately familiar with the characteristics of technologies, not only individual devices, but also devices coupled, integrated or interfaced with other new as well as older devices. An understanding of how the introduction of new technologies may affect operator behaviour and performance is crucial to the success of an NPP development project in the short term, and the safe and efficient operation of the plant in the long term.

Georgia Institute of Technology, Atlanta, GA, USA

8.1 Introduction

With respect to safety, large and small power reactors are expected to satisfy essentially the same technical, regulatory and licensing requirements. The question of interest to this chapter is whether there are inherent properties related to the power level that impact safety that would favor large or small reactors (IAEA, 2005a, 2009; Ingersoll, 2009; Petrovic et al., 2012). Considerations related to two important aspects (decay heat and source term) together with some additional aspects are discussed below:

• Decay heat. The most critical safety consideration of nuclear reactors is removal of decay heat after a shutdown in off-normal conditions, in particular during a loss of offsite power event. Under the assumption of comparable power density, based on first principles one can argue that small modular reactors (SMRs) are inherently safer in that respect. Namely, power is produced in the core, and depends on the core volume, V, whereas, if everything else fails (in the absence of any other mechanism), it is ultimately dissipated through the vessel having surface area S. The larger the S/Vratio, the higher the inherent heat removal capability. Since volume increases faster than surface (third vs. second power of linear size), this factor is smaller for large reactors, and larger for SMRs, i. e., SMRs inherently can reject a higher fraction of decay heat through their vessel.

• Source term. Assuming a similar specific power (W/gHM) and core-average fuel burnup, an SMR will have a proportionally smaller source term than a large unit. However, a proportionally larger number of SMR modules will be needed to deliver the same total power. One could argue that a simultaneous failure of multiple units is unlikely, but events at Fukushima Daiichi nuclear power plant (NPP) show that an unforeseen common mode failure is indeed possible, even if not likely. One should note that the common mode failure will at most make the source term for multiple SMRs as large as that of a large unit, but not worse. Moreover, due to their finer ‘power granularity’, there is theoretically more flexibility in siting (grouping or dispersing) SMRs.

• Properties enabling or facilitating safety. There are several other features directly related to power level that indirectly enable improved safety. For example, smaller core size and power level enable or facilitate integral configuration, and smaller NPP footprint facilitates placing it on seismic isolators. Such properties and their impact are further discussed in the rest of this chapter.

• Active and passive safety. Systems providing safety functions will be discussed in more detail in the next section; nevertheless, because of their importance we introduce here the distinction between active and passive safety systems. Conceptually, the latter are based on the laws of nature and therefore expected to be more likely to perform their function

Handbook of Small Modular Nuclear Reactors. http://dx. doi. Org/10.1533/9780857098535.2.191

Copyright © 2015 Elsevier Ltd. All rights reserved.

under a variety of off-normal conditions. While both small and large reactor designs may incorporate passive safety systems, practice shows that SMRs are more conducive to implementation of passive systems. An extensive list of the proposed SMR concepts with passive safety would be too long; instead representative examples are discussed in this chapter. An example of a large plant with passive safety systems is the Westinghouse AP1000 (Schulz, 2006).

• Reliability of safety systems. A number of SMR concepts (cf. e. g. international reactor innovative and secure, (IRIS; Carelli et al., 2004; Petrovic et al., 2012) have proved successful in systematically using their main defining characteristic — lower power level and size — to their advantage when implementing their safety approach. These designs tend to be based on simplicity enabled by the lower power level, thus promising to simultaneously achieve reliable safety and economics. They illustrate the key approach needed for a successful and competitive SMR design — it cannot be based on scaling down a larger design but needs to exploit unique SMR characteristics. For example, the integral primary circuit configuration — which is one of the enabling features and will be repeatedly mentioned throughout this chapter — is generally limited to SMRs due to the limiting reactor vessel size and cannot be directly extrapolated and applied to large power units.

Keeping in mind these top level differences and unique aspects of SMRs, in particular

of the integral pressurized water reactol (iPWR) type, this chapter discusses their

safety and related aspects:

• Section 8.2 presents approaches to safety (active and passive; inherent safety; and safety by design) and specific solutions adopted in various SMRs to implement their safety approach.

• Section 8.3 discusses experimental efforts needed to address unique characteristics of SMRs, in particular the integral configuration and primary components within the primary loop, and provides examples of several integral test facilities.

• Section 8.4 focuses on probabilistic risk assessment (PRA). It illustrates the benefits of the safety-guided design and discusses the SMR potential to significantly enhance their safety indicators to allow reducing the size of the emergency planning zone (EPZ), if possible to the plant site boundary.

• Section 8.5 briefly reviews security issues, and in particular mutual synergy of safety and security functions.

• Section 8.6 presents future trends, in particular related design trends, research needs, improved analytic capabilities, licensing approaches, and testing and validation.

• The last section provides references.

The actual evaluation is a multi-stage process. It addresses the system response and outcomes parts of the Methodological approach. The process is summarized in Appendix A of GenIV International Forum PR&PP (2011b).

9.4.2.2 Step 7: integrate results for presentation (main activity P)

The presentation of results must be carried out carefully. In this process, the analysts should reference and consider previous studies, and should apply the best available analysis tools to generate results and prepare the output in an optimal form for presentation to designers, program policy makers, and external stakeholders.

9.4.2.3 Step 8: write the report (main activity R)

As noted previously, reporting to the sponsors should be an ongoing process, and elements of the final report may be generated in draft form throughout the process. Ultimately, the analysts must provide the results in a form that can be understood by the user, thereby enabling the user to draw appropriate conclusions. If the report contains classified or sensitive information, it may be necessary to abstract an unclassified summary. GenIV International Forum (2011b) describes the information to be included in the report.

Progress between NRC and the nuclear industry on these key licensing and policy issues was an important consideration in determining whether the US would sponsor and fund an SMR program through the US Department of Energy (DOE). The SMR program would be structured as a public/private cost-share program to help mitigate the financing and licensing risk of FOAK reactor technology.

The US decided to fund and launch a competitive cost-share SMR program based on its assessment of three important risk factors that impact FOAK reactor deployment. First, since SMRs are a new nuclear technology, is there a market and demand for this technology? Second, do capital markets or end-users have the capabilities and desire to finance this FOAK technology and follow-on commercial projects? Third, does the regulatory authority — in this case the NRC in the US — have the resources and capabilities to license enhanced SMR designs and their unique safety and regulatory issues in a timely and effective manner?

While no risk can be totally mitigated, the US decided to establish the DOE SMR program to provide resources and capabilities to help mitigate the financial and licensing risks of the FOAK SMRs. The US decision to establish the SMR program was based, in part, on the significant progress in addressing and resolving the key licensing issues and potential financial constraints. In the US, the capital markets were noting uncertainty about financing new nuclear power plants (NPPs) because (a) the cost of natural gas in the US would make it difficult for NPPs in electrical markets to compete with the price of electricity generated by natural gas plants, (b) energy conservation and other economic measures were reducing demand for electricity in relation to historical demand curves, and (c) the political environment for NPPs was unpredictable based on heightened interest in renewables and the elimination of funds to continue the licensing of the Yucca Mountain waste disposal facility in Nevada. Financing of SMRs in global markets will also encounter the same risk factors of being competitive with other energy sources and being supported by political policy and regulatory authorities.

Evaluation of a proposed hybrid energy system architecture should include assessment of performance or attractiveness in several broad areas, including: (1) technical feasibility, (2) overall system economics, (3) environmental impacts, (4) production reliability/on-demand availability, (5) system resiliency, (6) system security, and (7) overall public or political attractiveness. To understand and evaluate the potential merits of a tightly coupled hybrid system it is necessary to define characteristics that exemplify ‘good’ system architecture.

The licensing process as developed by the NRC is predicated on experience developed over the past 40 years focusing almost exclusively on large LWRs as represented by the current fleet of 96 reactors operating today in the US. DOE-NE recognizes the importance of addressing regulatory and safety issues for both LW-SMRs and in particular A-SMRs early in the conceptual development process to facilitate the process for resolving key safety and licensing issues and for developing a regulatory basis to support licensing review of these new reactor designs. For SMR designs, both LW-SMR and A-SMR, to compete economically with the established economic performance of large LWRs, it is imperative that the regulatory process can appropriately accommodate and address such design considerations as increased plant simplifications, reduced risk factors, and anticipated increase in safety margins. The A-SMRs design concepts represent design philosophies and features that are significantly different from traditional LWRs.

As a minimum, A-SMRs will at least differ from LWRs in terms of the reactor coolant technology employed. It is further anticipated that most A-SMRs are likely to be of an integral design as discussed earlier in this book where essentially all of the primary systems and components are incorporated within a single reactor vessel. This design simplification is critical to both the enhanced safety case and economic competitiveness for SMRs in general. This integral design eliminates the high-consequence accident scenario of a large pipe-break loss-of-cooling accident (LOCA) and significantly reduces the number and size of penetrations through the reactor pressure vessel [5]. Other key generic safety features for A-SMRs will likely include:

• passive safety features as opposed to active systems;

• proportionately larger amount of reactor coolant inventory contained in the primary reactor

vessel;

• reduced source terms (radionuclide inventory);

• natural circulation cooling resulting from elongated pressure vessels to house the primary system components and restrict the vessel diameter sufficiently to be transportable via rail or truck — this passive safety feature will likely reduce the requirements for emergency power to drive circulation pumps; and

• below-grade construction to address post-September 11 security concerns.

Figure 14.3 lists some of the policy and technical issues from a regulatory perspective that represent regulatory and licensing areas to address early as the A-SMR design concepts evolve [6]. The current A-SMR R&D regulatory and safety projects address several of these areas. Furthermore, these policy and technical issues will also likely be a function of the following factors, as also illustrated in Figure 14.3:

• technology-specific issues largely due to reactor coolant technology employed;

• reactor size in terms design electrical rating;

• deployment as single versus multiple modules and use of shared systems;

• end use design objective, e. g. electric power, process heat, hybrid with renewable power sources, etc.; and

• generic issues for A-SMRs.

Current regulatory and safety research areas are listed in Table 14.3 including a brief summary of the scope for each research area.

The severe accident testing described in Table 14.3 is being conducted at DOE’s Argonne National Laboratory in its Natural convection Shutdown heat removal Test Facility (NSTF) as illustrated in Figure 14.4. Heat removal tests will be conducted to evaluate the effectiveness of the passive air reactor cavity cooling system (RCCS) to remove decay heat under accident conditions for A-SMRs. As noted previously, the successful demonstration of such passive systems will reduce requirements for emergency power to operate electric power-driven pumps. Plans for potential tests include evaluating natural circulation startup testing at different power ramp rates, steady-state parallel channel interaction and stratification, and performance tests under accident conditions.

In the deterministic safety analysis, it is confirmed that the operational limits are in compliance with the assumptions and intent of the design for the SMART normal operation. The safety analysis is performed on the initiating events listed in the safety related design basis events (SRDBE) that are appropriate for the SMART design. The initiating events result in event sequences that are analyzed and evaluated for a comparison with the radiological and design limits as acceptance criteria. Safety analyses are performed to demonstrate that the management of a design basis accidents (DBA) is possible by an automatic response of the safety systems. For the non-LOCA-initiating events, the safety analysis is supported with relevant computer codes, which are compatible with the digital protection and monitoring systems of SMART. For the LOCA-initiating events, a conservative methodology is utilized. The analysis results show that the SMART design properly secure the safety of the reactor system under limiting accident conditions.

Probabilistic assessment

In the SMART safety assessment, a probabilistic safety analysis (PSA) is required to validate the event classification and plant condition, to evaluate the safety level and to identify the weak points of the SMART design. The scope of the PSA is level 1 in the basic design stage. The level 2 and 3 PSA, external PSA and the low power/ shutdown PSA will be performed in the SDA stage. For the level 1 PSA, scenarios of 10 events have been developed: general transients, loss of feed-water, loss of offsite power, SB LOCA, steam line break (SLB), steam generator tube rupture (SGTR), large secondary side break, control rod ejection (REA), anticipated transient without scram (ATWS), and control rod bank withdrawal (BWA).

In general, there are two independent reactivity control systems provided for iPWRs or large LWRs, each relying on different principles to operate. In large, traditional PWRs, the primary reactivity control system is the use of soluble boric acid in the coolant. But as demonstrated in many iPWRs, this does not have to be the case, as a number of iPWRs are designed without the presence of boron in the coolant.

The second control system is the use of control rods, which have to be capable of ensuring sub-criticality under normal operations, including anticipated operational occurrences, and with enough margin to tolerate malfunctions such as stuck rods. The control systems have to be able to control the rate of reactivity change during normal operational power maneuvers (such as xenon depletion).

In both cases, the systems have to ensure that the fuel design limits are not exceeded, e. g., local power variations are less than the limits defined for pellet clad interaction. In addition, at least one of the systems has to be able to ensure sub­critical conditions at cold conditions.

Flow measurement is required for nuclear safety systems. Reactor coolant flow and main steam flow are examples. Perhaps the most challenging of the flow measurements is reactor coolant flow. Typical PWRs use an elbow tap method to attain a DP that is then translated to flow. The elbow taps are implemented in the elbow bend of the reactor coolant pipe on the crossover piping between the steam generator and the reactor coolant pumps. The theory behind this approach is that the larger centrifugal force of the water along the outside wall of the bend is compared to the lesser force of the water travelling along the inside wall of the pipe to create a differential pressure that is related to flow by a square root relationship. This method of flow measurement must be normalized and calibrated at near full power in order to provide the necessary accuracies.

iPWR designs that have primary side piping systems may be able to use the traditional approach. Some iPWR designs may find that the geometries of the piping associated with the reactor coolant pumps (RCPs) and/or the smaller flow velocities

preclude this type of measurement. In those cases, as with the non-pipe designs, new methods and approaches will need to be developed.

The NuScale design, for example, does not have reactor coolant piping or reactor coolant pumps. RCS flow is based on a natural circulation design that results in low flow velocities compared to traditional PWR designs. Both the lack of a pipe to mount the usual sensing element and the low flow velocities provide a challenge for traditional flow measurement methods. New technologies may provide the solution in these cases.

Some of the new technologies being considered for iPWRs without the traditional pipe configurations in their primary system are: ultrasonic methods, transit time methods, MEMs methods, and fiber optic methods. The benefits of some of these methods over the traditional DP method is that the primary sensed parameter is linear with respect to flow, as opposed to the square root relationship used in traditional DP methods. This linear relationship allows the accuracy to be consistent over the entire flow range and allows for improved accuracy at the low end of the flow range, which has not been the case in traditional DP methods. Accurate low-flow measurement is going to be a requirement for several iPWR designs. The need for high accuracy at low-flow conditions will drive several iPWR builders to find an other-than-traditional flow-measurement method.

Concerning primary coolant flow, some iPWR designs will have RCP pumps in their designs. It is possible, and even probable, that designs with RCP pumps will use RCP voltage, current, or pump speed as the primary parameter to measure flow. In a water-filled system, this approach has merit. Since ‘flow’ is a parameter determined indirectly from other parameters, the use of pump speed/voltage/current is a viable alternative approach.

Along the same lines as using pump speed, natural circulation designs may choose to use temperature, or delta temperature, as the method to measure reactor coolant flow. In a natural circulation design, the equivalent of the reactor coolant pump is the delta temperature across the core. In these cases, the primary system delta temperature will correlate to flow directly. Although this method of correlating delta temperature to flow is not a particularly complex method, it is a new concept for both the regulator and the builder. As with all new concepts, it will take longer for the new concepts to be proven, developed, and embraced.

Flow measurement methods in applications other than the reactor coolant flow have the flexibility, in some designs, to use traditional or new technology. If the system is a safety system, the concern will be the environmental qualification, but in systems not related to safety, older more traditional methods, including DP methods using venturis or nozzles, may be possible. These methods will still have the pitfalls of lower accuracies in the low flow range, and lack of qualification for higher pressures and higher temperatures, which may force iPWR builders to use newer technology for more linear flow measurement, even in the non-safety systems.