The outcomes of the system’s response are expressed in high-level measures for PR&PP, defined as follows.

9.3.4.1 Proliferation resistance

• Proliferation technical difficulty — The inherent difficulty arising from the need for technical sophistication, including material-handling capabilities, required to overcome the multiple barriers to proliferation.

• Proliferation cost — The economic and staffing investment required to overcome the multiple technical barriers to proliferation, including the use of existing or new facilities.

• Proliferation time — The minimum time required to overcome the multiple barriers to proliferation (i. e., the total time planned by the host state for the project).

• Fissile material type — A categorization of material based on the degree to which its characteristics affect its utility for use in nuclear explosives.

• Detection probability — The cumulative probability of detecting the action described by a segment or pathway.

• Detection resource efficiency — The staffing, equipment, and funding required to apply international safeguards to the SMR.

These measures are similar to those adopted in most assessments of PR (see discussion

in GenlV International Forum, 2011b).

R. L. Black Consultant, USA

11.1 Introduction

The licensing and deployment of any small modular reactor (SMR) is dependent on whether (a) there is a significant market demand for new nuclear power, (b) SMR technology can be developed in a timely manner to meet the demand, and (c) the SMR technology can be licensed effectively. As described in this Handbook, enhanced safety, improved security, and flexibility in siting and application are all factors that have created a market demand. Assuming a market demand for SMRs and an ability to finance, licensing becomes the next risk factor. Effective licensing is dependent, in part, on the maturity of the SMR technology. New and unproven nuclear technologies might present a challenge to effective licensing. Accordingly, near-term licensing and deployment of SMRs is focused on the proven light-water reactor (LWR) technology.

The commercial deployment of SMRs will be a global enterprise. Vendors will apply for licensing approval of their designs in the country of design origin (i. e., where the vendor is located). The approved SMR design will then be manufactured largely in the country of origin, marketed globally, and licensed for operation in the country of deployment. Various degrees of and requirements for local content for SMR systems and components might present a challenge to regulatory authorities to make sure that these safety systems and components meet the safety intent of the SMR design. The licensing/regulatory authority must be able to license and regulate SMRs in a manner that reasonably assures all safety, environmental, regulatory, and policy issues are addressed and resolved, particularly in the post-Fukushima environment. Importantly, the licensing authority must be able to assess the enhanced safety characteristics of SMR designs to support approval or certification of these advanced reactor technologies and their subsequent licensing. Enhanced safety designs and the associated significantly reduced risk to the public afford the licensing authority an ability to license SMR designs based on risk and safety assessments that support the designs.

Several countries have begun regulatory reviews of SMR designs. This chapter will discuss several approaches for SMR licensing that are permitted by the US regulatory process promulgated in new licensing procedures of the US Nuclear Regulatory Commission (NRC). This discussion is provided to the extent that they might be relevant to SMR licensing in other countries. In addition, this chapter discusses how several key SMR generic licensing issues were addressed and resolved by the NRC

Handbook of Small Modular Nuclear Reactors. http://dx. doi. Org/10.1533/9780857098535.3.279

Copyright © 2015 Elsevier Ltd. All rights reserved.

as an example to highlight how these safety and policy issues can be addressed by other regulatory authorities. The effective licensing of SMRs as a global enterprise will be aided by international collaborations and assistance. These collaborations, both by industry and regulatory authorities, will provide a strategy and framework to assist in the safe and effective licensing of SMRs for worldwide deployment.

The impact of the flowline on the supply chain is also significant, the whole system being based on a robust material-requirements-planning (MRP) foundation. For larger suppliers the ‘Kanban’ system can be operated, delivering sub-assemblies or part-kits to the workstations directly on the flowline. Each part will have a unique identifier permanently marked via physical (laser) etching or nameplate, incorporating both a visually readable and electronic-scanning data-matrix identifier. During the assembly process the dot-matrix data identifier is read using a handheld matrix-reading device which interprets the matrix into defined attributes such as item part number and serial number, build record. The completed unit assembly will tally with a full inventory of parts, each logged via the data-matrix system. This provides a complete build history of the small reactor and could also be used to automatically trigger a payment milestone to the supplier when the part is incorporated onto the customer unit.

Olefins are made from a light olefin (ethylene and propylene). They are the backbone of the petrochemical market and are consumed in the production of plastics. The conventional process uses coal to make syngas that is converted into methanol. The methanol is used in the olefin synthesis process to create ethylene and propylene with a variety of natural gas components. The nuclear-integrated process would add heat and power to create hydrogen using high-temperature steam electrolysis, significantly decreasing carbon dioxide emissions [27].

The reactor vessel assembly of SMART contains its major primary systems such as fuel and core, eight SGs, a PZR, four RCPs and 25 CRDMs in a single pressurized reactor vessel (PRV) as shown in Figure 15.5. The integrated arrangement of these components enables the removal of the large size pipe connections between major reactor coolant systems, and thus fundamentally eliminates the possibility of LB LOCAs. This feature, in turn, becomes a contributing factor for the safety enhancement of SMART. The reactor coolant forced by RCPs installed horizontally at the upper shell of the reactor pressure vessel (RPV) flows upward through the core, and enters the shell side of the SG from the top of the SG. The secondary side feedwater enters the helically coiled tube side from the bottom of the SG and flows upward to remove the heat from the shell side, eventually exiting the SG in a superheated steam condition. The large free volume in the top part of the RPV located above the reactor water level is used as a PZR region. As the steam volume of a PZR is designed to be sufficiently large, a spray is not required for a load maneuvering operation. The primary system pressure is maintained constant due

(Continued)

Figure 15.5 SMART reactor vessel assembly.

to the large PZR steam volume and a heater control. The core exit temperature is programmed to maintain the primary system pressure constant during a load change. In this way, the reactor always operates at its own operating pressure range matched with the system condition. Eight SGs are located at the circumferential periphery
with an equal spacing inside the RPV and relatively high above the core to provide a driving force for a natural circulation of the coolant.

Following a LOCA, current large PWRs employ an emergency core cooling systems (ECCS) to minimize fuel damage. This is accomplished by the injection of large amounts of cool, borated water into the RCS. The ECCS also provides highly borated water to ensure the reactor remains shut down following the cooldown associated with a main steam line rupture. This water source is the refueling water storage tank (RWST), which is external to containment, except in the AP1000 PWR design. Subsystems taking suction from the RWST can include high pressure injection or charging pumps, intermediate pressure injection pumps, and the low pressure injection or RHR system. Also, containment spray pumps take suction from the RWST to limit a containment pressure spike following a LOCA or a steam line rupture in containment. Some large PWRs also employ cold leg accumulators that inject borated water into the reactor when pressure falls below the injection set point. All these systems are safety-related and are backed by the plant emergency diesel generators. Figure 5.4 shows a typical large PWR ECCS.

Similar to the Generation III+ AP1000 design, many iPWR designs have moved the RWST or its equivalent inside containment. The level of the RWST is well above the level of the top of the fuel. The iPWR designs have eliminated large — break LOCAs by eliminating all large-bore piping. Small-break LOCAs will likely not exceed the capacity of the CVCS charging pump. In addition, the small-bore piping connected to an iPWR reactor pressure vessel will be isolable as close as possible to the vessel, which will limit the probability of a small-break LOCA. In the event of a leak, the ADS valves will function to reduce pressure to the point where water can be gravity-fed from the RWST into the reactor pressure vessel to keep the core covered. All ECCS cooling is designed to be by natural circulation. As a result, the various ECCS pumps backed by emergency diesels are not required for iPWR designs.

Many iPWR designs will also use a gravity-fed boron injection tank to ensure the reactor remains subcritical following an accident. These injection tanks are located high inside the containment and serve not only as a poison source, but also provide an additional source of water for emergency decay heat removal.

The iPWR containment designs are designed to be cooled passively to limit pressure spikes following an accident. Or, the containment shell, such as in the NuScale design, is designed to accept significantly higher pressures than a current large PWR design. (NuScale, 2012) Therefore, no containment spray system is planned for the iPWR designs, except the SMART reactor (Lee, 2010).

7.4.1 Purpose and objectives of advanced HSIs

As indicated in the earlier definition, the primary purpose of the HSI is to provide the operator with a means to monitor and control the plant and to restore it to a safe state when adverse conditions occur. The successful accomplishment of this objective will satisfy the five important human performance goals that all contribute to the safe and efficient operation of the plant: (1) reduce complexity, (2) reduce error and improve human reliability, (3) improve usability, (4) reduce operator workload and (5) improve situation awareness.

Achieving these objectives relies heavily upon the most effective information and communication technologies available. These technologies have the potential to improve many of the shortcomings of the old generation of analogue HSIs (that is, ‘hard controls and instruments’, such as buttons, switches and gauges) found in most NPPs. However, such improvements are dependent on a focus on human — factor principles in human-technology interaction. Advanced automation systems are beginning to allow a more dynamic collaboration between humans and systems. We can no longer regard the complex relationship between humans and systems as ‘people versus technology’, which was often the result of the classical function allocation approach. That out-dated approach was based on attempts to implement ‘HABA-MABA (human are better at-machines are better at’) principles derived from Fitts’ List (Hoffman et al., 2002). Rather, it now is more appropriate to focus on the total socio-technical system as a ‘joint cognitive system’. Woods and Hollnagel (2006) and Lintern (2007) describe a cognitive system as one that performs the

cognitive work functions of knowing, understanding, planning, deciding, problem solving, analysing, synthesising, assessing and judging, as they are fully integrated with perceiving and acting. In a particular work environment in the power plant, the entity that performs perceiving and acting functions would be the human agent. This implies that the control room and the entities within it could be characterised as a joint cognitive system that functions in a distributed way and involves relevant parts of the environment, the physical, mental and cultural processes of people, and the technical artefacts. The joint cognitive system viewpoint emphasises the cognitive functions that human operators and technologies accomplish in collaboration. It allows human-factors analysts and designers to analyse the system on different levels of detail, starting from the entire socio-technical system of the NPP, down to specific functions of an HSI that would have the ability to support the operator’s cognitive functions.

While not limited to SMRs, it is worth summarizing the safety approaches, commenting in particular on inherent safety features and safety-by-design that will be shown to be preferentially linked to SMRs. ‘Inherent safety’ and ‘safety-by-design’ are sometimes used interchangeably. However, the former primarily reflects the presence of a feature that eliminates certain accidents, while the latter emphasizes that the design was consciously modified to achieve such effect. There are other subtle differences in the use of safety-related terms in the US and worldwide; IAEA — TECDOC-626 (IAEA, 1991) is a good source for the latter, and therefore we will also cite it here. The following definitions may be applied to components as well as systems; we will introduce them as they apply to systems with the understanding that they extend to components. Furthermore, we will focus on essence rather than precise definitions.

All NPPs incorporate a number of safety systems designed to provide safety functions and perform appropriate actions in off-normal and accident situations. According to the modus of their operation, they are divided into active and passive ones.

Active safety systems require external power, force, action or signal. For example, decay heat removal may require an electric actuation signal, a motor-driven (or manually operated) valve to be opened, a pump to be operated to establish coolant flow, or some combination thereof. For active safety systems to operate, external power source(s) are required, and this can presents vulnerabilities, even with multiple redundant and diverse external power sources (power lines, diesel generators, batteries) as evidenced in the Fukushima Daiichi accident.

Passive safety systems, in contrast, operate based on the laws and forces of nature, and are thus less susceptible to external impacts, i. e., are ultimately less likely to fail. It is difficult to devise totally passive systems. In the US practice, this term is extended to include systems that in addition to their truly passive portion rely on stored energy to initiate the action (such as opening a valve, using battery or compressed air power, to establish natural circulation) which then proceeds based on the laws of nature.

Table 8.1 illustrates the division into active and passive systems/components by providing an example of a specific Nuclear Regulator Commission (NRC) classification of structures and components (for the purpose of aging management review). It is extracted from the 10 CFR 54.21(a)(1)(i), ‘Structures and Components Subject to Aging Management Review’ (CFR, 2010).

A more precise distinction may be achieved (IAEA, 1991) by considering the level of passivity, ranging from Category A denoting the most passive systems with no signals, external forces, power sources, moving parts or moving fluids involved, to the least passive Category D, that requires or allows the following:

• Energy must only be obtained from stored sources such as batteries or compressed or elevated fluids, excluding continuously generated power such as normal AC power from continuously rotating or reciprocating machinery.

• Active components are limited to controls, instrumentation and valves, but valves used to initiate safety system operation must be single-action relying on stored energy.

• Manual initiation is excluded.

An example is the emergency core cooling system, based on gravity-driven fluid circulation, initiated by fail-safe logic actuating battery-powered electric valves. For the complete definition of all categories, see IAEA (1991).

Older so-called Generation-II NPPs rely primarily on active safety systems. Many

modem NPPs implement a combination of active and passive safety systems (IAEA, 2004). The Westinghouse Gen-III+ AP1000 is a passive safety plant, meaning that all safety systems are passive (Schulz, 2006).

It should be noted that passive systems may still fail; for example, a wall intended to function as a safety separation barrier may be destroyed in an earthquake; a pipe in a natural circulation loop may be crushed, and so on. This is where the inherent (or intrinsic) safety and the safety-by-design, come in. One should differentiate between an overall inherently safe NPP and inherently safe features. Quoting IAEA — TECDOC-626 (IAEA, 1991): ‘Inherent Safety refers to the achievement of safety through the elimination or exclusion of inherent hazards through the fundamental conceptual design choices made for the nuclear plant.’ The reference continues on to emphasize:

Potential inherent hazards in a nuclear power plant include radioactive fission products and their associated decay heat, excess reactivity and its associated potential for power excursions, and energy releases due to high temperatures, high pressures and energetic chemical reactions. Elimination of all these hazards is required to make a nuclear power plant inherently safe. For practical power reactor sizes this appears to be impossible. Therefore the unqualified use of ‘inherently safe’ should be avoided for an entire nuclear power plant or its reactor.

We will therefore use ‘inherent safety’ to imply inherent safety feature(s), not the overall inherent safety.

A similar concept is expressed by the safety-by-design term, which emphasizes the fact that conscious design and engineering choices may lead to elimination of initiators for certain accidents or classes of accidents, and thus to elimination of possibility for those classes of accidents to occur. Clearly, it is then not necessary to deal with hypothetical consequences of such accidents, that is, corresponding safety systems are not necessary and the whole system becomes simpler, safer and more economical, all at the same time. The safety-by-design is present to certain degree in all (viable) reactor designs, more so in SMRs and in particular iPWR SMRs for the reasons that we will discuss. Arguably, it was most systematically pursued from the very beginning and implemented to a high degree in the IRIS design (Carelli et al., 2004; Petrovic et al., 2012), which may serve to illustrate many specific points.

Table 8.2 summarizes implementation of safety-by-design (i. e. inherent safety features) in IRIS, but individual features are common with other iPWR SMRs. The intent of the safety-by-design approach in IRIS was to eliminate or reduce in severity — by design — as many of the Class IV accidents as possible.

Examining the table, it may be observed that out of the eight Class IV accidents typically considered in large loop PWRs, three have been eliminated (large break loss-of-coolant accident (LOCA), control rod ejection, reactor coolant pump shaft break) and four reduced in severity (reactor coolant pump seizure, steam generator tube rupture, steam system piping failure, and feed-water system pipe break). The first two are a direct consequence of the integral configuration, while for the remaining five accidents the positive impact is partly due or supported by the integral configuration. Obviously, the integral configuration by itself does not automatically resolve potential safety concerns, but it does facilitate addressing or eliminating many of them.

Most PWR SMR designs base many of their inherent safety features on their integral design, i. e. they are of the iPWR type (IAEA, 2012a). This is not by chance; it results from the synergy of two fundamental factors:

• PWRs are high-pressure systems, and thus very sensitive to any leak or breach of the primary boundary. In contrast, for example, low-pressure lead or liquid-salt cooled systems would tend to self-plug leaks due to the solidification of the coolant, and this issue is not nearly as critical for them. The integral configuration eliminates external piping and multiple pressure vessels, thus eliminating or minimizing the probability of such events.

• Since the integral primary circuit configuration tends to significantly increase the pressure vessel size, it is generally not feasible for a large PWR, with an already large vessel, while it is generally feasible for an SMR with power level up to a few hundred MWe. However, an approach aiming to enable large power integral PWRs and thus facilitate extending SMR safety characteristics to GWe power level reactors is pursued in the I2S-LWR concept (Petrovic, 2014).

Table 8.2 Implementation of Safety-by-Design in IRIS IRIS design Safety implication Positively impacted Class IV design basis Safety-by-design impact characteristic accidents and events accidents on Class IV accident Integral layout No large primary piping Large break loss-of-coolant accidents LOCAs Large break LOCA Eliminated Large, tall vessel Increased water inventory Other loss-of-coolant Increased natural circulation accidents (LOCAs) Decrease in heat removal events Accommodates internal control rod Control rod ejection Spectrum of control Eliminated drive mechanisms Head penetrations failure rod ejection accidents Heat removal from Depressurizes primary system by Other loss-of-coolant inside the vessel condensation and not by loss of accidents (LOCAs) mass Effective heat removal by steam Other LOCAs generator and emergency heat All events requiring removal system effective cooldown Anticipated transient without scram (ATWS) Reduced size, higher Reduced driving force through Other LOCAs design pressure primary opening containment Multiple, integral, No shaft Shaft seizure/break Reactor coolant pump Eliminated shaftless coolant shaft break pumps Decreased importance of single Locked rotor Reactor coolant pump Downgraded pump failure seizure

High design-pressure steam generator system No steam generator safety valves Primary system cannot over-pressure secondary system Steam generator tube rupture Steam generator tube rupture Downgraded Feed-water/steam piping designed for full reactor coolant system pressure reduces piping failure probability Steam line break Feed line break Steam system piping failure Downgraded Once-through steam generators Limited water inventory Feed line break Steam line break Feed-water system pipe break Downgraded Integral pressurizer Large pressurizer volume/reactor power Overheating events, including feed line break ATWS Spent fuel pool underground Security increased Malicious external acts Fuel handling accidents Unaffected

An overview of representative approaches and passive and inherent safety features pursued in different iPWRs follows. We note that some also may apply or be used in large loop PWRs, and some may not be fully passive, but instead have elements enabling passive safety, or are specific safety approaches typically found in iPWR SMRs.

• Integral primary circuit, integral configuration, integral vessel layout. As already discussed, several safety features are driven or assisted by integral configuration:

о inherent elimination of large break LOCA;

о inherent elimination of control rod ejection (with internal control rod drive mechanism (CRDM) enabled by integral configuration);

о better response to transients (with a large primary inventory and increased pressurizer volume to power ratio, typical of integrated pressurizers); о immersed pumps may eliminate some primary pressure boundary penetrations and associated failure modes;

о novel internal steam generators and primary heat exchangers eliminate or reduce in severity certain associated failure modes, such as the steam generator tube rupture (if primary is in the shell), or steam-line/feed-line break; о confinement of primary coolant to reactor vessel; о overall more compact design due to elimination of external loops.

• Guard vessel, reducing the impact of the primary boundary breach, but potentially impacting economics.

• Natural circulation-based heat removal in normal (power) operation, eliminating (auxiliary) pumps and the possibility of their failure. Typically limited to low power systems.

• Natural circulation-based decay heat removal in off-normal conditions, eliminating the need for pumps and external power, considered in many designs.

• Soluble boron-free core. This reduces corrosion, eliminates the need for a coolant volume control system (CVCS) and associated piping with primary pressure boundary (pressure vessel) penetrations. Of course, large PWRs may also be designed for soluble boron — free operation. However, cost considerations favor boron-free operation of (in particular smaller) SMRs, and use of soluble boron in larger plant. This is due to the fact that the CVCS cost does not depend strongly on size, while the number of required control rods and their cost does. The cost breakeven point is design dependent, but estimated to be in the 100-200 MWe range.

• Increased operational margin, sometimes at a cost of power downrating.

• Enhanced self-regulation. Typically achieved through enhanced negative temperature and power feedback, frequently in conjunction with a soluble boron-free core, it provides a self-regulating and self-stabilizing effect. It is of particular interest for smaller units where load-follow operation is intended. It has to be considered, however, that a very strong negative feedback may have negative safety implications due to the reactivity insertion in cooldown scenarios.

• Long life core. It reduces the probability of refueling accidents and refueling outages and associated penalty, and may increase proliferation resistance. However, it needs to be carefully assessed against the needed higher enrichment or reduced power density, offsetting these positive impacts. There is usually an economically optimum balance.

• Very low power reactors (with a small core fuel inventory) may reduce the source term to the level that a small EPZ (e. g. no off-site need for EPZ) is deterministically defendable.

• Increased heat capacity of ultimate heat sink, typically implemented through a combination of smaller power units and large pool, providing increased or indefinite decay heat removal capability and thus grace period after a hypothetical accident.

• Inerted containment to prevent hydrogen explosion (easier implemented for compact SMR designs).

• Passive containment heat removal system as another layer of defense.

• Coupled pressure vessel and containment vessel response to LOCA events, aiming to limit the loss of coolant inventory.

• Application of the traditional defense-in-depth (DID) implemented through use of passive features as much as possible.

• Passive reactivity control systems, including passive shut-down systems.

• Near zero self-regulating excess reactivity, eliminating the possibility of prompt criticality, but usually limited to (very) low power systems.

• Enhanced seismic isolation. Not specific to SMRs, but economically more feasible for compact iPWR SMR designs (cf. e. g. Petrovic et al., 2012).

It is instructive to review the implementation of the above features to specific iPSWR designs. These specific designs have been selected among the many SMR designs that have been proposed over the last several decades. It would have been impossible as well as ineffective to include all or most of them. Instead, a narrow selection aiming to be somewhat representative is presented here, together with the rationale for selection, while the reader interested in further designs is advised to examine review papers and several IAEA TECDOCs and OECD Handbooks that are being periodically prepared to capture all or most of the then-current designs under development (OECD, 1991, 2011; IAEA, 1995, 2005a, 2006, 2012a; DOE, 2001; Ingersoll, 2009).

The following rationale was used to guide our selection:

• The specific SMR design and safety concept had to be developed to a certain degree of completeness, maturity and integration. Otherwise, it is possible to claim attractive features that however may or may not work together when the integrated design is analyzed.

• The selection focuses on power plants providing at least 40 MWe. Several interesting very low power (typically <10 MWe) iPWR concepts have been proposed, but they are geared for a very specific purpose.

• The selection includes two prominent historical US designs that pushed the envelope and attracted broad attention by their overall safety characteristics and maturity of the design, SIR in 1990s (OECD, 1991; Matzie et al., 1992), and IRIS in 2000s (Carelli et al., 2004; IAEA, 2012a; Petrovic et al., 2012).

• The selection includes two prominent non-US design that have been under development for some time and are actively pursued, SMART (Chapter 15) (IAEA, 2005a; 2012a) and CAREM (Chapter 16) (IAEA, 2005a; 2012a), as well as RITM-200 (Chapter 17) (IAEA, 2012a).

• The selection includes three of the four SMR designs proposed to the US DOE funding solicitations in 2012 and 2013: mPower (Azad, 2012; Halfinger and Haggerty, 2012; IAEA; 2012a), NuScale (IAEA, 2012a; Ingersoll, 2012; Reyes, 2012) and Westinghouse SMR (IAEA, 2012a; Kindred, 2012). There was not much detailed information publicly available on the fourth design, SMR-160 or HI-SMUR (Holtec Inherently-Safe Modular Underground Reactor (HI-SMUR™; www. smrllc. com).

Table 8.3 summarizes safety-related characteristics for the selected integral designs. The table is intended for illustrative purposes only to show the safety benefits of iPWR SMR designs as a whole, and is not intended for comparison between the designs, since it is nearly impossible and would be very lengthy to capture all the features implemented in all specific designs.

It should be noted that while some of the listed and tabulated features have simultaneously positive impact on safety as well as economics (e. g., those passive safety systems that improve the safety while simplifying the design, thus making it more economical), others may challenge economics and require careful considerations and trade-off studies. Examples include power downrating which increases the capital cost and needs to be compensated by some other economic benefits, or which may enable certain design features not viable for current systems. Although economics is discussed in a separate chapter, the reader is reminded here that the impact of safety choices on economics has always to be considered.

9.5.1 Example Sodium Fast Reactor (ESFR) case study

The PR&PP methodology was developed and tested with the help of an example design. This was the Example Sodium Fast Reactor (ESFR). The design is described in detail in GenIV International Forum (2011a) and consists of four 300 MWe sodium reactors and associated fuel-processing facilities. It is based on the integral fast reactor design that was in development in the 1990s. While this section of the SMR Handbook is focused on iPWRs, the lessons learned from the use of the PR&PP methodology on other reactor concepts are sufficiently generic that they can mostly apply to iPWRs as well. The basic element in common is that the analysis would be performed on a novel reactor concept that is still in the design phase.

Basic lessons learned from the Case Study GenIV International Forum (2011a) included the following:

• Each PR&PP evaluation should start with a qualitative analysis allowing scoping of the assumed threats and identification of targets, system elements, etc.

• Detailed guidance for qualitative analyses should be included in the methodology.

• Access to proper technical expertise on the system design as well as on safeguards and physical protection measures is essential for a PR&PP evaluation.

• The use of formal expert elicitation techniques can ensure accountability and traceability of the results and consistency in the analysis.

• Qualitative analysis offers valuable results, even at the preliminary design level.

• Greater standardization of the methodology and its use is needed.

In addition, during the evaluation process the analyst must frequently introduce assumptions about details of the system design which are not yet available at early design stages: for example, the delay time that a door or portal might generate for a PP adversary. As the study progressed, the PR&PP working group realized that when these assumptions are documented, they can provide the basis for establishing functional requirements and design bases documentation for a system at the conceptual design stage. By documenting these assumptions as design bases information, the detailed design of the SMR can be assured of producing a design that is consistent with the PR&PP performance predicted in the initial conceptual design evaluation (or, if the assumptions cannot be realized in detailed design, the original PR&PP evaluations must be modified appropriately).

SMRs will be licensed and deployed in the global market. However, the deployment of SMRs as a global enterprise is not supported by an international licensing/certification framework that permits a ‘plug and play’ environment similar to electronics such as TVs, computers and smart phones. The current nuclear licensing strategy requires any SMR design, regardless of the pedigree and robustness of licensing in country of origin, to be licensed in the country of deployment. Contrast this licensing process with that of aircraft approval. In essence, an aircraft approved for air-worthiness by a competent approval authority is recognized worldwide through an international convention. While the international community has recognized the need to harmonize licensing processes and practices to the extent practicable, the reactor design in the country of origin still is licensed with significant reference to and adoption of that country’s approved industry codes and standards.

The nuclear energy community and standards development organizations (SDOs) (e. g., American Society of Mechanical Engineers (ASME), Institute of Electrical and Electronics Engineers (IEEE), American Nuclear Society (ANS), American Concrete Institute (ACI), ASTM International, American Welding Society (AWS))

recognize that the development of international nuclear codes and standards through the consensus process will facilitate worldwide licensing and deployment of SMRs. SDOs are spending much time and resources to support the development of international standards for all industries. The intent for world-wide consensus standards supporting SMR designs is that licensing authorities will adopt or reference these standards in the licensing basis for the designs. Adoption or reference of international standards as acceptable methods to meet a country’s licensing requirements will streamline the licensing process and facilitate the end goal of a global enterprise for SMRs.

A framework of international licensing based in part on the adoption and use of international codes and standards is a laudable goal. The NRC references approximately 520 standards in its regulations, regulatory guides, and the staff’s SRP. Over 160 NRC staff members participate in approximately 300 committees of SDOs. The NRC regularly reviews consensus standards developed by these SDOs and, if appropriate, endorses them in its regulations, regulatory guides, and the SRP. On a 5-year cycle, approximately 425 regulatory guides, the most common source of referenced consensus standards, are re-evaluated to determine whether they need updating, including the endorsement of new or revised consensus standards. More frequent revisions may occur based on technical evolutions and users’ needs.

The development of new and revised nuclear industry codes and standards was stalled over the past several decades commensurate with the hiatus of new NPP deployment. If new nuclear designs and technologies are not deployed commercially, SDOs have little business incentive to expend time and resources on new nuclear standards. However, new technologies that were applicable to the nuclear industry (digital instrumentation, wireless sensors, new materials and fabrication techniques, laser welding, etc.) were being developed and supported by new industry standards that were adopted worldwide.

In the US, the nuclear industry, NRC and DOE recognized the need to identify (a) what new industry standards were developed or being developed that supported new nuclear technologies, (b) what new or revised nuclear standards were needed, (c) what industry codes and standards were referenced in NRC licensing documents and whether those references were up to date, and (d) how nuclear industry codes and standards referenced by NRC should be incorporated in a web-based database to support international use and licensing of nuclear technologies.

In 2009, the Nuclear Energy Standards Coordination Collaborative (NESCC) was established under the sponsorship and coordination of the American National Standards Institute (ANSI) and the National Institute of Standards Technology (NIST), with the sponsorship of DOE and the NRC. NESCC provides a cross­stakeholder forum to bring together representatives of the nuclear industry, SDOs, subject matter experts, academia, and national and international governmental organizations to facilitate and coordinate the timely identification, development, or revision of standards that support new nuclear designs, licensing, operation, fabrication, and deployment. In addition, there are codes and standards activities in cross-cutting areas that are relatively technology-neutral in that the standards involve new materials, techniques, or methods that are applicable to essentially all reactor technologies for use in new design or construction. Examples include high-density polyethylene piping, digital instrumentation and controls, composite concrete construction, and risk methodologies for advanced reactors. The NRC also recognized that its regulatory guidance documents needed review and revision to ensure that they appropriately referenced current codes and standards. It proposed to develop a database of referenced standards. A high priority for the NESCC was to support the NRC in the development of its web-based database of standards for worldwide use. This database is expected to be published in mid-2014.