Category Archives: DESIGN FEATURES TO ACHIEVE DEFENCE IN DEPTH IN SMALL AND MEDIUM SIZED REACTORS

Primary circuit integrity is secured by

(1) Realization of prerequisites and conditions required to exclude brittle fracturing of the reactor vessel; these prerequisites include keeping the fast neutron fluence on the reactor vessel and the vessel temperature below allowable limits;

(2) High thermal inertia of the reactor, resulting in slow variation of reactor parameters;

(3) Accessibility of the base metal of welded joints for the purpose of diagnostics of the primary pressure boundary;

(4) Placement of the primary circuit in premises designed to withstand external impacts, such as earthquakes, shock waves, aircraft crash, etc.;

(5) Provision of a sufficient design strength margin for all components of vessel equipment. For example, the vessel system retains its performance characteristics in all possible operation modes, including accidents;

(6) Seismic design of the primary circuit equipment;

(7) The overpressure protection system prevents overpressure in the primary circuit regardless of the condition of electric control circuits and of personnel actions.

Retention of radioactive fluids at primary circuit leaks is provided within:

(1) The containment;

(2) Leaktight sections of the primary circuit, limited by redundant fast response isolation valves installed inside the containment;

(3) Isolation sections of the PCU and SCS cooling water systems, limited by redundant fast response isolation valves installed inside the containment.

Retention of radioactive products within the containment is achieved through:

(1) Arrangement of reactor plant equipment in a ferroconcrete leaktight containment;

(2) Keeping containment pressure lower than ambient pressure during normal operation;

(3) A system of leaktight hatches and gates in the containment;

(4) Containment resistance to impacts of external natural and human induced events, provided with a design strength margin;

(5) A system of containment radioactivity filtration during normal operation;

(6) Isolation of containment leaktight volume from groundwaters;

(7) Containment diagnostics systems (continuous monitoring for leaktightness).

Ingress of radioactive products to the cooling circuits connected with the environment is prevented through the use of intermediate circuits (PCU and SCS cooling water circuits).

Some major highlights of passive safety design features in the GT-MHR, structured in accordance with the various levels of defence in depth [VII-3, VII-4], are related below.

Level 1: Prevention of abnormal operation and failure

The contributions to this defence in depth level generically come from:

— Proper evaluation and selection of a suitable NPP site;

— Design development based on a conservative approach with strong reliance on inherent safety features and preferential application of passive safety systems;

— Quality assurance of NPP systems and components; quality assurance of all steps in NPP design development and project realization;

— Compliance of NPP operations with the requirements of regulatory documents, technical regulations, and operation manuals;

— Maintenance of operability of safety related structures, systems and components with early detection of defects; application of preventive measures; and timely replacement of expired equipment; effective documentation of the output of all inspection and maintenance activities;

— Provision of required NPP staff qualifications, with a focus on operating personnel, who are to take action during normal and abnormal operation, including pre-accidental conditions and accidents; development of a safety culture.

The GT-MHR plant is being designed in compliance with a quality assurance programme. All design features and parameters incorporate required design margins.

In addition to the generic measures contributing to Level 1 of defence in depth, the GT-MHR incorporates certain design features directly contributing to this level; they are:

— Direct closed gas turbine cycle, which provides considerable simplification, minimizes required NPP equipment and systems, and excludes the steam-turbine power circuit;

— TRISO coated particle fuel capable of reliable operation at high temperatures and burnup levels;

— Helium coolant, which offers good heat transfer properties, does not dissociate, is easily activated and chemically inert. Neutronic properties of helium exclude reactor power growth at coolant density variation;

— Large thermal inertia of the reactor core, large temperature margin between the operation limit and safe operation limit; slow temperature variation during power variation in a manoeuvring mode.

Level 2: Control of abnormal operation and detection of failure

The contributions to this level generically come from:

— Timely detection of defects; timely preventive measures; and on-time equipment replacement;

— Detection and correction of deviations from normal operation;

— Management of abnormal operation occurrences;

— Prevention of the progression of initiating events into design basis accidents using normal operation and safety systems.

The GT-MHR design provides for timely detection and correction of deviations from normal operation caused by malfunctions in external power grids, control systems, and by partial or complete inoperability of the equipment of redundant normal operation systems (pumps, heat exchangers, valves, etc.), as well as for other reasons. Management of abnormal operation is secured by:

— Self-control properties of the reactor, including a large temperature margin between the operation limit and safe operation limit;

— Neutronic properties of the reactor, including negative feedback on reactor temperature and power increase;

— The use of reliable automated control systems with a self-diagnostic capability;

— The use of state of the art operator information support systems.

Stable operation of the reactor plant is provided in case of individual equipment failure such as failure of the PCU cooler module, of the generator gas cooler module, of the SCS heat exchanger section, or of the SCS gas circulator cooler section.

The allowable time for detection and correction of deviations, as well as the allowable power level at various deviations, is determined by safe operation conditions defined by the safety design features of the GT-MHR, such as the use of TRISO coated particle fuel, helium coolant, and graphite as a structural material, etc.

Level 3: Control of accidents within the design basis

The objectives of this defence in depth level are:

— Prevention of progression of design basis accidents into beyond design basis accidents, executed through the use of safety systems;

— Mitigation of those accident consequences that could not be prevented by localization of released radioactive substances.

In the GT-MHR, effective control of design basis accidents is ensured by:

— Strong reliance on the inherent safety features, such as negative reactivity feedback and natural processes;

— Preferential use of passive safety systems;

— Conservative approach used in the design of protective barriers and safety systems;

— Residual heat removal from the reactor in accidents, carried out without external power sources, control signals or human intervention;

— The limitation of radiation consequences of accidents via localization of released radioactive substances and radiation.

Provisions for effective control of design basis accidents are incorporated in the GT-MHR design. The key design components for this are safety systems and localization safety systems. Support and control systems are provided too; however, their role is not as critical as in existing NPPs, due to broader use of inherent safety features and passive safety systems in the GT-MHR.

According to redundancy and diversity principles, two independent systems are provided to shut down the reactor and keep it in a safe subcritical state.

Heat removal systems include a passive heat removal system, the RCCS, which comprises two independent cooling channels of equal efficiency.

During primary circuit depressurization, reactor core cooling does not require compensation of coolant loss. Radioactive products are localized by the containment system and by fast response shut-off valves.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The objectives of this defence in depth level are:

— Prevention of beyond design basis accidents and mitigation of their consequences;

— Protection of the leaktight boundary against destruction during beyond design basis accidents and maintenance of its operability;

— Return of the NPP to a controllable condition when the chain reaction of fission is suppressed and continuous cooling of the nuclear fuel and retention of radioactive substances within the established boundaries are provided.

The GT-MHR plant design provides for the means of beyond design basis accident management such as:

— Prevention (decrease) of radioactive product release into the environment, which is achieved through incorporated physical barriers;

— Ensuring that final stable and safe conditions are reached when the chain reaction of fission is suppressed and when continuous cooling of nuclear fuel and retention of radioactive substances within established boundaries are provided.

In the case of failure of safety components and systems, management of beyond design basis accidents can be executed by personnel. This requirement is fulfilled by:

— Reactor design safety features, which limit the progression of accidents;

— The characteristics of passive safety systems;

— The capabilities of normal operation systems;

— Large time margins for implementation of accident management measures.

High heat storage capacity of the reactor core and high acceptable temperatures of the fuel and graphite allow for passive shutdown cooling of the reactor in accidents, including LOCA (heat removal from the reactor vessel by radiation, conduction and convection), while maintaining fuel and core temperatures within allowable limits.

Safety for the population in beyond design basis accidents is secured by specific features of the reactor design, without requiring on-line intervention of personnel.

The time margin available for personnel to take action in an accident management scenario varies from several dozens of hours to several days from the moment of accident initiation.

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The objective of this level is generically achieved by preparation and implementation (if needed) of plans for response measures within and beyond the NPP site.

Analysis of radiological consequences of beyond design basis accidents (including the most severe accident with primary circuit depressurization accompanied by the actuation failure of shutdown systems, NPP blackout, and long term loss of all PCU and SCS active heat removal systems) performed at the GT-MHR plant design development stage, showed that no accident prevention measures are required either within or beyond the NPP site.

ROLE OF PASSIVE SAFETY DESIGN FEATURES IN DEFENCE IN DEPTH

Some major highlights of passive safety design features in the 4S-LMR, structured in accordance with the various levels of defence in depth [VIII-2, VIII-3], are described below.

Level 1: Prevention of abnormal operation and failure

(A) Prevention of transient over-power:

• Elimination of feedback control of the movable reflectors;

— A pre-programmed reflector-drive system, which drives the reflector without feedback signals;

— The moving speed of the reflector is approximately 1 mm/week;

• The limitation of high speed reactivity insertion by adopting electromagnetic impulsive force (EMI) as a reflector driving system;

• The limitation of reactivity insertion at the startup of reactor operation;

• Negative whole core sodium void worth;

• Power control via pump flow rate in the power circuit (no control rods in the core).

(B) Prevention of loss of coolant:

• Double boundaries for primary and secondary sodium in SG tubes and continuously operating leak detection systems.

(C) Prevention of loss of flow:

• Primary EM pumps are arranged in two units connected in a series in which each single unit takes on one half of the pump head;

• A combined system of EM pumps and synchronous motor systems (SM) ensures sufficient flow coastdown characteristics.

(D) Prevention of loss of heat sink:

• Redundant and diverse passive auxiliary cooling systems (RVACS and IRACS or PRACS) with natural draught of environmental air acting as a heat sink.

(E) Prevention of sodium-water reaction:

• A leak detection system in the heat transfer tubes of the SG using wire meshes and helium gas, capable of detecting both:

— An inner tube failure (water/system side of the boundary);

— An outer tube failure (secondary sodium side of the boundary).

Level 2: Control of abnormal operation and detection of failure

The inherent and passive features contributing to such control are:

• All temperature reactivity feedback coefficients are negative;

• Negative whole core sodium void worth;

• Effective radial expansion of core (negative feedback);

• Large thermal inertia of the coolant and the shielding structure;

• Two redundant power monitoring systems, the primary and the secondary; balance of plant temperature monitoring system; EM pump performance monitoring system, cover gas radioactivity monitoring system, etc.

Level 3: Control of accidents within the design basis

The inherent and passive features contributing to such control are:

• Metallic fuel (high thermal conductivity, low temperature);

• Low linear heat rate of fuel;

• Negative whole core sodium void worth;

• All temperature reactivity feedback coefficients are negative;

• Low pressure loss in core region;

• Effective radial expansion of core (negative feedback);

• Redundant and diverse passive auxiliary cooling systems (RVACS and IRACS or PRACS) with natural draught of environmental air acting as a heat sink;

• Increased reliability of reactor shutdown systems achieved by the use of two independent systems, with each having enough reactivity for a shutdown, including:

— The drop of several sectors of the reflector;

— Gravity driven insertion of the ultimate shutdown rod.

• Increased reliability of the sodium leakage prevention systems achieved by the use of double wall SG tubes with detection systems for both inner and outer tubes.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The inherent and passive features contributing to such control are:

• Redundant and diverse passive auxiliary cooling systems (RVACS and IRACS or PRACS) with natural draught of environmental air acting as a heat sink;

• Inherent safety features of a metal fuelled core, such as excellent thermal conductivity and low accumulated enthalpy;

• Low linear heat rate of fuel;

• Negative whole core sodium void worth;

• Large inventory of primary sodium to meet the requirements for increased grace periods;

• The rapid system of sodium drain from the SG to the dump tank as a mitigation system for sodium-water reaction.

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The inherent and passive safety features of the 4S are capable of eliminating an occurrence of fuel melting in any accident without scram (AWS) or anticipated transient without scram (ATWS), see Annex XIV and Annex XV in [VIII-1].

ACCEPTANCE CRITERIA FOR DESIGN BASIS AND BEYOND DESIGN BASIS ACCIDENTS

V-4.1. List of design basis and beyond design basis accidents

Safety analysis of AHWR has identified an exhaustive list of 43 postulated initiating events [VI-1].

Events considered within the design basis are categorized as follows:

• Decrease in coolant inventory (Loss of coolant accidents);

• Increase in coolant inventory;

• Increase in heat removal;

• Increase in system pressure/Decrease in heat removal;

• Decrease in coolant flow;

• Reactivity anomalies;

• Start-up and shutdown transients;

• AHWR specific events (defuelling, refuelling of AHWR channel).

Events considered beyond the design basis are categorized as follows:

• Multiple failure events;

• Failure of wired shutdown systems and other BDBAs.

Specifically, safety analyses included the analysis of four transients due to failure of the wired (sensors, signal carriers and actuators) systems of the SDS-1 and the SDS-2, with reactor shutdown executed passively, through injection of a poison into the moderator using the system steam pressure.

PROBABILITY OF UNACCEPTABLE RADIOACTIVE RELEASE BEYOND THE PLANT BOUNDARY

Probabilistic safety parameters determined in the probabilistic risk assessment (PRA) of a floating NPP with KLT-40S reactors are prescribed by a top level Russian regulatory document, the OPB-88/97 [I-5]. The parameters include core damage frequency and the probability of a large (limited) radioactivity release in accidents.

According to OPB-88/97, the PRA goal is to demonstrate that cumulative core damage frequency does not exceed 10⁻⁵ per reactor year, and the probability of a large radioactivity release is not higher than 10⁻⁷ per reactor year.

Level 1 PRA has been performed for a floating NPP with KLT-40S nuclear installations. According to its results, the point estimate of the resulting core damage frequency of the KLT-40S under internal initiating events is about 10⁻⁷ per reactor year for initial reactor conditions, corresponding to normal power operation. Uncertainty analysis of probabilistic safety attributes, performed using a method of statistical testing (Monte Carlo method), has shown an upper confidence boundary (95% quantile) that core damage frequency will not be higher than [31]-6 per reactor-year.

Low probability of a severe accident with core damage is conditioned by inherent safety features (self-protection) and other design features of this modular reactor design, as well as by redundancy and diversity of safety systems in the NPP. Both active and passive safety systems are incorporated in the KLT-40S; these systems are based on components with high reliability proven by multi-year operating experience of prototype (marine) reactors.

Selection of design basis accidents

An analysis of design basis accidents considers the superposition of an initiating event and a failure (that does not depend on the initiating event) of any component of the active or passive safety system with mechanical moving parts, or an event-independent personnel error.

The definition of single failure used here is given in the previous subsection.

Analysis of design basis accidents in the GT-MHR also takes into account a superposition of initiating events and additional failures that affect the conditions of decay heat removal from a shutdown reactor.

Additional failures are those related to loss of the external power supply (blackout) or to a failure of the SCS to actuate upon request, which leads to reactor shutdown cooling by the RCCS.

Emergency cooling of a shutdown reactor by the RCCS is a long process accompanied by considerable temperature increases of the primary coolant, fuel, reactor core graphite structures, in-vessel metal structures, and the reactor vessel. At primary circuit depressurization and air ingress to the reactor core, such conditions of a shutdown reactor may result in considerable oxidation of the graphite blocks in the reactor core. Therefore, the progress of design basis accidents with a reactor shutdown cooling by the RCCS is analyzed considering the potential restart of any active channel for heat removal from the reactor core through the PCU and the SCS after their operability is recovered.

SUMMARY OF PASSIVE SAFETY DESIGN FEATURES FOR THE 4S-LMR

Tables VIII-5 to VIII-9 below provide the designer’s response to the questionnaires developed at the IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [VIII-2] and other IAEA publications [VIII-3, VIII-7]. The information presented in Tables VIII-5 to VIII-9 provided a basis for the conclusions and recommendations in the main part of this report.

TABLE VIII-5. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/INCORPORATED INTO THE 4S-LMR DESIGN

| # | Safety design features | What is targeted? |
|---|---|---|
| 1 | Low linear heat rate of fuel | A large margin to fuel melting |
| 2 | Metallic fuel with high thermal conductivity | Decrease of fuel centreline temperature and temperature gradients in a fuel pin |
| 3 | Double boundaries for primary and secondary sodium | Prevention of loss of coolant |
| 4 | Secondary sodium coolant loop (intermediate heat transport system) | Prevent sodium-water reaction from affecting the core |
| 5 | Increased reliability of sodium leakage prevention systems, achieved by the use of double wall SG tubes with detection systems for both inner and outer tubes | Prevention of sodium-water reaction |
| 6 | All temperature reactivity feedback coefficients are negative | Accomplish passive shutdown and prevent accidents with core disruption |
| 7 | Negative whole core sodium void reactivity | Accomplish passive shutdown and prevent DBE from progressing into severe accidents |
| 8 | Effective radial expansion of the core (with negative feedback on reactivity) | Passive insertion of negative reactivity in transients with temperature rise; simple reactor control in load following mode |
| 9 | Simple flow path of coolant in the primary loop | Enhance natural convection of the primary sodium coolant |
| 10 | Low pressure loss in the core area | Enhance natural convection of the primary sodium coolant |
| 11 | Electro-magnetic pump | Prevent immediate pump trips due to a stuck pump shaft |
| 12 | Two electro-magnetic pumps in series | Prevent loss of flow or limit its consequences |
| 13 | Two redundant and diverse passive auxiliary cooling systems (RVACS and IRACS or PRACS) with natural draught of environmental air acting as a heat sink | Assure reliable removal of decay heat |
| 14 | Two diverse passive shutdown systems with each having enough reactivity for a reactor shutdown | Assure reliable reactor shutdown in normal operation and in accidents |
| 15 | No control rods used in core; power control executed via feedwater flow rate control in the power circuit | Enhanced power range of reliable reactor operation; elimination of accidents with control rod ejection; simplified reactor design and operation |

Prevention of transient over-power accidents

| # | Specific hazards that are of concern for a reactor line | Explain how these hazards are addressed in SMR |
|---|---|---|
| 1 | Prevent unacceptable reactivity transients | No control rods in the core, reactor power control via feedwater flow rate in the power circuit; All negative temperature reactivity feedbacks; Negative whole core sodium worth; Prevention system of reflector insertion accident |
| 2 | Avoid loss of coolant | Vessel pool configuration with a surrounding guard vessel; Double boundaries for primary and secondary sodium; Double wall SG tubes with detection systems for both inner and outer tubes; Because all temperature reactivity feedback coefficients are negative, coolant boiling will not occur |
| 3 | Avoid loss of heat removal | Decay heat transport by natural circulation with diverse IRACS and RVACS using environmental air as an ultimate heat sink; Relatively large volume of sodium in the interconnected primary and secondary coolant systems of a pool type reactor |
| 4 | Avoid loss of flow | The flow rate of natural convection sufficient to remove decay heat, boosted by simple flow path of the primary sodium and low pressure drop in the core; Local blockage of flow path in the core is prevented by inlet geometry of a fuel assembly, providing an axial and a radial barrier to the debris; Two primary electromagnetic pumps arranged in series |
| 5 | Avoid exothermic chemical reactions (sodium-water and sodium-air reactions) | Secondary sodium coolant loop (intermediate heat transport system); Double wall SG tubes with detection systems for both inner and outer tubes; Because all temperature reactivity feedback coefficients are negative, coolant boiling and consequent high pressure generation, which may lead to a disruption of the coolant pressure boundary, will not occur |
| 6 | Prevent radiation exposure of public and plant personnel | Low linear heat rate of fuel; Because all temperature reactivity feedback coefficients are negative, temperature of the cladding inner surface will not increase up to eutectic temperature; Progression to core melt is prevented by the inherent and passive safety features |

| # | List of initiating events for AOO/DBA/BDBA typical for a reactor line (sodium cooled fast reactors) | Design features of the 4S-LMR used to prevent progression of the initiating events to AOO/DBA/BDBA, to control DBA, to mitigate BDBA consequences, etc.* | Initiating events specific to this particular SMR |
|---|---|---|---|
| 1 | Loss of flow | Two primary electromagnetic pumps arranged in series with each capable of handling 0.5 of the nominal coolant flow rate; Passive reduction of reactor power by all negative temperature reactivity coefficients; Heat transport by the flow rate of natural convection sufficient to remove decay heat, boosted by simple flow path of the primary sodium and low pressure drop in the core | |
| 2 | Transient over-power | All temperature reactivity feedback coefficients are negative; Whole-core sodium void reactivity is negative; No feedback control of a moveable reflector; No control rods in the core (power control via pump flow rate in the power circuit); Limitation of high speed reactivity insertion by adopting electromagnetic impulsive force (EMI) as a reflector driving system; Limitation of reactivity insertion at the startup of reactor operation; High thermal conductivity of metallic fuel | Failure in insertion of the ultimate shutdown rod; Failure in the operation of a pre-programmed moveable reflector |
| 3 | Loss of heat sink | Environmental air draught is used as an ultimate heat sink, with two redundant and diverse passive decay heat removal systems (RVACS and IRACS) being provided; Relatively large volume of sodium in the interconnected primary and secondary coolant systems of a pool type reactor; Passive reduction of reactor power by all negative temperature reactivity coefficients; Whole-core sodium void reactivity is negative | |
| 4 | Local fault | High thermal conductivity and low centreline temperature of metallic fuel; Local blockage of flow path in the core is prevented by inlet geometry of a fuel assembly, providing an axial and a radial barrier to debris | |
| 5 | Loss of on-site power | Gravity driven insertion of ultimate shutdown rod; Gravity driven drop of reflector parts to shut down the reactor; With a stuck moveable reflector, the reactor would operate for some time and then become subcritical because burnup reactivity loss will not be compensated by slow upward movement of the reflector; All temperature reactivity feedback coefficients are negative; Whole-core sodium void reactivity is negative; Natural convection in the primary circuit sufficient to remove decay heat; Environmental air draught is used as an ultimate heat sink, with two redundant and diverse passive decay heat removal systems (RVACS and IRACS) being provided | |
| 6 | Sodium leak | Secondary sodium coolant loop (intermediate heat transport system); Double-wall SG tubes with detection systems for both inner and outer tubes | |

* The analyses performed have shown that all postulated design basis and beyond design basis accidents can be terminated without core melting, relying only on the inherent and passive safety features of the plant [VIII-1].

| # | Safety design features | Category: A-D (for passive systems only), according to IAEA-TECDOC-626 [VIII-5] | Relevant DID level, according to NS-R-1 [VIII-2] and INSAG-10 [VIII-3] |
|---|---|---|---|
| 1 | Secondary sodium coolant loop (intermediate heat transport system) | A | 1, 4 |
| 2 | Double wall SG tubes with (active) Na leak detection system for each wall | A | 2 |
| 3 | Electromagnetic pump | B | 1 |
| 4 | Two electromagnetic pumps in series | A | 2 |
| 5 | Simple flow path in the primary loop | A | 2, 3 |
| 6 | Low pressure loss in the core | A | 2, 3 |
| 7 | Reactor vessel auxiliary cooling system (RVACS, IRACS or PRACS) with the environmental air as an ultimate heat sink | B | 3, 4 |
| 8 | Two redundant and diverse passive decay heat removal systems (PRACS or IRACS and RVACS) | A | 2, 3 |
| 9 | Metallic fuel (high thermal conductivity) | A | 1, 3 |
| 10 | Low linear heat rate | A | 1, 3 |
| 11 | Relatively large volume of sodium in the interconnected primary and secondary coolant systems of a pool type reactor | A | 3, 4 |
| 12 | A whole core sodium void worth is negative | A | 1, 3 |
| 13 | All temperature reactivity feedback coefficients are negative | A | 1, 3 |
| 14 | Fuel assembly inlet geometry providing axial and radial barriers to the debris | A | 1, 2 |
| 15 | Radial expansion of the core | B | 2, 3 |
| 16 | Two redundant and diverse gravity driven reactor shutdown systems (drop of the reflector and ultimate control rod insertion) | C | 1, 2, 3 |
| 17 | No feedback control of the reflector movement | A | 1 |
| 18 | No control rods in the core | A | 1 |

TABLE VIII-9. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

Positive/negative effects of passive safety design features on economics, physical protection, etc. have not been investigated yet.

REFERENCES TO ANNEX VIII

[VIII-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, IAEA, Vienna (2007).

[VIII-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[VIII-3] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[VIII-4] CLINCH RIVER BREEDER REACTOR PLANT PROJECT OFFICE, Clinch River Breeder Reactor Project Preliminary Safety Report, Clinch River Breeder Reactor Plant Project, Clinch River, USA (1978).

[VIII-5] AMERICAN NATIONAL STANDARDS INSTITUTE/AMERICAN NUCLEAR SOCIETY STANDARD, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Power Plants, ANSI/ANS-51.1-1983 (1983).

[VIII-6] AMERICAN NATIONAL STANDARDS INSTITUTE/AMERICAN NUCLEAR SOCIETY STANDARD, Nuclear Safety Criteria for the Design of Stationary Boiling Water Reactor Power Plants, ANSI/ANS-52.1-1983 (1983).

[VIII-7] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

Annex IX

Acceptance criteria

The acceptance criteria for all design basis accidents are as follows:

(a) Coolability criteria:

• Clad temperature to be less than 1473 K;

• Oxidation of clad surface should be less than 17%;

• Maximum energy deposition in fuel for fuel shattering shall not exceed 200 Cal/g;

• Maximum fuel temperature anywhere in the core shall not exceed UO2 melting temperature throughout a transient;

(b) Fuel failure criteria:

• Maximum energy deposition in fuel for fuel failure shall not exceed 140 Cal/g;

• Maximum clad surface temperature shall be 1073 K;

• The radially averaged fuel enthalpy, anywhere in the core, shall not exceed 586 J/g.

Actual calculations indicate that fuel clad temperatures do not exceed 1073 K in any design basis accident sequences mentioned above.

For the purpose of containment design, a double ended guillotine rupture of the 600 mm diameter inlet header has been considered a design basis accident. A large number of other accident scenarios would conventionally fall within the category of beyond design basis accidents (BDBA). However, even in these cases, including the case of an NPP blackout accompanied by failures of both independent fast acting shutdown systems (SDS-1 and SDS-2), it has been demonstrated that none of the acceptance criteria for design basis accidents as indicated above has been violated.

Selection of the beyond design basis accidents

Analysis of the beyond design basis accidents is performed taking into account a superposition of the initiating events (including those not considered in design basis accidents) and the failure of safety systems on top of a single failure, as well as the additional failure of normal operation systems, and their possible combinations that may affect the propagation of accidents.

Additional failures affecting emergency heat removal from the reactor core include a blackout, which leads to cooling of the shut down reactor by the RCCS.

In addition to this, the list of beyond design basis accidents for the GT-MHR includes the postulated simultaneous failure of all heat removal systems — the PCU, the SCS, and the RCCS. This beyond design basis accident is considered in the design to derive the maximum time margin for personnel to take accident management actions aimed at preventing the violation of safe operation limits for fuel temperature in the reactor core, for temperatures of in-vessel metal structures, the reactor vessel, and the reactor cavity concrete.

Failure of pneumatic double isolation valves to close (which leads to bypassing of the containment) is considered an additional failure, which affects the localization (isolation) function at primary circuit depressurization.

Analysis of the above mentioned beyond design basis accidents is performed under an NPP blackout, which results in the emergency cooling of a shutdown reactor by the RCCS.

Failure of the reactor emergency protection system is considered an additional failure which affects the reactor emergency shutdown function. Emergency protection failure in the GT-MHR means failure of all control rods to be inserted into the reactor core upon a signal by the reactor control system.

Beyond design basis accidents with actuation failure of the reactor emergency protection system are analyzed taking into account a superposition of initiating events and additional failures that affect conditions of emergency heat removal from the reactor, i.e., an NPP blackout and SCS failure to actuate upon request. An NPP blackout leads to a loss of PCU operability and requires SCS actuation. An SCS failure to actuate upon request leads to heat removal from the reactor by the RCCS.

In addition to this, the progression of beyond design basis accidents with primary circuit depressurization and emergency heat removal by the RCCS, including beyond design basis accidents with actuation failure of the reactor emergency protection system, is analyzed under an assumption that it is impossible to restart all active channels for heat removal from the reactor core — the PCU and the SCS — during the entire course of such an accident.

SAFETY DESIGN FEATURES OF THE STAR REACTORS

ANL, LLNL, LANL,

United States of America

The reactor concepts addressed in this section are the SSTAR and STAR-LM small lead cooled reactors without on-site refuelling, developed in the Argonne National Laboratory and other national laboratories of the USA. Detailed descriptions of these concepts are presented in [IX-1]; short summaries of the concepts are given in sections IX-1 (SSTAR) and IX-2 (STAR-LM) below. The inherent safety features and passive safety design options of the STAR-LM are similar to those of the SSTAR. Because it would be redundant to list them, they are not reproduced below; the reader is referred to section IX-3 and the following sections on SSTAR.

PROVISIONS FOR SAFETY UNDER EXTERNAL EVENTS

The safety design features of the AHWR intended to cope with external events and external/internal event combinations are described in detail in [VI-5].

The reactor is provided with an inner pre-stressed concrete containment designed to provide leaktightness in the case of a large break LOCA, and an outer secondary containment that protects the inner containment from external events including aircraft impacts.

Location at a high elevation counters the effects of flood related events as well as probable maximum precipitation, maximum possible sea level etc. in extreme environmental conditions.

AHWR structures, systems and equipment are being designed for high level and low probability seismic events such as an operating basis earthquake (OBE) and safe shutdown earthquake (SSE). These are also called S1 and S2 level earthquakes respectively. Seismic instrumentation is also planned in accordance with national and international standards.

Safety related buildings are protected from turbine generated low trajectory missiles.

Fire protection measures comprise physical separation, barriers, and the use of fire resistant materials at potential systems, and also minimize the inventory of combustible material.

Closing dampers in the ventilation systems provide for detection of poisonous gases and minimize their ingress into structures and air intakes. Air bottles with a capacity of 30 minutes are provided to supply fresh air to operating personnel.

Important nuclear auxiliary systems are located inside the reactor building and in the basement, to the extent possible.

As outlined in previous sections, the AHWR incorporates many inherent safety features (e.g., negative void coefficient of reactivity) and passive systems that require no external power and no operator actions to accomplish certain safety functions. The design provides for several heat sinks that remain available with loss of external coolant supply, such as the gravity driven water pool (GDWP) with 6000 m³ of storage capacity, ensuring a three day grace period for decay heat removal; fire water storage, providing cooling of the important auxiliary systems for eight hours; the moderator, which in AHWR acts as an ultimate heat sink; and the emergency water reservoir. All of these features/systems are intended to secure plant safety in the case of both internal and external events and their combinations.