Category Archives: DESIGN FEATURES TO ACHIEVE DEFENCE IN DEPTH IN SMALL AND MEDIUM SIZED REACTORS

BENEFITS AND NEGATIVE IMPACTS ARISING FROM THE INCORPORATION OF INHERENT AND PASSIVE SAFETY DESIGN FEATURES INTO SMRs

Discussed below are the specific positive and negative effects of incorporating inherent and passive safety design features that, in the view of the SMR designers, affect plant characteristics in areas other than safety.

4.1. WATER COOLED SMRS

Table 46 summarizes the positive and negative effects of the inherent and passive safety design features of pressurized water type SMRs in areas other than safety, based on inputs provided by SMR designers in Annexes I-V of this report.

As can be seen from Table 46, relying more on inherent and passive safety features and passive safety systems as compared to traditional solutions based on active safety systems is in all cases a trade-off regarding plant economy.


TABLE 46. SUMMARY OF POSITIVE AND NEGATIVE EFFECTS FROM INCORPORATION OF INHERENT AND PASSIVE SAFETY DESIGN FEATURES INTO PRESSURIZED WATER TYPE SMRs — AREAS OTHER THAN SAFETY

Columns: # / Design feature / Positive effects / Negative effects / SMR designs

1-2. Positive effects:

— Reduced operation and maintenance costs resulting from simplified operation and maintenance (IRIS);

— Higher capacity factor (IRIS);

— Possibly reduced security costs resulting from ‘inherent security’ (IRIS);

— Certain economic benefits achieved via longer reactor pressure vessel lifetime owing to a reduced fast neutron fluence (CAREM-25, IRIS);

— Reduced plant costs resulting from simplification of certain safety systems (CAREM-25, IRIS).

3. Modular design of the reactor unit. SMR design: KLT-40S.
Positive effects: Decrease in plant costs resulting from compactness of the reactor unit and smaller dimensions of the containment.
Negative effects: Certain deterioration of maintainability as compared to loop type plants.

4. Totally leaktight reactor coolant system. SMR design: KLT-40S.
Positive effects: Decrease in the operation costs resulting from a decrease in the amount of radioactive waste.

5. Primary coolant pressure boundary enclosed in a pressurized low enthalpy water containment. SMR design: MARS.
Positive effects: Could facilitate cost reduction via plant licensing without off-site emergency planning; complicates unauthorized access to fuel.
Negative effects: Negatively affects plant costs via the incorporation of an additional pressure vessel and of control rod drive mechanisms able to operate in cold water; complicates plant maintainability through lower accessibility of the primary pressure boundary.

6. Reduced number of safety grade systems and components requiring maintenance. SMR design: MARS.
Positive effects: Improved plant economy owing to simplified operation and maintenance and reduced operation waste.

7. Incorporation of passive safety systems. SMR design: KLT-40S.
Negative effects: Increase in plant construction and maintenance costs.

8. Use of self-actuated devices in passive systems. SMR design: KLT-40S.
Negative effects: Increase in plant construction and maintenance costs.

9. All safety grade safety systems are passive. SMR design: IRIS.
Positive effects: Reduced operation and maintenance costs resulting from reduced complexity and improved reliability of the plant; added resilience to sabotage and other malevolent actions.

10. Natural convection of the coolant. SMR design: CAREM-25.
Positive effects: Reduced operation and maintenance costs owing to design simplification and elimination of main coolant pumps.
Negative effects: Increased specific cost of reactor pressure vessel; potentially increased complexity of reactor operation (startup, etc.).

11. Increased reliance on natural convection of the coolant. SMR design: SCOR.
Positive effects: Decrease in costs owing to simplified operation and maintenance.
Negative effects: Increased specific cost of reactor pressure vessel; potentially increased complexity of reactor operation (startup, etc.).

12. Relatively low core power density and coolant temperature facilitating the use of a passive emergency core cooling system with an infinite grace period, actuated upon flow rate decrease. SMR design: MARS.
Positive effects: Essential simplification of design, with cost savings.
Negative effects: Increased plant costs owing to limited reactor power and energy conversion efficiency.

a With a potential of being counteracted by modular construction of multiple units at a site.

b Counteracted by reduced containment size and reduced plant footprint.

Regarding solutions intended to eliminate certain types of accidents or prevent their consequences through design features, see numbers 1-6 of Table 46. The commonly mentioned expected benefits are:

• Decrease in plant capital costs due to compact primary circuit and compact containment (except for the MARS);

• Decrease in plant capital costs due to simplicity of operation and maintenance, specifically due to a reduction of the number of systems requiring maintenance;

• Decrease in plant capital costs due to elimination or reduction of off-site emergency planning;

• Decrease in plant capital costs via an enhanced option to build several plants at a site or to use twin or multiple unit plants, owing to decreased core damage frequency and large early release frequency;

• Less concern regarding human actions of a malevolent character and, potentially, cost reduction resulting from ‘inherent security’ of the plant.

At the same time, the same solutions are expected to result in the following negative implications:

• Increased plant capital costs owing to the limited power of a single module (potentially counteracted by modular construction of multiple units at a site);

• Increased cost of a larger reactor pressure vessel (or additional pressure vessel in the case of the MARS design);

• Certain deterioration of burnup cycle characteristics (for example, when the liquid boron system is abandoned) or maintainability (for the compact modular design of the KLT-40S and for the MARS design with an additional pressure vessel).

In nearly all cases, the above mentioned benefits and disadvantages have a potential to counteract each other; for example, increased specific capital costs for a single unit plant could possibly be counteracted by modular construction of multiple units at a site; increased vessel costs could be counteracted by reduced containment costs; and certain deterioration of maintainability could be counteracted by a reduced number of systems needing maintenance.

Regarding positive and negative impacts resulting from the application of passive safety systems, the opinions of SMR designers may vary. For example, designers of the KLT-40S see only negative cost implications with use of passive safety systems, such as increased construction and maintenance costs; see numbers 7-8 of Table 46. Designers of the IRIS see only positive cost implications with use of passive safety systems, such as reduced operation and maintenance costs and enhanced resilience to sabotage; see number 9 of Table 46. Other designers mention both positive and negative features. The opinion of designers may also be conditioned by a specific passive safety system type, i.e., expectations might be different for, say, a gravity driven passively actuated shutdown system and a natural convection based decay heat removal system.

PASSIVE SAFETY DESIGN FEATURES OF CAREM

Inherent safety features

The inherent safety features of CAREM are:

• Integrated primary coolant system, eliminating large break LOCA;

• Long characteristic times in the event of a transient or severe accident, due to large coolant inventory and the use of passive safety systems;

• Natural convection core cooling in lower power modules (e.g., CAREM-25) eliminates loss of flow accidents (LOFA);

• Hydraulic control rod drive mechanisms located completely inside the RPV eliminate control rod ejection accidents;

• Negative reactivity effects and coefficients, see Table III-2.

Passive safety systems

The CAREM safety systems are based on passive features obviating the need for accident management over a long period [III-1, III-2]; see Fig. III-2. Systems are duplicated to fulfil redundancy criteria. According to Argentine regulations, the shutdown system is diversified.

Natural circulation and self-pressurization properties

Flow rate in the reactor’s primary systems is achieved by natural circulation. The driving forces resulting from differences in density along the circuit are balanced by friction and shape change losses, producing an adequate flow rate in the core and securing a sufficient thermal margin to critical phenomena. Natural convection of reactor coolant is due to the location of the steam generators above the reactor core.

Self-pressurization of the primary system in the steam dome results from liquid-vapour equilibrium. The large volume of the integral pressurizer also contributes to damping of possible pressure perturbations. Heaters and sprinklers typical of conventional pressurized water reactors (PWRs) are, therefore, eliminated.

Eliminating primary pumps and the pressurizer results in added inherent safety features (loss of flow accident elimination), and in advantages for maintenance and availability.

Categorization of passive systems

At the moment, there is no consensus definition of a passive safety system.

In IAEA-TECDOC-626 [3], four different categories of passive safety features have been proposed, as described below.

Category A passive safety features are those which do not require external signal inputs of ‘intelligence’, or external power sources or forces, and have neither any moving mechanical parts nor any moving working fluid. Examples of safety features included in this category are:

• Physical barriers against the release of fission products, such as nuclear fuel cladding and pressure boundary components and systems;

• Hardened building structures for the protection of a plant against external event impacts;

• Core cooling systems relying only on heat radiation and/or convection and conduction from nuclear fuel to outer structural parts with the reactor in hot shutdown;

• Static components of safety related passive systems (e.g., tubes, pressurizers, accumulators, surge tanks), as well as structural parts (e.g., supports, restraints, anchors, shields).

Category B passive safety features are those which do not require external signal inputs of ‘intelligence’, or external power sources or forces, and have no moving mechanical parts. They do, however, have moving working fluid. Examples of safety features included in this category are:

• Reactor shutdown/emergency cooling systems based on injection of borated water produced by the disturbance of a hydrostatic equilibrium between the pressure boundary and an external water reservoir;

• Reactor emergency cooling systems based on air or water natural circulation in heat exchangers immersed in water reservoirs (inside containment) to which the decay heat is directly transferred;

• Containment cooling systems based on natural circulation of air flowing around the containment walls, with intake and exhaust through a stack or through tubes covering the inner walls of silos of underground reactors;

• Fluidic gates between process systems, such as ‘surge lines’ of PWRs.

Category C passive safety features are those which do not require external signal inputs of ‘intelligence’, or external power sources or forces. They do, however, have moving mechanical parts whether or not moving working fluids are present. Examples of safety features included in this category are:

• Emergency injection systems consisting of accumulators or storage tanks and discharge lines equipped with check valves;

• Overpressure protection and/or emergency cooling devices of pressure boundary systems based on fluid release through relief valves;

• Filtered venting systems of containments activated by rupture disks;

• Mechanical actuators, such as check valves and spring loaded relief valves, as well as some trip mechanisms (e.g., temperature, pressure and level actuators).

Category D passive safety features, referred to as ‘passive execution/active initiation’ type features, are those passive features where the execution of the safety function is made through passive methods as described in the previous categories except that internal intelligence is not available to initiate the process. In these cases an external signal is required to trigger the passive process. Since some desirable characteristics usually associated with passive systems (such as freedom from external sources of power, instrumentation and control and from required human actuation) are still to be ensured, additional criteria such as the following are generally imposed on the initiation process:

• Energy must only be obtained from stored sources such as batteries or compressed or elevated fluids, excluding continuously generated power such as normal AC power from continuously rotating or reciprocating machinery;

• Active components in passive systems are limited to controls, instrumentation and valves, but valves used to initiate safety system operation must be single action, relying on stored energy, and manual initiation is excluded.

ROLE OF PASSIVE SAFETY DESIGN FEATURES FOR DEFENCE IN DEPTH

Some major highlights of the passive safety design features in the SCOR, structured in accordance with the various levels of defence in depth [IV-5, IV-6], are brought out below.

Level 1: Prevention of abnormal operation and failure

• Integral design of the primary circuit;

• Internal CRDMs;

• Relatively low core power density;

• Elimination of soluble boron reactivity control system;

• Substantially negative moderator temperature reactivity coefficient throughout the whole burnup cycle.

Level 2: Control of abnormal operation and detection of failure

• Large coolant inventory in the main coolant system, large thermal inertia of the primary circuit;

• Substantially negative moderator temperature reactivity coefficient throughout the whole burnup cycle.

Level 3: Control of accidents within the design basis

• For a steam line rupture, no possibility of return to criticality and no need for safety injection;

• Large inventory of water inside the RPV; long term cooling by the RRP systems in a passive mode during LOCA;

• For a steam generator tube rupture, no steam release to the atmosphere (steam is condensed in a dedicated pool);

• Primary circuit has no soluble boron; therefore, no risk of dilution by water of the secondary circuit;

• Natural circulation heat removal during a loss of flow accident (LOFA);

• Increased reliability of decay heat removal system achieved through the use of natural convection.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of severe accident consequences [48]

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The following features help in passively bringing down the containment pressure and in minimizing any releases from the containment following a LOCA:

• As large break LOCAs are eliminated by design, the maximum break size in LOCA is limited by 2 x 50 mm;

• Relatively small, inerted, pressure suppression containment;

• Relatively small fuel inventory;

• Increased retention of fission products (flooding of reactor cavity, dedicated pool for steam condensation under a steam generator tube rupture, etc.).

CONSIDERATIONS FOR THE INCORPORATION OF INHERENT AND PASSIVE SAFETY DESIGN FEATURES INTO SMRs

1.2. GENERAL CONSIDERATIONS

General considerations for the incorporation of inherent and passive safety design features into SMRs are not different from those of advanced reactors of any capacity and type. Clearly, the implementation of inherent and passive safety design features can facilitate improved defence in depth. It can also positively affect plant economy through:

— Reduced design complexity and reduced necessity for human intervention resulting in fewer potentially unsafe actions;

— Reduced investment requirements, due to a reduction in qualifications as well as operation and maintenance and, depending on specific design and regulations, reduced off-site emergency planning;

— Increased operability and capacity factors.

It is also noted that the use of inherent and passive safety features can facilitate advantages in areas other than economy, for example:

— Reduced adverse environmental impacts, for example through a reduced number of systems requiring maintenance and associated waste;

— Reduced vulnerability to sabotage through semi-autonomous operation, better reactor self-control in accidents, and ‘passive shutdown’[2] capabilities;

— Deployment in developing countries through simplified infrastructure requirements matching human resource limitations in such countries.

In the view of SMR designers, smaller capacity reactors have the following generic features, potentially contributing to a particular effectiveness in the implementation of inherent and passive safety features:

— Larger surface-to-volume ratio, facilitating easier decay heat removal, specifically, with a single phase coolant;

— An option to achieve compact primary coolant system design, e.g. the integral pool type primary coolant system, which could contribute to the effective suppression of certain initiating events;

— Reduced core power density, facilitating easy use of many passive features and systems, not limited to natural convection based systems;

— Lower potential hazard that generically results from lower source term owing to lower fuel inventory, less non-nuclear energy stored in the reactor, and a lower decay heat generation rate.

Section 2.2. below summarizes considerations of SMR designers regarding inherent and passive safety features that could be easier to achieve in a reactor of smaller capacity for each reactor line considered in this report.

SAFETY DESIGN FEATURES OF THE IRIS

International Team Led by Westinghouse,
United States of America

II-1. DESCRIPTION OF THE IRIS DESIGN

The International Reactor Innovative and Secure (IRIS) is an advanced, integral, light water cooled reactor of medium generating capacity (335 MW(e)), that features an integral reactor vessel containing all the reactor primary system components, including steam generators, coolant pumps, pressurizer and heaters, and control rod drive mechanisms; in addition to the typical core, internals, control rods and neutron reflector [II-1, II-2]. This integral configuration allows for the use of a small, high design pressure, spherical steel containment which results in a significant reduction in the size of the nuclear island. Other IRIS innovations include a simplified passive safety system concept and equipment features that derive from the ‘safety-by-design’™ philosophy [II-3]. This design approach allows for elimination of certain accident initiators at the design stage, or when outright elimination is not possible, decreases accident consequences and/or their probability of occurrence. Major design characteristics of the IRIS are given in Table II-1. As part of the IRIS pre-application licensing review by the U.S. Nuclear Regulatory Commission (NRC), the IRIS design team has developed a test plan that will provide the necessary data for safety analysis computer model verification, as well as for verifying the manufacturing feasibility, operability, and durability of new component designs.

TABLE II-1. MAJOR DESIGN FEATURES OF THE IRIS

Parameters: Features

Core thermal power: 1000 MW

Mode of operation: Base load operation standard. Enhanced load follow mode with control rods (‘mechanical shim’ or M-SHIM strategy)

Plant design life: Over 60 years

Fuel: Sintered ceramic UO2/MOX fuel

Enrichment: Up to 4.95% U fuel readily available, enabling extended cycle of up to four years. Option for infrequent refuelling (8-10 years) requires 7~10% fissile content

Coolant and moderator: Light water, sub-cooled

Number of coolant pumps: Integral primary system; forced circulation with eight in-vessel fully immersed pumps

Containment: Pressure suppression, spherical steel

Reactivity feedback: Moderator temperature coefficient (MTC) negative over the whole cycle and power operating range

Power flattening approach: Burnable absorbers

Reactivity control: Soluble boron, burnable absorber, control rods

Shut down system: Control rods, emergency boron system

Fuel cycle options: Near term deployment — fuel licensable today; mid term deployment with extended refuelling interval — requires fuel irradiation testing

Average discharge burnup: Up to 60 GW-day/t U (immediately available); increased discharge burnup option (expected available by ~2020)


FIG. II-1. Integral primary system of IRIS.

IRIS is innovative in design, employing an integrated primary system that incorporates all the main primary circuit components within a single vessel, i.e., the core with control rods and their drive mechanisms, eight helical coil steam generators with eight associated fully immersed axial flow pumps, and a pressurizer; see Fig. II-1.

The integral configuration offers intrinsic design improvements as briefly discussed below: [38]


FIG. II-2. Compact integral layout of IRIS.

• Large downcomer: The 1.7 m wide downcomer reduces the fast neutron flux on the reactor vessel by 5 orders of magnitude. This leads to a ‘cold’ (i.e., not activated) vessel with almost no outside dose, no vessel embrittlement, and no need for surveillance. The vessel is essentially ‘eternal’, and decommissioning is simplified;

• Fuel assembly: The same assembly as in standard Westinghouse PWRs is used, but it can provide an extended cycle up to 48 months;

• Maintenance: Intervals between maintenance outages can also be extended up to 48 months, thus enabling uninterrupted operation for up to 4 years.

While leading to a larger reactor vessel, the integral layout results in a smaller containment (as illustrated in Fig. II-2) and overall a more compact site, with a positive impact on safety and economics.

APPROACHES TO SAFETY SYSTEM SELECTION: ACTIVE VERSUS PASSIVE SAFETY SYSTEMS

The enveloping design approach for SMR designs considered in the present report is meant to eliminate as many accident initiators and/or prevent as many accident consequences as possible by design, and then to deal with the remaining accidents/consequences using reasonable combinations of active and passive safety systems and consequence prevention measures.

To prevent accidents, inherent safety features are used in the design, making direct contributions to defence in depth Level 1. These features may be very different for different reactor lines, e.g., eliminated piping or internal location of control rod drives in pressurized water reactors; eliminated steam generators and steam power circuit in direct cycle HTGRs; optimum combinations of reactivity effects and negative void worth in sodium cooled and lead cooled fast reactors; they are summarized in more detail below.

When available, contributions of inherent safety features to subsequent levels of defence in depth can help reduce hazards associated with accidents by ensuring increased reactor self-control, by slowing down accident progression, or by limiting accident scope. Relatively high heat capacity of the primary circuit is typical here, for many reactor lines.

Certain inherent safety features, such as high temperature fission product confinement properties of fuel and high temperature margin to fuel failure contribute directly to defence in depth Levels 3 and 4.

In addition to inherent safety features, some reliable passive features, such as additional passive structures (containment, guard vessel, or additional pressure boundary around the primary circuit, or coaxial double pipes — categorized as Category A passive systems in [12] but often referred to as inherent or by-design safety features [2, 3]), or reliable mechanisms of heat transfer, such as heat transfer by conduction and radiation via reactor core and reactor internals, or ultimate heat sink based on natural draught of air outside of the reactor vessel, could contribute to various levels of defence in depth in a way similar to inherent safety features, i.e., help to prevent certain accidents or accident consequences or reduce their scope.

With maximum possible use of the inherent and passive safety features provided by design, the remaining accident sequences are then dealt with using dedicated active or passive safety systems.

There is no single approach in selecting an optimum combination of active and passive safety systems, even for a single reactor line. A balanced view is that passive safety systems that use natural mechanisms such as gravity or buoyancy, or spring force for their operation require no operator action to get actuated, and rely on no external power or working media supply, have a potential to make plant design, maintenance and operation more simple, to enhance plant safety under a variety of internal and external events and combinations thereof, to improve plant resilience to human actions of malevolent character (add ‘intrinsic security’), and to improve plant economy. At the same time, it is recognized that the incorporation of passive safety systems in reactor designs needs to be adequately validated and tested due to several issues highlighted in Appendix 1.

For a passive safety system, functional failure (i.e., a failure of the system to perform its function) may happen if the initial or boundary conditions deviate from a specified range of values on which the performance of the system depends. Mainly because the driving forces in passive systems are most often small, the overall balance of forces defining the functional operation of a system may easily get changed even with a small disturbance or change in operating parameters [19-28]. The difficulties in evaluation of a functional failure of passive safety systems may be related to:

• Lack of plant data and operating experience;

• The experimental data obtained from integral facilities or even from separate effect tests is insufficient to understand system performance characteristics in normal operation and in transients and accidents;

• Lack of a clear definition of failure mode for passive safety systems;

• Difficulties in modelling the physical performance of such systems; for example, for natural convection based systems, such difficulties may be related to:

— Low flow rate of natural convection, under which the flow cannot be fully developed and which is multidimensional in its nature;

— Flow instabilities, which include flashing, geysering, density waving, flow pattern transition instabilities, etc.;

— Critical heat flux changes under oscillatory conditions;

— Flow stratification with kettle type boiling, particularly in large diameter vessels;

— Thermal stratification in large water pools;

— Effects of non-condensable gases on condensation, etc.

• Unknown capability of the so-called ‘best estimate codes’ to simulate performance of passive safety systems, owing to the fact that such codes were mainly developed to model active safety systems.

Therefore, before incorporating passive safety systems into plant design, their capacity and reliability need to be validated and tested over a broad range of states, from normal power operation to transients and accidental conditions [22, 23].

In addition to what was mentioned above:

• Economics of advanced reactors with passive safety systems should be assessed, taking into account all related aspects of construction and decommissioning;

• Ageing of passive safety systems should be considered, especially for longer plant lifetimes; for example, corrosion and deposits on heat exchanger surfaces could impair the functional performance of passive safety systems;

• Passive safety systems should be designed with a provision for easy in-service inspection, testing and maintenance, and ensure that the dose rate to workers is within the limits prescribed by regulations.

With all these aspects in mind, selection of an optimum combination of active and passive safety systems depends on previous experience of their validation and testing, on the availability of a system prototype, on a function that the system is expected to perform, and on considerations of redundancy, diversity and independence as measures to cope with common cause failure [7], as well as on considerations of plant economy, operating complexity, applications, security, and other factors.

It should be noted that passive safety systems in the SMRs considered in this report are not limited to natural convection based systems for passive decay heat removal, such as emergency core cooling systems, or to passive safety injection systems, but also include passive shutdown systems, such as those based on gravity or spring-force driven insertion of control rods, actuated upon flow disruption or system de-energization; passive systems of gas gap filling with (liquid metal) coolant to boost conduction for heat removal to the outside of the reactor vessel; passive mechanisms of fuel carry over from the core in the case of a fuel element failure to avoid recriticality in fast reactors; and others.

A useful categorization of passive systems is provided in IAEA-TECDOC-626 [12]; for convenience, some definitions from this reference are reproduced in Appendix 1 of this report.

Particular approaches to application of passive versus active safety systems applied by the designers of the SMRs considered in the present report are highlighted in Section 3.2., in conjunction with Level 3 of defence in depth. A common feature of all SMRs considered in the present report is that they all use passive decay heat removal systems. In all cases these systems are redundant and safety grade. Regarding shutdown systems, they could be active or passive, safety grade or non-safety-grade, based on different principles and using different components — control rods, absorber balls, or safety injections. Where applicable, depressurization systems are provided, which in most cases are actuated passively, by safety relief valves (check valves).

All solutions with active and passive safety systems described in the present report follow the principles of redundancy, diversity and independence [7].

In the case of light water reactors, there are certain advantages regarding passive safety systems, because more experience in validation, testing, certification and operation of such systems has been accumulated [19]. Certain, although more limited, experience is available for HTGR type reactors [17]. For SMRs of other types, extensive R&D programmes are required; in some cases such programmes were already in progress during preparation of this report [2, 3].

Performance assessment issues for passive safety systems are highlighted in more detail in Appendices I and II.

First shutdown system (FSS)

The FSS is designed to shut down the core when an abnormality or a deviation from normal operation occurs and to maintain the core in a subcritical condition during all shutdown states. This function is achieved by dropping neutron absorbing elements into the core, driven by gravity. Each neutron absorbing element is a cluster composed of a maximum of 18 individual rods coupled together in a single unit. Each unit fits into the guide tubes of a fuel assembly.

The internal hydraulic control rod drive (CRD) eliminates the mechanical shafts passing through the reactor pressure vessel (RPV) or through the extension of the primary pressure boundary and, as the whole device is located inside the RPV, contributes to the elimination of large break LOCAs. This design is an important element in the CAREM concept. Many of the control rods belong to a fast shutdown system. A simplified diagram of the fast shutdown system hydraulic CRD is shown in Fig. III-3. During normal operation, fast shutdown system control rods are kept in the upper position, where the piston partially closes the outlet orifice and reduces water flow leaking into the RPV dome.

The CRD of the control and adjustment system is a hinged device controlled in steps and fixed in position by pulses over a base flow, designed so that each pulse produces only one step.

Both types of devices perform the reactor scram function by using the same principle: ‘rods are dropped driven by gravity when the flow is interrupted’, so that the malfunction of any powered part of the hydraulic circuit (i.e., a valve or a pump failure) causes immediate shutdown of the reactor. The CRD of the fast shutdown system is designed with a large gap between piston and cylinder to obtain a minimum dropping time (of a few seconds) to insert absorbing rods completely into the core. CRD manufacturing and assembling allowances are stricter, and clearances are narrower, for rods of the control and adjustment system, but there is no stringent requirement on dropping time.

TABLE III-2. REACTIVITY EFFECTS OF CAREM

| Characteristic | Value |
|---|---|
| Fuel temperature reactivity coefficient | <-2.1 pcm/°C |
| Coolant temperature reactivity coefficient | <-40 pcm/°C in normal operation; <-4 pcm/°C in cold shutdown |
| Coolant void coefficient | <-147 pcm/% in normal operation; <-43 pcm/% in a cold shutdown state |
| Burnup reactivity swing | 3600 pcm |
| Maximum power peaking factor | 2.7 |

FIG. III-2. Containment and safety systems of CAREM. Legend: 1: First shutdown system; 2: Second shutdown system; 3: Residual heat removal system; 4: Emergency injection system; 5: Pressure suppression pool; 6: Containment; 7: Safety valves; A: Core; B: Steam generators; C: Reactor building.

FIG. III-3. Simplified operating diagram of a hydraulic control rod drive (fast shutdown system).

Second shutdown system (SSS)

The SSS is a gravity driven injection device using borated water at high pressure. It acts automatically when the reactor protection system detects a failure of the FSS or in the case of a LOCA. This system consists of two tanks located in the upper part of the containment. Each of them is connected to the reactor vessel by two pipelines; one is from the steam dome to the upper part of the tank, and the other is from a position below the reactor water level to the lower part of the tank. When the system is triggered, the valves open automatically and the borated water drains into the primary system, driven by gravity. The discharge of a single tank produces the complete shutdown of the reactor.

Examples of safety systems which may be included in this category are:

• Emergency core cooling/injection systems, based on gravity driven or compressed nitrogen driven fluid circulation, initiated by fail safe logic actuating battery powered electric or electro-pneumatic valves;

• Emergency core cooling systems, based on gravity driven flow of water, activated by valves which break open on demand (if a suitable qualification process of the actuators can be identified);

• Emergency reactor shutdown systems based on gravity driven, or static pressure driven control rods, activated by fail-safe trip logic.

Some non-conventional terms used in this report

(1) The wording ‘reactor line’ is used to denote the totality of known designs of reactors of a given type, e.g., the reactor lines considered in the present report are pressurized water reactors, pressurized light water cooled heavy water moderated reactors, high temperature gas cooled reactors, sodium cooled and lead cooled fast reactors, and non-conventional reactor designs.

(2) Several designers of SMRs addressed in this report use the wording ‘passive shutdown’ to denote bringing the reactor to a safe low-power state with balanced heat production and passive heat removal, with no failure to the barriers preventing radioactivity release to the environment; all relying on inherent and passive safety features only, with no operator intervention, no active safety systems involved, and no external power and water supplies necessary, and with an infinite grace period for practical purposes.

(3) The wording ‘reactor self-control’ is used by the designers of SMRs to refer to the capability of a reactor to self-adjust reactivity and power levels in a way that prevents the progression of an abnormal operation occurrence or a design basis accident into a more severe stage, without the operation of active safety systems or operator intervention.

(4) Descriptions of the passive safety design features of SMRs, contributed by Member States and given in Annexes I-X of this report, may occasionally include the following terms that are not accepted internationally but are in use in certain Member States:

• In India they may use the term ‘incident conditions’ instead of ‘accident conditions’ defined in NS-R-1 [2];

• In France they may use the term ‘intrinsic safety feature’ with a meaning corresponding to ‘inherent safety feature’ used by the IAEA [2];

• In the Russian Federation, the term ‘self-protection feature’ is sometimes used to denote the capability of a reactor to bring itself to a safe state in a certain unprotected transient without human intervention. It is used to denote a combination of inherent and passive safety features and also includes passively actuated or permanently operating passive safety systems;

• Also in the Russian Federation, the term ‘self-defence principle’ is sometimes used in application to innovative reactors to define the use of reactor inherent and passive safety features and passive safety systems to ensure ‘deterministic type’ protection from the more important severe accidents;

• In the USA, within the I-NERI and Generation IV programmes, the term ‘passive safety’ is used with a meaning very close to what IAEA-TECDOC-626 defines as an inherent safety characteristic. Specifically, ‘passive safety’ includes such phenomena as the core always being covered with coolant, or the elimination of the possibility of losing the flow of a primary system;

• The IRIS team led by Westinghouse (USA) uses the term ‘safety-by-design’ to characterize an inherent safety feature where postulated accidents by design: 1) are outright eliminated, or 2) have reduced probability of occurring, and/or 3) have reduced consequences;

• Regarding passive design options not related to safety, the term ‘passive load follow’ is used in the USA to denote self-adjustment of a reactor power due to reactivity feedbacks following changes of heat removal;

• In the USA, the term ‘pre-conceptual design’ is used to denote the early design stage, referred to as ‘feasibility study’ in [7];

• Also in the USA, the term ‘to design-out certain events’ is used to denote essential suppression or elimination of certain events by design.

REFERENCES TO APPENDIX III

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Innovative Small and Medium Sized Reactors: Design Features, Safety Approaches and R&D Trends, IAEA-TECDOC-1451, IAEA, Vienna (2005).

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[4] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[5] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety Principles for Nuclear Power Plants: 75-INSAG-3 Rev. 1, INSAG-12, IAEA, Vienna (1999).

[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Terms for Describing New, Advanced Nuclear Power Plants, IAEA-TECDOC-936, IAEA, Vienna (1997).

[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

Summary of performance in design basis accidents

Table IV-3 gives a comparison of the progression of typical design basis accidents between a standard PWR and the SCOR.

The calculations performed for the SCOR show that all transients could be adequately managed in a passive way (in the vessel, in the RRP loop, and in the heat sink) with only 4 out of 16 RRP loops, no matter what the heat sink is: a pool or an air cooling tower. This represents a redundancy of 16 times 25%. RRP operation is compatible with an active or passive mode, whatever the primary pressure or temperature. As the in-vessel heat exchangers of the RRP loop are located very close to the core, and thanks to the flow bypass of the venturi, the RRP are operational in a two phase flow mode (primary side), in the case of a small primary water inventory. Long term cooling may be ensured in a totally passive mode due to the RRP with an air cooling tower. A safety injection at 2.0 MPa with a small flow rate is needed only one hour after the beginning of the biggest possible LOCA, that is, a double break of the pressurizer line (2 x 50 mm). In the event of a steam generator tube rupture, the steam released from the safety valves of the secondary circuit is condensed in a dedicated pool. No steam is released to the atmosphere.

TABLE IV-3. DESIGN BASIS ACCIDENTS IN STANDARD PWRS AND IN SCOR [IV-1]

| Initiating event | Transient progress in standard PWRs | Transient progress in SCOR |
|---|---|---|
| NPP blackout | Natural convection in the primary circuit; an external electricity source (diesel) is required for the systems involved (seal pump, safety injection, etc.); heat sink effective for a few hours | Natural convection in the primary circuit; very few systems involved (diesels with a reduced power or a battery); infinite autonomy of the RRP systems with an air heat sink |
| Steam line rupture | Risk of recriticality; high pressure safety injection (HPSI) with borated water required | No risk of recriticality; no need for safety injection |
| LOCA | Possible early core exposure, depending on the break size; demand for safety injection systems of three types: HPSI, hydro-accumulators, and low pressure safety injection (LPSI); possible demand for a fast safety injection (depending on the break size); long term cooling by LPSI (active system) required | No early core dewatering (at least for 1.5 hours after the transient start with no RRP operation); safety injection of only one type (LPSI) is needed, with a small flow rate; no demand for immediate LPSI operation; long term cooling provided by the RRP systems in a passive mode |
| Steam generator tube rupture | Risk of a primary water release through the broken steam generator; request for safety injection disturbs the transient management; delicate management of the decreasing pressure is required to prevent the secondary water without boron from flowing into the primary circuit through broken tubes of the steam generator | No steam release to the atmosphere (steam is condensed in a pool); cooling by RRP systems, no need for safety injection; primary coolant has no soluble boron, therefore no risk of dilution by the secondary coolant |