Category Archives: DESIGN FEATURES TO ACHIEVE DEFENCE IN DEPTH IN SMALL AND MEDIUM SIZED REACTORS

REACTOR LINE SPECIFIC CONSIDERATIONS

1.2.1. Pressurized water reactors

The designers of pressurized water SMRs cumulatively mention the following inherent and passive safety design features as facilitated by smaller reactor capacity and size:

— Integral design of the primary circuit with in-vessel location of steam generators and control rod drives, to eliminate large diameter piping, minimize reactor vessel penetrations, and prevent large-break loss of coolant accidents (LOCA) and reactivity initiated accidents with control rod ejection, as well as to limit the scope of small and medium-break LOCA;

— Compact modular loop-type designs with reduced piping length, an integral reactor cooling system accommodating all main and auxiliary systems within a leaktight pressure boundary, and leak restriction devices, all to prevent LOCA or limit their scope and hazard;

— A primary pressure boundary enclosed in an enveloping shell with low enthalpy slow moving water, intended to prevent LOCA or limit their scope and hazard;

— Increased thermal inertia at a reasonable reactor vessel size, contributing to long response time in transients and accidents;

— Enhanced levels of natural convection, sufficient to passively remove decay heat from a shutdown reactor over an indefinite time;

— In-vessel retention of core melt through, for example, passive external cooling of the reactor pressure vessel;

— Compact design of the primary circuit and the containment, to facilitate protection against missiles and aircraft crash.

IRIS new design features and components

The integral reactor coolant system (Integral RCS) is characterized by:

• Entire RCS located in a single pressure vessel;

• No additional pressure vessels, connecting loop piping, or supports.

The integral reactor vessel includes:

• Axial flow, fully immersed coolant pumps with high temperature bearings and high temperature sealed rotor and stator windings;

• Helical-coil, once through steam generators (SGs);

• Internal control rod drive mechanisms (I-CRDMs) designed for in-vessel environment;

• Pressurizer and related heaters.

IRIS three tier safety concept

The overall approach to safety in the IRIS is represented by the following three tier approach:

(1) The first tier is safety-by-design™ [II-3], which aims at eliminating by design the possibility for an accident to occur, rather than dealing with its consequences. By eliminating some accidents, the corresponding safety systems (passive or active) become unnecessary as well;

(2) The second tier is provided by simplified passive safety systems, which protect against the accident possibilities still remaining and mitigate their consequences;

(3) The third tier is provided by active systems which are not required to perform safety functions (i.e., are not safety grade) and are not considered in deterministic safety analyses, but do contribute to reducing core damage frequency (CDF).

First Tier

The first tier is embodied in the IRIS ‘safety-by-design’™ philosophy [II-3]. Nuclear power plants consider a range of hypothetical accident scenarios. The IRIS ‘safety-by-design’™ philosophy is a systematic approach that aims — by design — to eliminate altogether the possibility for an accident to occur, i.e., to eliminate accident initiators, rather than having to design and implement systems to deal with the consequences of an accident. It should be noted that integral configuration is inherently more amenable to this approach than a loop type configuration, thus enabling safety improvements not possible in a loop reactor. To consider only the most obvious example, loss of coolant accidents caused by a large break of external primary piping (large break loss of coolant accidents — large break LOCAs) are eliminated by design since no large external piping exists in IRIS. Additionally, in cases where it is not possible or practical to completely eliminate potential initiators of an accident, safety-by-design™ aims at reducing the severity of the accident’s consequences and the probability of its occurrence. As a result of this systematic approach, the eight Class IV design basis events [II-3] (potentially leading to the most severe accidents) that are usually considered in light water reactors (LWRs), are reduced to only one in the IRIS, with the remaining seven either completely eliminated by design, or their consequences (as well as probability) reduced to a degree that they are no longer considered Class IV events [II-1, II-2].

Second Tier

The second tier consists of passive safety systems needed to cope with remaining potential accidents. Because of safety-by-design™, they are fewer and simpler than in typical passive loop type LWRs [II-1]. Notably, the elimination of the possibility for some accidents to occur enables simplifications of the IRIS design and passive safety systems, resulting simultaneously in enhanced safety, reliability, and economics. In other words, increased safety and improved economics support each other in the IRIS design.

Third Tier

The third tier has been addressed within the probabilistic risk assessment/probabilistic safety assessment (PRA/PSA) framework. In fact, PRA was initiated early in the IRIS design, and was used iteratively to guide and improve the design safety and reliability (thus adding ‘reliability by design’). The PRA has suggested modifications to reactor system designs, resulting in reduction of the predicted core damage frequency (CDF). After these modifications, the preliminary PRA level 1 analysis [II-4] estimated the CDF due to internal events (including anticipated transients without scram, ATWS) to be about 2 × 10⁻⁸, more than one order of magnitude lower than in typical advanced LWRs [II-1]. A subsequent evaluation [II-5] of the large early release frequency (LERF) also produced a very low value, of the order of 6 × 10⁻¹⁰, which is more than one order of magnitude lower than in typical advanced loop LWRs [II-1], and several orders of magnitude lower than in present LWRs.

SUMMARY AND CONCLUSIONS

This report presents a description of design features used to achieve defence in depth in eleven concepts of small and medium sized reactors (SMRs), representing different reactor lines. The descriptions are structured to follow the definitions and recommendations of IAEA safety standard Safety of Nuclear Power Plants: Design [7], with some references made to other IAEA safety standards and publications, such as [8, 12, 13].

The selected SMRs represent different reactor lines, intended for different applications, and targeting different deployment timeframes. The reactor lines considered are pressurized water reactors — the KLT-40S, the IRIS, the CAREM-25, the SCOR, and the MARS — targeted for cogeneration or electricity production; pressurized boiling light water cooled heavy water moderated reactors — the AHWR — targeted for electricity generation with potable water production; a high temperature gas cooled reactor — the GT-MHR — targeted for electricity generation and advanced non-electrical applications, including complex cogeneration with bottoming cycles; sodium cooled and lead cooled fast reactors — the 4S-LMR, the SSTAR, and the STAR-LM — targeted for electricity production or cogeneration; and a non-conventional very high temperature design — the CHTR — targeted for hydrogen production and other advanced non-electrical applications. Design descriptions, design status, targeted deployment dates, and applications of the SMRs considered in this report are presented in more detail in Refs [2, 3, 4].

One of the reactors, the KLT-40S, to be used for a floating NPP, is under construction with deployment of the plant scheduled for 2010. The IRIS, the CAREM-25, and the AHWR are likely to be commercialized by 2012-2015. The SCOR, the MARS, and the 4S-LMR have the potential to be deployed as first of a kind or prototype plants by 2015. The GT-MHR, the SSTAR, the STAR-LM, and the CHTR are targeted for deployment by 2020-2025; they are still at pre-conceptual design stages.

An enveloping design approach for the SMR designs considered in this report is to eliminate as many accident initiators and/or to prevent as many accident consequences as possible through design, and to deal with the remaining accidents/consequences using plausible combinations of active and passive safety systems and consequence prevention measures. This approach is also targeted for Generation IV energy systems and, to a certain extent it is implemented in some near term light water reactor designs of larger capacity, such as the VVER-1000, the AP1000, and the ESBWR [4].

General features of SMRs that, in view of their designers, contribute to a particular effectiveness of the implementation of inherent and passive safety design features in smaller reactors are:

• Larger surface to volume ratio, which facilitates easier decay heat removal, especially with a single phase coolant;

• An option to achieve compact primary coolant system design, e.g. integral pool type primary coolant system, which could contribute to the effective suppression of certain initiating events;

• Reduced core power density, facilitating easy use of many passive features and systems;

• Lower potential hazard that generically results from lower source term owing to lower fuel inventory, lower non-nuclear energy stored in the reactor, and lower integral decay heat rate.

For pressurized water reactors, there are three distinct design approaches, including: designs with integral primary circuit, with the reactor vessel accommodating steam generators and internal control rod drives, as well as elimination of large diameter piping, and minimizing of reactor vessel penetrations; compact modular loop-type designs with reduced piping length, an integral reactor cooling system accommodating all main and auxiliary systems within a leaktight pressure boundary, and leak restriction devices; and a design which has the primary pressure boundary enclosed in an enveloping shell with low enthalpy slowly moving water.

All pressurized water small and medium sized reactors incorporate design features to prevent loss of coolant (LOCA) accidents or reduce their scope. In addition to this, the pressurized water SMRs also incorporate features for the prevention of certain reactivity initiated accidents (integral designs of the primary circuit with in-vessel location of the control rod drives), for the smooth and slow character of transients owing to internal or ‘soft’[21] pressurization and a relatively large water inventory, and for the de-rating of events with steam generator tube rupture. Whether or not these features are unique to SMRs is an open question. For example, conceptual design studies performed for PWRs with the integral design of the primary circuit accommodating both steam generators and control rod drives, point to an option to realize such features in reactors of up to 1000 MW(e) capacity. However, such proposals are still at an early conceptual design stage [16]. Regarding compact modular loop-type designs, based on the experience of marine propulsion reactors, their maximum possible unit size (known from completed design studies) is around 400 MW(e) [2]. There are no known large capacity reactor proposals for a design which has the primary pressure boundary enclosed in an enveloping shell with slowly moving water of low enthalpy.

Advanced pressurized boiling light water cooled heavy water moderated reactors are represented by one design (the AHWR), with its principal feature being heat removal by natural circulation in all modes. Main circulation pumps are excluded, thus loss of flow accidents are prevented by design. Maximum unit size within which such a technical solution can be maintained has not been examined.

For high temperature gas cooled reactors (HTGRs), the concept considered (GT-MHR) corresponds to one of two known fuel design options — that with pin-in-block TRISO based fuel. HTGR concepts incorporating an alternative fuel design — pebble bed TRISO fuel — were not considered in the present report. Independent of fuel design, all HTGRs incorporate design provisions to reduce hazards in accident scenarios that are potentially severe in reactors of other types, including loss of coolant (LOCA), loss of flow (LOFA), and reactivity initiated accidents. These provisions are based on the proven fission product confinement capability of TRISO fuel at high temperatures and high fuel burnups, which also enables long term passive decay heat removal, even from a voided reactor core, via natural processes of conduction, radiation, and convection. For the known materials of reactor vessels and known HTGR core designs, passive decay heat removal is possible only when reactor unit power is below ~600 MW(th). Direct gas turbine cycle HTGRs also do not have steam generators and steam turbine power circuits, which could otherwise lead to initiating events.

For fast reactor lines, the sodium cooled 4S-LMR and the lead cooled SSTAR and STAR-LM concepts have been considered. Both designs incorporate optimum sets of reactivity feedbacks and other inherent safety features, provided by design, to effectively reduce the scope and hazard of certain accidents and combinations of accidents that are potentially severe in reactors of other types. This is specifically the case for transient overpower events.

In the 4S-LMR, corresponding features include a negative whole-core void reactivity effect, contributing to defence in depth Level 3, and the absence of control rods in the core, with power being controlled via a feedwater flow rate in the power circuit. Burnup reactivity compensation is then performed with an active system based on a very slow upward movement of pre-programmed radial reflectors, with no feedback control. Should a reflector get stuck, the reactor would operate safely for a certain time and then get ‘passively shut down’[22] by the increasing negative reactivity. At the same time, the drop of axial reflectors is a standard reactor shutdown feature. Altogether, the features mentioned above are unique to small size reactors.

For the lead cooled SSTAR and STAR-LM, the inherent safety features contributing to the prevention of possible accidents or to a reduction of their scope are generally typical of the lead cooled reactor line. They include the very high boiling point of lead; a pool type design with a free surface of lead to allow removal of gas bubbles from primary coolant before they enter the core; location of the guard vessel and reactor in the concrete shaft; optimum sets of reactivity effects; and high heat capacity and small overall reactivity margin in the reactor core. Although some designers see it as capacity independent, the ‘passive shutdown’ option for larger sized lead cooled reactors needs to be further examined and proven. It should be noted that some designers mention the unit size of the lead and lead-bismuth cooled reactors is limited because of seismic considerations. According to studies performed in Japan, size cannot exceed ~750 MW(e), which is slightly above the SMR range boundary of 700 MW(e); see Annex XV in reference [2].

Finally, the CHTR, a non-conventional design lead-bismuth cooled very high temperature reactor, designed to operate with 233U-Th based TRISO fuel, merges the technologies and inherent safety features of the lead cooled and HTGR type reactors, and also incorporates other features intended to prevent failures through increased temperature margins, to eliminate loss of flow accidents via natural circulation, to incorporate reliable heat pipe based systems for heat removal, and to reduce the scope and hazard of transient overpower accidents by limiting the reactivity margin in the core. The application of all these features is supported by the relatively small core power density typical of a TRISO type fuel. Although the CHTR is a very small reactor with 100 kW(e), similar technologies are planned for use in future reactors of larger capacity (up to 600 MW(th)).

The information on passive and active safety systems incorporated in the designs of the SMRs considered in this report indicates there is no single strategy; a variety of approaches are being applied in different SMRs even when they belong to the same reactor line. It is important to note that broad incorporation of inherent and passive safety features pursued by SMR designers to prevent certain accidents and accident consequences or reduce their scope and hazard is in several cases conditioned or facilitated by smaller reactor capacity and size. However, the design solutions used for active and passive safety systems are, in general, not capacity dependent. With smaller reactor capacity, it is possible to facilitate the application of passive safety features and systems, specifically, those based on the natural convection of a single phase coolant, or those incorporating mechanisms of heat transfer by conduction and radiation.

Selection of reasonable combinations of active and passive safety systems is based on specific design considerations, validation and testing experience, regulatory practice, plant economy and plant lifetime considerations, provisions for in-service inspection and other aspects, and may vary from case to case.

It should be noted that all SMRs addressed in the present report incorporate redundant passive systems or passive mechanisms of decay heat removal. Regarding reactor shutdown systems, a variety of approaches is proposed ranging from standard active mechanical control rods to gravity or spring force driven absorber insertion actuated upon de-energization or coolant flow disruption, to passively operated safety injections, to a ‘passive shutdown’ mechanism based on the inherent safety features of a reactor design, and to a mechanism of fuel carry over from the core in the case of a cladding failure (intended to prevent recriticality in fast sodium cooled reactors). Depressurization and isolation systems, where applicable, often use direct action devices, e.g., check valves, to become actuated. An approach that needs to be mentioned, as it is applied in several water cooled, gas cooled and liquid metal cooled SMRs, is to have all safety systems passive and safety grade. In this, it is assumed that certain non-safety-grade active systems/components of normal reactor operation are capable of making an (auxiliary) contribution to the execution of safety functions in accidents.

All SMRs considered in the present report incorporate a containment — in many cases a double containment — or a containment and a protective shell or enclosure. Compact containment design and plant embedment below ground level are commonly mentioned as factors contributing to enhanced protection against an aircraft crash.

The designers of SMRs mention that features of their reactors such as the capability to survive design basis accidents and combinations thereof relying only on inherent and passive safety features, with no operator or emergency team interventions, and without external supplies of energy and working media, could also contribute to plant protection against a variety of natural and human induced external events.

Altogether, passive safety systems are broadly applied in the SMR designs considered. At the same time, there are potential concerns related to passive safety systems, derived from a small amount of experience with reactor design using such systems. In particular, these concerns are the following:

• Reliability of passive safety systems may not be understood as well as that of active safety systems;

• There may be a potential for undesired interaction between active and passive safety systems;

• It may be more difficult to ‘turn off’ an activated passive safety system, if so desired, after it has been passively actuated;

• Implications of the incorporation of passive safety features and systems into advanced reactor designs to achieve targeted safety goals need to be proven, and the supporting regulatory requirements need to be worked out and put in place.

To address these and other issues related to the performance assessment of passive safety systems, the IAEA recommended coordinating a research project called “Development of Methodologies for the Assessment of Passive Safety System Performance in Advanced Reactors” in 2008-2011. The objective is to determine a common analysis and test method for reliability assessment of passive safety system performance.

For all SMRs considered in this report, designers expect that prototype or first of a kind plants with their respective SMRs would be licensed according to currently emplaced regulatory norms and practices in Member States. Further advancement of regulatory norms could facilitate design improvements in the next generation of plants.

Further revisions of the IAEA safety standards toward a technology neutral approach[23] could be of value to facilitate design development and safety qualification of non-water-cooled SMRs, such as the GT-MHR, the 4S-LMR, the SSTAR and STAR-LM, and the CHTR.

The designers of most of the SMRs considered in the present report foresee that safety design features contributing to defence in depth Levels 1-4 [7] could be sufficient to meet the objective of the defence in depth Level 5 “Mitigation of radiological consequences of significant release of radioactive materials”, i.e., that emergency planning measures outside the plant boundary might be reduced or even not needed at all. The design features of the SMRs indicated to make a contribution directly to Level 5 of defence in depth are lower fuel inventory, lower non-nuclear energy stored in the reactor, and lower integral decay heat rate of a smaller reactor as compared to a large capacity one.

As a desired or possible feature, reduced off-site emergency planning is mentioned in the Technology Goals of the Generation IV International Forum [15], in the user requirements of the IAEA’s International Project on Innovative Reactors and Nuclear Fuel Cycles (INPRO) [14], and in the recommendations of the International Nuclear Safety Advisory Group (INSAG-12) [11], with the caution that full elimination of off-site emergency planning may be difficult to achieve or with the recommendation that Level 5 of defence in depth still needs to be kept, notwithstanding its possibly decreased role. Achieving the goal of reduced off-site emergency planning would require both development of a methodology to prove that such reduction is possible in the specific case of a plant design, and adjustment of existing regulations. A risk informed approach to reactor qualification and licensing could facilitate licensing with reduced off-site emergency planning for smaller reactors, once it gets established.[24] Within the deterministic safety approach it might be very difficult to justify reduced emergency planning in view of a prescribed consideration of a postulated severe accident with radioactivity release to the environment owing to a common cause failure. Probabilistic safety assessment (PSA), as a supplement to the deterministic approach, might help justify very low core damage frequency (CDF) or large early release frequency (LERF), but it does not address the consequences and, therefore, does not provide for assessment of the source terms. A risk-informed approach that introduces quantitative safety goals, based on the probability-consequences curve could help solve the dilemma by providing a quantitative measure for the consequences of severe accidents and by applying a rational technical and non-prescriptive basis to define a severe accident. 
An example of such an approach is in the recently published IAEA-TECDOC-1570 Proposal of a Technology-Neutral Safety Approach for New Reactor Designs [13]. When this report was prepared, such an approach had not yet been established as an IAEA safety standard.

The report provides a review of the positive and negative effects of the incorporation of inherent and passive safety design features of the addressed SMRs in areas other than safety, based on inputs provided by SMR designers in Annexes I-X. Positive developments include:

• Simplicity of plant design, resulting from a reduction of the number of systems and components, and simplicity of plant operation and maintenance, resulting from a reduced number of systems and components requiring maintenance — both factors contribute to a reduction in plant costs;

• For many designs reduced plant costs, resulting from a compact primary circuit design and a compact containment design;

• Simplicity of plant operation and maintenance,[25] resulting from increased reactor self-control in accidents and a higher margin to fuel failure, has the potential to result in reduced requirements to operating personnel and reduced necessary plant staffing. Should this be accepted by regulators, it might contribute to reduced operating costs and facilitate deployments in countries with limited infrastructure;

• For nearly all designs, the potential to benefit from cost reduction resulting from reduced or eliminated off-site emergency planning; this still needs to be proven and accepted by regulators;

• Owing to increased reactor self-control in accidents and higher margin to fuel failure, less concern regarding human actions of a malevolent character and, potentially, a cost reduction owing to ‘inherent security’ of the plant.

On the other side, for all designs considered, the implementation of inherent and passive safety design features results in an increase in specific plant capital costs due to lower core power density or a larger required size of the reactor vessel to accommodate certain components of the primary circuit, etc. Elimination or reduction of liquid boron system (in PWR type reactors) or operation without on-site refuelling provided for in the sodium cooled and lead cooled SMRs results in certain deterioration of burnup cycle characteristics. Taller and broader reactor vessels or piping, necessary to enhance natural convection based heat removal, are also factors contributing to plant cost increase.

Designers expect that the above mentioned negative implications of passive safety design options could be counteracted by an enhanced option to build twin or multi unit plants at the same site (see Fig. 1 in Section 1.1.1), by enhanced pre-fabrication and, in some cases, by higher energy conversion efficiency, as well as by the positive implications highlighted earlier.

REFERENCES

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Innovative Small and Medium Sized Reactors: Design Features, Safety Approaches and R&D Trends, IAEA-TECDOC-1451, IAEA, Vienna (2005).

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, IAEA, Vienna (2007).

[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Reactor Designs 2004, IAEA-TECDOC-1391, IAEA, Vienna (2004).

[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Terms for Describing New, Advanced Nuclear Power Plants, IAEA-TECDOC-936, IAEA, Vienna (1997).

[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Evaluation of Seismic Hazard for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-3.3, IAEA, Vienna (2002).

[9] INTERNATIONAL ATOMIC ENERGY AGENCY, External Events Excluding Earthquakes in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.5, IAEA, Vienna (2004).

[10] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[11] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety Principles for Nuclear Power Plants: 75-INSAG-3 Rev. 1, INSAG-12, IAEA, Vienna (1999).

[12] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[13] INTERNATIONAL ATOMIC ENERGY AGENCY, Proposal for a Technology-Neutral Safety Approach for New Reactor Designs, IAEA-TECDOC-1570, IAEA, Vienna (2007).

[14] INTERNATIONAL ATOMIC ENERGY AGENCY, Methodology for the Assessment of Innovative Nuclear Reactors and Fuel Cycles — Report of Phase 1B (First Part) of the International Project on Innovative Reactors and Fuel Cycles (INPRO), IAEA-TECDOC-1434, IAEA, Vienna (2004).

[15] UNITED STATES DEPARTMENT OF ENERGY, A technology roadmap for Generation IV Nuclear Energy Systems, Nuclear Energy Research Advisory Committee, Washington, DC (2002).

[16] GAUTIER, G. M., CHENAUD, M. S., TOURNIAIRE, B., “SCOR 1000: An economic and innovative conceptual design PWR”, paper 7417, Proc. ICAPP’07, Nice, France, 13-18 May 2007.

[17] SHOUYIN HU, RUIPIAN WANG, ZUYING GAO, “Safety demonstration tests on HTR-10”, paper H06, Proc. 2nd Int. Topical Mtg. on High Temperature Reactor Technology, Beijing, China, 22-24 September 2004.

[18] INTERNATIONAL ATOMIC ENERGY AGENCY, Fast Reactor Database: 2006 Update, IAEA-TECDOC-1531, IAEA, Vienna (2006).

[19] INTERNATIONAL ATOMIC ENERGY AGENCY, Natural Circulation in Water Cooled Nuclear Power Plants. Phenomena, Models and Methodology for System Reliability Assessments, IAEA-TECDOC-1474, IAEA, Vienna (2005).

[20] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME RA-S-2002, ASME, New York (2002).

[21] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level-1 PSA for Nuclear Power Plants, (2007).

[22] MARQUES, M., et al., Methodology for the reliability evaluation of a passive system and its integration into a Probabilistic Safety Assessment, Nucl. Eng. Des. 235 (2005) 2612-2631.

[23] NAYAK, A. K., et al., “Reliability analysis of a boiling two-phase natural circulation system using the APSRA methodology”, paper 7074, Proc. of ICAPP’07, Nice, France, 13-18 May 2007.

[24] DELANEY, M. J., APOSTOLAKIS, G. E., DRISCOLL, M. J., Risk-informed design guidance for future reactor systems, Nucl. Eng. Des. 235 (2005) 1537-1556.

[25] BURGAZZI, L., State of the Art in Reliability of Thermal-Hydraulic Passive Systems, Reliab. Eng. Sys. Saf. 92 (2007) 671-675.

[26] CAHALAN, J., et al., “Performance of metal and oxide fuels during accidents in a large liquid metal cooled reactor”, Fast Reactor Safety (Proc. Top. Mtg. Snowbird, UT, 1990), American Nuclear Society (1990).

[27] ROYL, P., et al., “Influence of metal and oxide fuel behavior on the ULOF accident in 3500 MWth heterogeneous LMR cores and comparison with other large cores”, ibid.

[28] ROYL, P., et al., “Performance of metal and oxide fuel cores during accidents in large liquid metal cooled reactor”, Nucl. Technol. 97 (1992) 198-211.

Appendix I

Residual heat removal system (RHRS)

The RHRS is a simple and reliable system that operates by condensing steam from the primary system in the emergency condensers. The emergency condensers are heat exchangers consisting of an arrangement of parallel horizontal U tubes located between the two common headers. The top header is connected to the reactor vessel steam dome, while the lower header is connected to the reactor vessel at a position below the reactor water level. The condensers are located in a pool filled with cold water inside the containment building. The inlet valves of the steam line are always open, while the outlet valves are normally closed (the tube bundles are filled with condensate). When the system is triggered, the outlet valves open automatically. Water drains from the tubes and steam from the primary system enters the tube bundles and condenses on the cold surface of the tubes. The condensate is returned to the reactor vessel forming a natural circulation circuit. In this way, heat is removed from the reactor coolant. During the condensation, heat is transferred to water of the pool by a process of boiling. The evaporated water is then condensed in the suppression pool of the containment.

OUTLINE DESCRIBING SAFETY DESIGN FEATURES OF SMRs

1. Reactor full and abbreviated name

2. Brief description of the design and safety design concept with reference to previous publications

3. Description of inherent (by-design) and passive safety features, passive and active systems

• Inherent and passive safety features (Category A in IAEA-TECDOC-626)

• Passive systems (Categories B, C, D in IAEA-TECDOC-626)

• Active systems

IMPORTANT: For each passive and active system, please indicate whether it is a safety grade or a backup system.

4. Role of inherent and passive safety features and passive and active systems in defence in depth (NS-R-1, with a reference to questionnaire Q4)

Level 1: Prevention of abnormal operation and failure

Level 2: Control of abnormal operation and detection of failure

Level 3: Control of accidents within the design basis

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

Note: Please try to follow this IAEA-supported DID structure, even if in your domestic practice the concept of DID is different.

5. Acceptance criteria for design basis accidents (DBA) and beyond design basis accidents (BDBA)

• List of DBA and BDBA (NS-R-1)

• Acceptance criteria for DBA and BDBA (deterministic and probabilistic, if applicable)

• Protection against the impacts of external events, and combinations of events considered in the design (NS-G-3.3, and NS-G-1.5)

• Probability of unacceptable radioactivity release beyond the plant boundaries

• Measures planned in response to severe accidents

6. Questionnaires

Q1. List of safety design features considered for/incorporated into a SMR design

# | SAFETY DESIGN FEATURES | WHAT IS TARGETED?

Q2. List of internal hazards

# | HAZARDS THAT ARE OF SPECIFIC CONCERN FOR A REACTOR LINE | EXPLAIN HOW THESE HAZARDS ARE ADDRESSED IN AN SMR

Q3. List of initiating events for safety analysis

# | LIST OF INITIATING EVENTS FOR SAFETY ANALYSIS (BOTH TYPICAL FOR THIS REACTOR LINE AND CHARACTERISTIC OF THIS INDIVIDUAL DESIGN) | MARK INITIATING EVENTS THAT ARE SPECIFIC TO THIS PARTICULAR SMR | SPECIFY DESIGN FEATURES OF AN SMR USED TO PREVENT PROGRESSION OF INITIATING EVENTS TO AOO/DBA/BDBA, USED TO CONTROL DBA, USED TO MITIGATE BDBA CONSEQUENCES, ETC.

Q4. Safety design features attributed to defence in depth levels

# | SAFETY DESIGN FEATURE | (1) INDICATE AOO/DBA/BDBA OF RELEVANCE (2) INDICATE CATEGORY: A-D* (FOR PASSIVE SYSTEMS ONLY) | RELEVANT DID LEVEL ACCORDING TO NS-R-1**

* Categories A-D correspond to IAEA-TECDOC-626

** An outline of approaches to DID for advanced NPPs is provided in INSAG-10 and IAEA-TECDOC-1434

Q5. Positive/negative effects of passive safety design features in areas other than safety (if any)

PASSIVE SAFETY DESIGN FEATURES | POSITIVE EFFECTS ON ECONOMICS, ETC. | NEGATIVE EFFECTS ON ECONOMICS, ETC.

Beyond design basis accidents (BDBA)

For the SCOR, transients leading to an extension of design basis conditions are either eliminated by design or managed using the following passive provisions:

• H1 (total loss of the heat sink): the SCOR concept is based on several independent decay heat removal (RRP) loops ready to operate in a passive mode with a heat sink either in the pools with a limited autonomy of several hours or in an air cooling tower in which autonomy is infinite;

• H2 (total loss of feedwater supply to the steam generator): decay heat is removed by systems of the primary circuit with a redundancy of 16 x 25%. There is no need for a safety grade auxiliary feedwater system;

• H3 (total loss of all power supplies): natural convection is possible in all decay heat removal systems with integrated exchangers, from the primary circuit to the heat sink;

• H4 (loss of the containment spray or the low pressure safety injection): the SCOR has no containment spray system, because it uses a pressure suppression type containment. The low pressure safety injection plays a less significant role than in standard PWRs because of large thermal inertia of the primary circuit; large break LOCAs are eliminated by design; the decay heat removal systems are sufficiently effective and redundant;

• ATWS (anticipated transient without scram): the SCOR has two independent shutdown systems so that the overlapping transients will be treated individually as in standard PWRs. Accident management would be simplified due to the permanently negative and higher moderator temperature reactivity coefficient, as compared to standard PWRs. In the case of a LOFA, power is removed by 4 RRP and the primary temperature is stabilized at a value below the saturation temperature, corresponding to the opening of the pressure safety valve;

• Multiple rupture of steam generator tubes and loss of containment isolation: steam from the steam generator is discharged to a dedicated pool;

• Failure of HPSI: no HPSI is provided for in the SCOR.

The hypothetical case of a core meltdown is managed through the following measures:

• In-vessel retention: corium cooling can be ensured by natural convection of water in the flooded reactor cavity, because power density in the core is relatively low and the grace period before a hypothetical core meltdown is long, which altogether reduces decay heat by the time the corium enters the lower plenum;

• Hydrogen risk: the atmosphere of the reactor vessel compartment is inerted to prevent hydrogen combustion (similar to boiling water reactors).

Pressurized light water cooled heavy water moderated reactors

For the boiling light water cooled heavy water moderated reactor considered in the present report (the AHWR, incorporating pressure channels and calandria; see Annex VI), smaller capacity — in view of the designers — facilitates:

— The use of natural convection for heat removal in normal operation, eliminating, for example, main circulation pumps;

— Achievement of a slightly negative void coefficient of reactivity;

— Provision of a relatively large coolant inventory in the main coolant system to ensure its high thermal inertia and slow pace of transients;

— Provision of a relatively large inventory of water in a reasonably sized gravity driven water pool (GDWP), located inside the containment and intended for passive emergency injection of cooling water, passive containment cooling, and passive decay heat removal via the isolation condensers.

PASSIVE SAFETY DESIGN FEATURES OF IRIS

Inherent safety features

The IRIS design significantly increases defence in depth by adding as the first layer of safety an inherent elimination of as many accidents as practical through the safety-by-design™ philosophy [II-3], as previously described. The postulated accident scenarios eliminated include: [39]

The postulated accidents whose severity or consequences are reduced include:

• Small/medium break LOCAs;

• Steam generator tube rupture;

• Steam line break;

• Feed line break;

• Reactor coolant pump seizure.

Passive safety systems

The passive safety systems in IRIS are fewer and simpler than in typical passive LWRs [II-1]. Their function is to protect against remaining possible accidents and mitigate their consequences.

When compared with typical passive LWRs, the IRIS safety systems are not novel. Most of them are similar to those in the AP600/AP1000 but simplified and fewer in number, while the pressure suppression system is similar to that of a BWR [II-1].

Active systems

In IRIS, no active safety grade systems are required. However, active non-safety-grade systems, while not assumed available in deterministic safety analysis, may be used (if available) to help mitigate accidents, and thus enhance defence in depth (DID) and contribute to reducing the probability of core damage in the PRA analysis. The active, non-safety related features include:

(1) Standby diesel generators which provide power to DID systems in the event that normal plant alternating current (AC) power supplies are not available;

(2) A startup feedwater system that can provide feedwater to the steam generators in order to remove core decay heat, in the event that the normal feedwater system is unavailable;

(3) Functioning of the normal plant cooling water systems (service water and component cooling water) can provide support for other DID components as well as remove core decay heat;

(4) The chemical and volume control system normal make-up pumps with their boric acid tank as suction source can provide high pressure make-up water to the RCS in the event of a small loss of coolant accident;

(5) The normal residual heat removal pumps with their in-containment water source can provide low pressure make-up water to the RCS and heat removal capability when RCS pressure is reduced;

(6) Diverse means of containment cooling are provided to significantly reduce the chance of containment failure.