The operation modes of the GT-MHR categorized as abnormal operation occurrences or pre-accidental conditions are listed below.

(1) Modes with reactivity and power distribution variations:

1.1. Inadvertent removal of one or several of the most effective control rods from the reactor core;

1.2. Inadvertent insertion of one or several of the most effective control rods into the reactor core;

1.3. Inadvertent insertion of absorbing elements from the reactor shutdown system hoppers into the reactor core;

1.4. Incorrect loading of a fuel assembly into the reactor core and the operation of such a fuel assembly.

(2) Modes with a decrease in heat removal from the primary circuit:

2.1. Complete stop of water circulation through PCU heat exchangers;

2.2. Ruptures of PCU cooling water system pipelines within and beyond the containment;

2.3. SCS failures in standby mode (ceasing of water circulation and ruptures of SCS cooling water system pipelines within the containment).

(3) Modes with a decrease in coolant flow rate through the reactor core:

3.1. Failure of a turbomachine or failure of individual turbomachine components which require the emergency shutdown of a turbomachine;

3.2. Inadvertent opening of the bypass shut-off and control valves of the control and protection system of the turbomachine;

3.3. Increase of bypass flows in the primary coolant circulation system due to inadvertent opening of valves or due to depressurization of in-vessel components.

(4) Modes with inter-circuit depressurization:

4.1. Inter-circuit depressurization involving the primary circuit and circuits of the PCU and SCS cooling water systems.

(5) Modes with loss of power supply:

5.1. NPP blackout — loss of normal (main and backup) power supply for the system’s own needs with a loss of the external load of the generator.

(6) Modes with abnormal refuelling and nuclear fuel handling:

6.1. Inadvertent withdrawal of a control rod during refuelling;

6.2. Failure of heat removal from the reactor core during refuelling;

6.3. Failure of the drum of spent fuel assemblies to cool;

6.4. Drop of a fuel assembly during refuelling (into the reactor or into the drum of spent fuel assemblies);

6.5. Drop of a fuel assembly transportation container during refuelling.

(7) Modes with external impacts:

7.1. Design basis or maximum design basis earthquake;

7.2. Impact of air shock wave;

7.3. Aircraft crash.

The initiating events of design basis accidents for the GT-MHR are categorized in brief below.

(1) Accidents with primary circuit depressurization:

1.1. Primary circuit depressurization due to a loss of leaktightness or the guillotine break of a primary circuit pipeline with a coolant leak into the containment and further air ingress to the primary circuit: —Rupture of small lines (with equivalent outer diameter of less than or equal to 30 mm);

—Rupture of a bypass pipeline in the control and protection system of the turbomachine (the

equivalent outer diameter is 250 mm);

—Depressurization of a standpipe of the reactor control and protection system.

1.2. Rupture of the pipelines of the helium transportation and storage system beyond the containment.

(2) Accidents with abnormal fuel assembly cooling conditions:

2.1. Partial clogging of the fuel assembly flow area by a fuel assembly fragment.

(3) Accidents with disruption of normal refuelling and nuclear fuel handling modes:

3.1. Dropping of heavy objects and damage of fuel assemblies during refuelling;

3.2. Depressurization of fuel assembly handling equipment;

3.3. Fuel assembly damage during refuelling.

The Small Secure Transportable Autonomous Reactor (SSTAR, [IX-1]) is a 20 MW(e) (45 MW(th)) exportable, small, proliferation resistant, fissile self-sufficient, autonomous load following, and passively safe lead cooled fast reactor (LFR) concept for international deployment and deployment at remote sites. Potential users for the SSTAR include customers looking for energy security with small capital outlay; cities in developing countries, and deregulated power producers in developed countries. SSTAR makes extensive use of inherent and passive safety features, most notably, natural circulation heat transport, lead (Pb) coolant, and transuranic nitride fuel. The SSTAR nuclear power plant incorporates a supercritical carbon dioxide (S-CO2) Brayton cycle power converter for higher plant efficiency and lower balance of plant costs. The efficiency of the S-CO2 Brayton cycle increases as the reactor core outlet temperature increases; an efficiency of about 45% can be attained for a turbine inlet temperature of about 550°C. To take advantage of the economic benefits of such high plant efficiency, there has been interest in operating at higher Pb coolant temperatures. In particular, a peak cladding inner surface temperature of 650°C has been an objective. SSTAR is scalable to a higher power level of 181 MW(e) (400 MW(th)); this is the STAR-LM concept discussed in section IX-2. SSTAR is currently at a pre­conceptual level of development. The engineering design for manufacturing the components and systems has not yet been carried out. A probabilistic risk assessment has not been performed. Accident analyses of a set of design basis and beyond design basis accidents have not yet been carried out.

Figure IX-1 illustrates SSTAR, which is a pool type reactor. Lead coolant is contained inside a reactor vessel surrounded by a guard vessel. Lead is chosen as the coolant rather than lead-bismuth eutectic (LBE) to reduce the amount of alpha-emitting 210Po isotope formed in the coolant by two to three orders of magnitude relative to LBE, and to eliminate dependency upon bismuth, which might be a limited resource.

The Pb coolant flows through a perforated flow distributor head located beneath the core; this structure provides an essentially uniform pressure boundary condition at the inlet to the core. The Pb flows upward through the core and through a chimney above the core formed by a cylindrical shroud. SSTAR is a natural circulation reactor such that the vessel has a height to diameter ratio large enough to facilitate natural circulation heat removal at all power levels up to and exceeding 100% of the nominal. The coolant flows through flow openings near the top of the shroud and enters four modular Pb to CO2 heat exchangers located in the annulus between the reactor vessel and the cylindrical shroud. Inside each heat exchanger, the Pb flows downwards over the exterior of tubes through which the CO2 flows upwards. The CO2 enters each heat exchanger through a top entry nozzle, which delivers the CO2 to a lower plenum region in which the CO2 enters each of the vertical tubes. The CO2 is collected in an upper plenum and exits the heat exchanger through two smaller top diameter top entry nozzles. The Pb exits the heat exchangers and flows downward through the annular downcomer to enter the flow openings in the flow distributor head beneath the core.

A thermal baffle is provided near the Pb free surface. The baffle consists of a cylindrical shell welded to the reactor vessel and filled with argon cover gas providing thermal insulation to the reactor vessel. The insulating effect of the shroud is necessary to protect the vessel from thermal stresses that would result from exposure to

the heated Pb coolant during startup and shutdown transients. SSTAR does not incorporate an intermediate heat transport circuit. This is a simplification possible with Pb coolant which is calculated not to react chemically with working fluid below about 250°C (i. e., well below the 327°C Pb melting temperature). A passive pressure relief system is provided on the reactor system to vent CO2 from the reactor, in the event of a heat exchanger tube rupture.

STAINLESS STEEL PINS OF RADIAL REFLECTOR (SST AND Pb)

TWO INDEPENDENT GROUPS OF CONTROL RODS

LOW ENRICHMENT CENTRAL REGION (TWO ENRICHMENT ZONES)

DRIVER (THREE ENRICHMENT ZONES)

Figure IX-2 shows the 30-year lifetime core configuration. The core has an open lattice configuration of large diameter (2.5 cm) fuel pins arranged on a triangular pitch. This eliminates potential flow blockage accidents since crossflow paths are always available for cooling. The fuel consists of pellets of transuranic nitride fuel clad with a silicon enhanced ferritic/martensitic steel layer, providing protection against corrosion, co­extruded with a ferritic/martensitic base providing structural strength and irradiation stability. The fuel pellets are bonded to the cladding by molten Pb to reduce the temperature difference between the pellet outer surface and the cladding inner surface.

An active core diameter of 1.22 m is selected to minimize burnup reactivity swing over the 30-year core lifetime. The power level of 45 MW(th) is conservatively chosen to limit the peak fluence on the cladding to 4 x 1023 neutrons/cm2; this is the maximum exposure for which HT9 ferritic/martensitic cladding has been irradiated. The core has three enrichment zones to reduce power peaking and two central low enrichment zones which further reduce burnup reactivity swing. The core has strong reactivity feedback coefficients, which enable autonomous load following, whereby the reactor power adjusts itself to heat removal from the reactor as a result of reactivity feedbacks. Because heat transport is accomplished by natural circulation, the primary coolant flow rate and system temperatures also adjust themselves to transport heat from the core.

The core does not consist of individual removable fuel assemblies but is a single cassette/assembly. The fuel pins are permanently attached by welding or other means to a core support plate at the bottom of the core. This limits access to either fuel or neutrons. Normally, refuelling equipment is not present at the site. Refuelling equipment, including a crawler crane, is brought onsite only following the 30-year lifetime. The upper closure head for the guard and reactor vessels is removed, the spent core is removed from the vessel and placed inside of a shipping cask; it is then transported to a fuel cycle support centre for reprocessing and refabrication under international oversight. A fresh core is installed in the reactor vessel and the refuelling equipment is removed from the site.

Two sets of control rods are provided for independence and redundancy of the scram. Small adjustments of the control rods are carried out to compensate for small changes in the burnup reactivity swing. The control rod locations have been uniformly distributed throughout the core. Each control rod moves inside of a control rod guide tube occupying a position in the triangular lattice. Spacing between fuel pins is maintained by two levels of grid spacers. Each grid spacer is welded to a control rod guide tube; the grid spacer holds the surrounding fuel pins by means of spring clips allowing for thermal expansion of the fuel pins relative to the control rod guide tube. The active core is surrounded by a radial reflector, which is an annular ‘box’ containing stainless steel rods and Pb having approximately equal volume proportions. Stainless steel is needed to shield the reactor vessel from neutron fluxes. There is a small Pb flow through the reflector removing the power deposition that takes place there.

SSTAR incorporates a reactor vessel auxiliary cooling system (RVACS) for decay heat removal, should the normal heat removal path involving Pb to CO2 heat exchangers be unavailable. The RVACS involves heat removal from outside of the guard vessel due to natural circulation of air, which is always in effect. The RVACS is a safety grade system. To provide for greater reliability of emergency heat removal beyond that corresponding to the single RVACS system, it is planned to also incorporate safety grade direct reactor auxiliary cooling system (DRACS) heat exchangers into the reactor vessel.

Conditions, dimensions, and other parameters for SSTAR are included in Table IX-1. Notable achievements of the SSTAR development include:

Pb coolant;

30-year core lifetime;

Average (peak) discharge burnup of 81 (131) MW day/kg of heavy metal;

Burnup reactivity swing < 1 $;

Peak cladding temperature = 650°C;

Core outlet/inlet temperatures = 564/420°C;

Peak transuranic nitride fuel temperature = 882°C;

Small shippable reactor vessel (12 m height by 3.23 m diameter);

Autonomous load following;

Supercritical CO2 Brayton cycle energy conversion efficiency = 44.1%;

Plant efficiency = 43.8%;

Cost of energy generation < 5.5 US$ cents/kWh (55 US$/MWh).

Reactor name Power, MW(e) (MW(th))

Customer — Assume 4.0 tonnes of oil equivalent per capita per year = 167 GJ per capita per year = 5.3 KW(th)-year per capita per year, of which ~ 1/3 is used for electricity

Coolant

Fuel

Enrichment, %

Core lifetime, years

Core inlet/outlet temperatures, °C

Coolant flow rate, kg/s

Power density, W/cm3

Average (peak) discharge burnup,

MW day/Kg HM

Peak fuel temperature, °C

Cladding

Peak cladding temperature, °C

Fuel/coolant volume fractions

Core lifetime, years

Fuel pin diameter, cm

Fuel pin triangular pitch to diameter ratio

Active core dimensions; Height/Diameter, m

Core hydraulic diameter, cm

Pb to CO2 heat exchangers (HXs) type

Number of Pb to CO2 HXs

HX tube length, m

HX tube inner/outer diameters, cm

Number of tubes (all HXs)

HX tube pitch to diameter ratio

HX Pb hydraulic diameter, cm

HX-core thermal centres separation height, m

Reactor vessel dimensions; Height/Diameter, m

Reactor vessel thickness, cm

Gap between reactor vessel and guard vessel, cm

Gap filling material

Guard vessel thickness, cm

Air channel thickness, cm

Air ambient temperature, °C

Working fluid

CO2 turbine inlet temperature, °C Minimum CO2 temperature in cycle, °C Max./Min. CO2 pressure in cycle, MPa CO2 flow rate, kg/s Net generator output, MW(e)

Supercritical CO2 Brayton cycle efficiency, %

Net plant efficiency, %

19.7 (45)

Electricity for a town of ~ 25 400 Pb

Transuranic nitride (TRUN) enriched to N15 1.7/3.5/17.2/19.0/20.7 TRU/HM, 5 radial zones 30

420/564

2150

42

81 (131)

882

Si-enhanced ferritic/martensitic steel layer for corrosion protection co-extruded with a ferritic/martensitic substrate for structural strength and irradiation stability 650

0.45 / 0.35

30

2.50

1.185

0.976/1.22

1.371

Shell and tube 4

4.0

1.0 / 1.4 10 688 1.255 1.030 6.80

12.0 / 3.23

5.08

12.7 Air

5.8 15 36

Supercritical CO2

549

31.25

20/7.4

247

19.7

44.1

43.8

Table IX-2 presents reactivity feedback coefficients typical of SSTAR core configurations.

It is expected that the probability of unacceptable radioactivity release beyond the plant boundary would be less than 1 x 10-7/year.

VI-7. MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

One of the important design objectives of the AHWR is to eliminate the need for any intervention in the public domain beyond plant boundaries as a consequence of any postulated accident condition within the plant [VI-1].

Tables VI-2 to VI-6 below provide the designer’s response to the questionnaires developed at the IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [VI-3] and other IAEA publications [VI-2, VI-4]. The information presented in Tables VI-2 to VI-6 provided a basis for the conclusions and recommendations of the main part of this report.

TABLE VI-2. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE MARS DESIGN

# Safety design features What is targeted?

1. Heat removal by natural convection of the coolant

2. Slightly negative void coefficient of reactivity

3. Negative fuel temperature coefficient of reactivity

4. Low core power density

5. Low excess reactivity

6. Large coolant inventory in the main coolant system

7. Two fast acting shutdown systems (mechanical shut off rods and liquid poison injection system)

8. Passive emergency injection of cooling water (initially from the accumulators and later from the overhead gravity driven water pool — GDWP) directly into the fuel cluster through four independent trains

9. Passive decay heat removal by isolation condensers

10. Passive injection of poison into the moderator, by using high pressure steam

11. Large inventory of water in the GDWP inside the containment

12. Use of the moderator as a heat sink

13. Flooding of the reactor cavity following a LOCA

14. Double containment [52]

Elimination of postulated initiating events associated with pump failure

Reduction of the extent of an overpower transient

Thermal inertia securing a reduced rate of temperature rise under certain transients

Safe termination of abnormal operational conditions and accidental conditions

Core heat removal during loss of coolant accidents (LOCA); including a prolonged core cooling for 3 days via GDWP water injection. Direct injection reduces the time for ECCS water to reach fuel

Core decay heat removal under non-availability of the main condenser, by transferring heat to the GDWP water without any operator action or active signal

— Effective reactor shutdown in the case of a failure of the wired (sensors, signal carriers and actuators) mechanical shutdown system and the liquid poison injection system

— Elimination of the possibility of radioactive steam release through safety relief valves, by performing an effective reactor shutdown and bringing the system back to a condition with restored heat removal capability of the isolation condensers

— Provides a heat sink/working fluid for decay heat removal by passive systems, containment cooling and containment isolation during a LOCA, as well as passive concrete cooling

— Provides prolonged core cooling during LOCAs, meeting the requirement of a three day grace period

Impedes accident propagation in the case of a failure of the ECC injection during a LOCA

Facilitates eventual submerging of the core after a LOCA

Minimization of radioactivity release from the reactor building during accident conditions, such as a LOCA

Prevention of radioactivity release from the reactor building through the ventilation ducts following a large break LOCA

TABLE VI-2. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE MARS DESIGN (cont.)

TABLE VI-3. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

List of initiating events for Design features of AHWR used to prevent progression of the Initiating events # AOO/DBA/BDBA typical initiating events to AOO/DBA/BDBA, to control DBA, to mitigate specific to this for a reactor line (PHWRs) BDBA consequences, etc. particular SMR

1. Reactivity anomalies due Two independent fast acting shutdown systems to control rod malfunctions

Boron-free equilibrium core configuration. Boron is injected into the moderator, not into the primary coolant. During a prolonged shutdown, the boron removal ion exchange columns of the moderator purification circuit are isolated

— Slightly negative void coefficient of reactivity, which prevents large variations in reactor power

— Emergency core cooling water cannot enter the main heat transport (MHT) circuit, because there is a certain differential pressure requirement for the injection to start

Core heat is removed by natural convection of the coolant; there are no main circulation pumps in the AHWR

— Two independent fast acting reactor shutdown systems provided for shutting down the reactor upon a LOCA signal, such as high containment pressure or low primary pressure

— Core cooling by passive injection of ECC water using high pressure accumulators and low pressure injection from the GDWP

— Minimization of containment pressurization by vapour suppression in the GDWP and by condensation of the steam and cooling of the air by the passive containment coolers

— Prevention of radioactivity release by passive formation of a water seal in the ventilation duct, in addition to closure of the mechanical dampers

— Prevention of accident propagation, facilitated by a large inventory of the moderator surrounding the fuel channels, by the presence of water in the calandria vault, and by filling of the reactor cavity with GDWP water

Shutdown of the reactor in the case of non-availability of the secondary circuit and decay heat removal by the isolation condensers in a passive mode

Reactor shutdown on power supply failure and passive decay heat removal by the isolation condensers

— Large coolant inventory in the primary circuit provides thermal inertia to limit the rate of temperature rise

— Low excess reactivity, achieved through the types of fuel used

— Negative void coefficient of reactivity and low core power density reduce the extent of possible overpower transients

— Reliable reactor control and protection system

— Passive circulation of the coolant that transfers heat from the source to a sink

— Annulus gas monitoring system to detect leakage from a pressure tube or calandria tube

— Rupture discs installed before the safety relief valves, to prevent inadvertent coolant leakage

TABLE VI-5. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENCE IN DEPTH LEVELS

TABLE VI-6. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

REFERENCES TO ANNEX VI

[VI-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[VI-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[VI-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[VI-4] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[VI-5] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

Annex VII

The initiating events/combinations of events for beyond design basis accidents regarding the GT-MHR are

categorized in brief below.

(1) Beyond design basis accidents with loss of power supply sources:

1.1. Blackout;

1.2. Blackout with a complete RCCS failure;

1.3. Blackout with a failure of the actuation of the reactor emergency protection (shutdown) system (anticipated transient without scram — ATWS).

(2) Beyond design basis accidents with reactivity variation (taking into account additional failures):

2.1. Inadvertent withdrawal of several of the most effective control rods from the reactor core with an actuation failure of the reactor emergency protection system (ATWS).

(3) Beyond design basis accidents with a decrease of the coolant flow rate through the reactor core (taking

into account additional failures):

3.1. Failure of the turbomachine or failure of individual turbomachine components, requiring an emergency shutdown of the turbomachine, accompanied by an actuation failure of the reactor emergency protection system (ATWS).

(4) Beyond design basis accidents with primary circuit leakage (taking into account additional failures):

4.1. Primary circuit depressurization with a blackout and an ingress of a considerable amount of air into the primary circuit (guillotine break of a standpipe of the control and protection system);

4.2. Primary circuit depressurization with failure of the reactor protection system to actuate (ATWS), a blackout, and the ingress of a considerable amount of air into the primary circuit (guillotine break of a standpipe of the control and protection system);

4.3. Rupture of the transportation and storage system helium pipelines beyond the containment, followed by a failure of the system of activity localization within the primary circuit and by a blackout;

4.4. Inter-circuit depressurization between the primary circuit and the PCU or the SCS cooling water circuits, followed by a failure of the isolation systems and a blackout, and by ingress of a considerable amount of water into the primary circuit.

VII — 4.2. Acceptance criteria

The acceptance criteria used for NPP designs with modular high temperature gas cooled reactors (HTGR) are as follows:

— Radiation safety criteria, which specify allowable radiation doses for personnel and population during normal plant operation and in the case of accidents;

— Probabilistic safety criteria, which establish the allowable overall probability of severe beyond design basis accidents and the probability of maximum reactivity releases during such accidents.

The Secure Transportable Autonomous Reactor-Liquid Metal (STAR-LM, [IX-1]) is a scaled up version of SSTAR at a power level of 181 MW(e) (400 MW(th)) for high efficiency electric power production with optional production of desalinated water using a portion of the reject heat. The STAR-LM reactor vessel size is assumed to be limited in height by a rail shipment limitation of 18.9 m. The power level of 400 MW(th) approaches the maximum value at which heat transport can be accomplished through single phase natural circulation given the reactor vessel height limitation. The scaled up version can alternately be used for hydrogen and oxygen generation using a Ca-Br thermo chemical (‘water cracking’) cycle, if cladding and structural materials for operation with the Pb up to about 800°C can be developed; this high temperature version is named STAR-H2, see the corresponding concept description in [IX-1]. Conditions and dimensions for STAR-LM are provided in Table IX-3. The reactivity feedback coefficients are given in Table IX-4.

VIII — 3. PASSIVE SAFETY DESIGN FEATURES OF SSTAR

The SSTAR safety design approach is based upon the defence in depth principle of providing multiple levels of protection against the release of radioactive materials by the following:

(i) Design to achieve a high level of reliability such that specific traditional accident initiators are eliminated or accident initiators are prevented from occurring;

(ii) Provision of protection in the event of equipment failure or operating error;

(iii) Provision of additional protection of public health and safety in an extremely unlikely event, which is not expected to occur during the lifetime of the plant or which was not foreseen at the time the plant was designed and constructed.

Inherent safety features

The inherent safety features of SSTAR take advantage of the key inherent properties of Pb coolant, transuranic nitride fuel, and a fast neutron spectrum core, together with specific design options including a pool reactor vessel containing all major primary coolant system components and natural circulation heat transport.

The Pb primary coolant has a high boiling temperature of about 1740°C, which is well above temperatures at which the stainless steel structures lose their strength and melt. Pb is, therefore, a low pressure coolant and does not flash should a leak develop in the primary coolant system boundary. All major primary system

Characteristics Value

components including the core and Pb to CO2 heat exchangers are contained inside the reactor vessel, which is surrounded by a guard vessel. The coolant level inside the reactor vessel is such that, in the event of a reactor vessel leak, the faulted level of coolant contained by the guard vessel always exceeds the Pb entrances to the Pb to CO2 heat exchangers. The lack of coolant flashing or boiling due to the high Pb boiling temperature, combined with the pool system configuration and a guard vessel, preclude the loss of primary coolant. It also assures that heat removal from the core and heat transfer to the in-vessel heat exchangers or the vessel wall for heat removal by the RVACS continues by means of natural circulation of a single phase primary Pb coolant.

The lead coolant is calculated not to react chemically with the working fluid above about 250°C, which is well below the Pb melting temperature of 327° C. In particular, there is no formation of combustible gas or exothermic energy release. Lead does not react vigorously with either water or air. Compatibility of Pb and the working fluid makes it possible to eliminate the need for an intermediate cooling circuit, enhancing plant reliability.

Lead has low neutron absorption. This permits the core to be opened up by increasing the coolant volume fraction without a significant reactivity penalty. Increasing the coolant volume fraction increases the hydraulic diameter for coolant flow through the core, reducing the core frictional pressure drop. As a result, natural circulation is more effective and can transport a greater core power. It is possible to design LFRs in which natural circulation is effective at power levels exceeding 100% of the nominal, eliminating the need for main coolant pumps. Eliminating main coolant pumps eliminates loss of flow accident initiators. The open lattice core configuration with wide openings for coolant crossflow eliminates flow blockage accident initiators in which coolant flow entering at the bottom of the core is postulated to be locally blocked.

The high heavy liquid metal coolant density (pPb = 10 400 kg/m3) limits void growth and downward penetration following a postulated in-vessel heat exchanger tube rupture such that the void is not transported to the core, but instead rises benignly to the lead free surface through a deliberate escape channel between the in­vessel heat exchangers and the vessel wall.

The transuranic nitride fuel has a high thermal conductivity which, when combined with bonding of the fuel pellets to the cladding by means of liquid Pb between the pellets and cladding, reduces peak fuel temperatures during normal operation and accidents. This reduces the stored energy in the fuel and decreases the positive reactivity contribution resulting from cooldown of the fuel while fuel and coolant temperatures equilibrate during accidents as core power decreases.

Transuranic nitride fuel has a high decomposition temperature estimated to exceed 1350°C, such that the fuel maintains its integrity at temperatures above which stainless steel structural materials lose their strength or melt.

Nitride fuel is expected to be compatible with both the Pb bond and ferritic/martensitic steel cladding.

Nitride fuel has a high atom density, making it possible to reduce the volume which must be occupied by fuel and thus further enabling an increase of the coolant volume fraction without the loss of ability to achieve a core internal conversion ratio of unity and a low burnup reactivity swing, which in turn reduces the effects of rod withdrawal accident initiators.

Nitride fuel has a low fission gas release per unit volume. This reduces the thermal creep of cladding resulting from hoop stress loading due to internal pressurization of the fuel pin by a released fission gas.

The fast neutron spectrum core with Pb coolant and transuranic nitride fuel has strong reactivity feedbacks, which provide significant negative reactivity upon a heat-up or equilibration of system temperatures. The strong reactivity feedback reduces core power to match heat removal from the reactor system inherently, shutting down the reactor in the event two shutdown systems fail to scram it.

The strong reactivity feedback of the fast neutron spectrum core with Pb coolant and transuranic nitride fuel enables autonomous load following, whereby core power adjusts itself through inherent mechanisms to match heat removal from the reactor system without operation of control rods, thereby simplifying operation and eliminating potential operator errors.

The low burnup reactivity swing of the 30-year lifetime fast neutron spectrum core decreases excess reactivity requirements, reducing the amount of reactivity insertion accompanying unintended withdrawal of one or more of the control rods.

Passive safety systems

The SSTAR currently incorporates a single safety grade emergency heat removal system, which is the reactor vessel auxiliary cooling system (RVACS). The RVACS cools the exterior of the guard vessel by natural draught of air, which is always in effect. Because the RVACS represents only a single safety grade system, it would be required to have a high reliability with respect to seismic events or sabotage. For example, a seismic event could result in blockage of airflow channels. At particular sites, flooding or dust storms might be factors. It is planned to add safety grade passive direct reactor auxiliary cooling system (DRACS) heat exchangers, located inside of the reactor vessel, to provide for independent and redundant means of emergency heat removal.

Passive pressure relief from the primary coolant system is provided to enable CO2 to escape from the primary coolant system without over-pressurizing the primary coolant system boundary, in the event of a heat exchanger tube rupture.

Active safety systems

The SSTAR incorporates two independent and redundant safety grade active shutdown systems. The core layout in Fig. IX-2 shows primary and secondary control rod locations.

VIII — 4. ROLE OF PASSIVE SAFETY DESIGN FEATURES IN DEFENCE IN DEPTH

Some major highlights of passive safety design features in SSTAR, structured in accordance with various levels of defence in depth [IX-2, IX-3], are shown below.

Level 1: Prevention of abnormal operation and failure

The aim of the first level of defence in depth is to prevent deviations from normal operation and to prevent system failures. The inherent safety features of Pb coolant, nitride fuel, and a fast spectrum core, together with natural circulation heat transport and pool vessel configuration reduce the probability of failures through the elimination of reliance upon components, systems, or operator actions that would otherwise need to be considered possible sources of failure. Specific traditional postulated accidents such as loss of flow or local flow blockage are eliminated.

Cladding and structures are protected from significant corrosion by the Pb coolant through control of the dissolved oxygen potential in the coolant within a suitable regime that avoids the formation of lead oxide while allowing protective Fe3O4 solid oxide layers to be formed initially upon structures at lower temperatures. The systems for monitoring dissolved oxygen potential and maintaining oxygen levels in the desired regime shall be

Level 2: Control of abnormal operation and detection of failure

The aim of the second level of defence is to detect and intercept deviations from normal operational states in order to prevent anticipated operational occurrences from escalating to accident conditions. Due to the inherent safety features and passive safety design options of SSTAR, the expectation is that anticipated operational occurrences will not escalate into accidents. Therefore, it is expected that detection is not a necessity in order to avoid escalation into accident conditions.

Level 3: Control of accidents within the design basis

For the third level of defence, it is assumed that, although very unlikely, the escalation of certain anticipated operational occurrences or postulated initiating events (PIEs) may not be arrested by a preceding level and a more serious event may develop. Traditionally, escalation into a more serious event requires the occurrence of additional failures following the onset of the accident initiator. Although specific traditional postulated accidents such as loss of flow or local flow blockage are eliminated, other traditional postulated accidents such as reactivity insertion due to withdrawal of one or more control rods, loss of normal heat sink, heat exchanger tube rupture, loss of load, or station blackout remain. Due to the inherent safety features of SSTAR, core and heat exchangers remain covered by molten Pb coolant and natural circulation heat transport removes the core power, which leaves the reactor system either by normal heat removal paths or by the RVACS. System fuel and coolant temperatures remain within acceptable values well below temperatures at which the structures begin to lose their strength or at which a failure of the cladding could occur. There is no need for reliance upon active systems or operator actions to provide for cooling of the core or heat removal from the reactor system.

For liquid metal cooled fast reactors, an example of a failure in addition to the accident initiator is the assumption of a failure to scram the reactor through the primary and secondary shutdown systems. For SSTAR, it is not necessary for either of the two independent and redundant shutdown systems to operate as well as for operators to take action to insert control rods. The inherent feedbacks of the fast spectrum core with Pb coolant and nitride fuel cause the power level to decrease such that the core power matches the heat removal from the reactor system. The reactor core self-regulates the power level to match heat removal through either the normal heat removal path involving in-vessel Pb to CO2 heat exchangers or the emergency heat removal path through the RVACS.

If one or more in-vessel Pb to CO2 heat exchanger tubes were to fail, the passive pressure relief system would release CO2 from the reactor system, protecting the reactor vessel and upper closure head from over­pressurization.

If the reactor vessel were to fail in addition to the accident initiator, the guard vessel would retain the primary Pb coolant such that the core and in-vessel heat exchangers remain covered by a single phase Pb primary coolant.

If the normal heat removal path or a shutdown heat removal path were to fail, then the RVACS would remove the power generated in the core and transported to the reactor vessel through natural circulation of the Pb coolant. As discussed above, DRACS heat exchangers shall also be incorporated into the reactor vessel to enhance reliability of emergency heat removal beyond that provided by the RVACS. Therefore, it is not expected that a second failure would result in an escalation into a more serious event in terms of the release or transport of radioactivity from the fuel pins.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The aim of the fourth level of defence is to address severe accidents in which the design basis could be exceeded and to ensure that radioactive releases are kept as low as practicable.

The SSTAR incorporates a guard vessel surrounding the reactor vessel and an upper closure head, which covers both the guard and the reactor vessels. A hermetic seal is established between the upper closure head and the guard vessel. Thus, the guard vessel and the upper closure head perform the function of a containment vessel surrounding the reactor vessel and retaining radioactivity as long as over-pressurization of the guard vessel and the upper closure head system does not occur. A containment structure is provided above the upper closure head. In the event of a rupture of one or more Pb to CO2 heat exchanger tubes, the CO2 would vent through the upper closure head into the volume of the containment structure.

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The fifth and final level of defence is aimed at mitigation of the radiological consequences of potential releases of radioactive materials that may result from accident conditions. It is envisioned that the exclusion zone surrounding a SSTAR reactor may at the least be reduced in size as a result of inherent safety features, as well as the expected low probability for radioactive material release relative to light water reactor designs with a similar power level.

Experimental Design Bureau of Machine Building (OKBM),
Russian Federation

VII — 1. DESCRIPTION OF THE GT-MHR CONCEPT

An international project for the GT-MHR was launched in 1995 by the Russian Ministry for Atomic Energy and the General Atomics Company of the USA. Later, the project was joined by the Framatome[53] (France) and Fuji Electric (Japan). At present, the preliminary design is completed, and the technology demonstration phase is underway. The goal of technology demonstration is experimental validation of key design solutions, mainly for fuel, for turbomachine, for structural materials, vessels, and for computer codes. A detailed description of the GT-MHR concept is presented in [VII-1].

The GT-MHR is a high temperature gas cooled reactor based on the following state of the art technologies:

— Technologies of modular helium cooled reactors using inherently safe micro fuel with several layers of

ceramic coating;

— Highly efficient gas turbines designed for aviation and power applications;

— Electromagnetic bearings;

— Effective compact plate heat exchangers.

The helium cooled modular GT-MHR, capable of generating high temperature heat, is coupled with a gas turbomachine consisting of a turbine, an electric generator, and compressors, and implements the direct Brayton gas-turbine cycle for electricity generation (see Fig. VII-1).

Figure VII-2 shows a flow diagram of the cooling system of the GT-MHR reactor plant. Main characteristics of the reactor plant are given in Table VII-1.

The reactor, the power conversion unit (PCU), and all associated primary circuit systems are located in an underground silo of the reactor building (see Fig. VII-3).

The reactor includes an annular core consisting of 1020 hexahedral fuel assemblies similar to those of the Fort Saint Vrain reactor. The core is surrounded by a graphite reflector. The lower part of the reactor vessel houses the shutdown cooling system (SCS).

The reactor vessel is surrounded by the surface cooler of the passive reactor cavity cooling system (RCCS). The RCCS removes heat from the reactor vessel in all accidents, including complete loss of coolant (LOCA).

The power conversion system is arranged in the PCU vessel and includes a turbomachine, a recuperator, and water cooled pre-cooler and intercooler. The single shaft turbomachine consists of a generator, a gas turbine, and two compressor sections with fully electromagnetic suspension systems.

Reactor design characteristics and the direct closed gas-turbine power conversion cycle are major advantages of the GT-MHR nuclear power plant (NPP) compared to other plants with steam cycles, because they allow for simplification and reduce the number of required equipment items and systems (including safety systems), by completely eliminating a steam turbine power circuit from the plant.

The GT-MHR can achieve a high safety standard through inherent safety features of the plant and via the use of passive safety systems that rule out the possibility of a reactor core meltdown in any accident, including LOCA.

1 — Generator; 2 — Recuperator; 3 — Turbocompressor; 4 — Intercooler;

5 — Precooler; 6 — Control and protection assembly; 7 — Reactor core; 8 — Vessel system;
9 — Reactor shutdown cooling system

FIG. VII-1. Reactor plant.

Radiation safety criteria are the radiation dose limits for NPP personnel and the population at the NPP site during normal operation and in the design basis and beyond design basis accidents.

The following dose limits are established for the population and for NPP personnel:

— The effective individual radiation dose for the population during normal operation should not exceed 20 qSv per year;

— The effective individual radiation dose for the population at the boundary of the buffer area during design basis and beyond design basis accidents should not exceed 5 mSv for the entire body during the first year after the accident. In this case, special protection measures for the population are not required;

— For NPP personnel working directly with radiation sources, the effective individual dose during normal operation should not exceed 20 mSv per year on average during any successive five years, with the absolute maximum being 50 mSv per year.

When designing the power unit — its structures and means of radiation protection and isolation (localization) — measures are taken to reduce radiation dose rates in NPP rooms, radionuclide releases to the environment, and radiation doses to personnel, and to keep these radiation parameters as low as possible in line with the ALARA concept.

Radiation safety criteria are met when the design limits for the following parameters are not exceeded:

— Level of primary coolant activity defined by fission products;

— Releases of radioactive substance into the atmosphere through the exhaust pipe;

— Radiation levels in NPP rooms.

Radiation safety criteria are fulfilled owing to consistent implementation of the defence in depth concept, which is based on application of several barriers to the release of ionizing and radioactive substances into the environment, and owing to application of technical and administrative measures to protect and maintain the effectiveness of these barriers.

• Negative void coefficient of reactivity;

• Negative fuel temperature coefficient of reactivity;

• Negative power coefficient of reactivity;

• Double containment system;

• Absence of main circulating pumps;

• High pressure and low pressure independent emergency core cooling system (ECCS) trains;

• Direct injection of ECCS water into the fuel cluster.

The important passive safety features and systems in AHWR are:

TABLE VI-1. MAJOR DESIGN CHARACTERISTICS OF AHWR [VI-1]

• Core heat removal by natural convection of the coolant during normal operation and in shutdown conditions;

• Decay heat removal by isolation condensers (ICs) immersed in a large pool of water in a gravity driven water pool (GDWP);

• Direct injection of ECCS water into the fuel cluster in a passive mode during postulated accident conditions, such as loss of coolant accidents (LOCAs), initially from the accumulators and later from the GDWP;

• Containment cooling by passive containment coolers during LOCA;

• Passive containment isolation via formation of a water seal in the ventilation ducts, following a large break LOCA;

• Passive shutdown through injection of poison to the moderator, using high pressure steam, in case of the low probability event of failure of the wired (sensors, signal carriers and actuators) mechanical shutdown system (SDS-1) and the liquid poison injection system (SDS-2);

• Passive concrete cooling system to protect the concrete structure in a high temperature zone.

The availability of a large inventory of water in the GDWP at higher elevation inside the containment facilitates sustainable core decay heat removal, ECCS injection, and containment cooling for at least 72 hours without invoking any active systems or operator actions.

Passive safety features/systems of the AHWR are described in brief below.

Tables IX-5 to IX-9 below provide the designer’s response to the questionnaires developed at the IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [IX-2] and other IAEA publications [IX-3, IX-6]. The information presented in Tables IX-5 to IX-9 provided a basis for the conclusions and recommendations made in the main part of this report.

# Safety design features What is targeted?

TABLE IX-6. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

Design features of SSTAR used to prevent progression

Initiating events specific

of the initiating events to AOO/DBA/BDBA,

to this particular SMR

to control DBA, to mitigate BDBA consequences, etc.

1 Loss of flow due to pump coastdown Natural circulation heat transport at power levels Not an accident initiator

>100% of the nominal; elimination of main coolant

pumps

2 Sub-assembly flow blockage Open lattice core configuration and coolant chemistry Not an accident initiator

control reduce the possibility of a flow blockage

3 Loss of heat sink —Core and heat exchangers remain covered by ambient

pressure single phase Pb coolant, and single phase natural circulation removes core power under all operational transients and postulated accidents

—Vessel air cooling removes decay heat power levels from the reactor system

—In failure to scram accidents, passive shutdown reduces and maintains the reactor power to a low level representative of decay heat

4 In-vessel heat exchanger tube rupture —Transient bubble/void growth is retarded by high

inertia/density of Pb primary coolant

—Pb primary coolant and CO2working fluid do not react chemically eliminating combustible gas formation and exothermic energy release

—Absence of formation of small bubbles entrained into the coolant and provision of an escape path to pool free surface eliminates a potential for transport of bubbles/ void to the core

—Passive pressure relief from primary coolant system precludes over-pressurization by CO2

5 Transient overcooling To be defined Transient overcooling

due to initiating event on S-CO2 Brayton cycle secondary side

6 Transient overpower/ reactivity — Inherent negative reactivity feedback due to increase

insertion accident in fuel and coolant temperatures returns net reactivity

to zero, stabilizing the reactor power and system temperatures at higher than nominal values — Potential reactivity insertion due to rod withdrawal is reduced due to low burnup reactivity swing, reducing the need for reactivity investment in control rods to compensate for burnup effects

7 Loss of coolant Eliminated due to vessel pool configuration without Not an initiator

external piping at low elevations and ambient pressure Pb coolant

TABLE IX-8. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENCE IN DEPTH LEVELS

REFERENCES TO ANNEX IX

[IX-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, Vienna (2007).

[IX-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[IX-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[IX-4] UNITED STATES NUCLEAR REGULATORY COMMISSION, New Reactor Licensing — Licensing Process (2008), http://www. nrc. goV/reactors/new-licensing/licensing-process. html#inspections

[IX-5] UNITED STATES DEPARTMENT OF ENVIRONMENT NUCLEAR RESEARCH ADVISORY COMMITTEE, GENERATION-IV INTERNATIONAL FORUM, A technology roadmap for Generation-IV nuclear energy systems, USA (2002).

[IX-6] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for AdVanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

Annex X

The top level safety objective is to provide protection for the personnel, public, and environment against radiation and radioactive contamination. This main objective must be fulfilled at every stage of the reactor plant lifecycle and in all operating conditions; more specifically it is defined by the radiation and technical safety objectives.

The radiation safety objective is aimed at restricting radiation doses to personnel and the public and at limiting radioactive releases to the environment. The radiation impact of the GT-MHR NPP on personnel, the public, and the environment in normal operation and in design basis and beyond design basis accidents should be lower than the limits specified in regulatory documents and, in fact, as low as possible, taking into account economic and social factors. No emergency response measures should be necessary for the public or the environment beyond the buffer area.

FIG. VII-2. Flow diagram of the reactor cooling system.

The technical safety objective is targeted at the prevention of accidents and at mitigation of accident consequences. This objective is met via a system of physical barriers and through a complex of measures aimed to protect these barriers and maintain their effectiveness. Effectiveness of physical barriers in accidents can be maintained through inherent reactor safety features (based on the negative feedback and natural processes), and passive safety systems.