Probabilistic safety criteria specify the basic safety indices of an NPP in probabilistic terms as the following:

(a) To avoid the need for population evacuation beyond plant boundaries established by the regulatory requirements regarding the location of NPPs, it is necessary to target a probable maximum release of no more than 10-7 per reactor per year; the value of this maximum release, established by the same regulatory documents, corresponds to radiation dose limits for the population in the case of beyond design basis accidents;

(b) The overall probability of severe beyond design basis accidents (evaluated on the basis of probabilistic safety analysis) should be targeted not to exceed 10-5 per reactor per year.

The GT-MHR NPP project establishes operation limits and conditions, safe operation limits and conditions, and design limits for abnormal operation conditions, including design basis accidents. Maximum fuel temperature, which shall not exceed 1600°C, is considered one of the most important design limits for pre­accidental situations and design basis accidents.

The operation limits for process parameters and characteristics of reactor plant equipment are specified based upon:

— Analytical results for reactor plant parameters and equipment operating conditions during normal operation, taking into account measurement errors;

— The evaluation of a control range of reactor plant process parameters during normal operation with evaluation of the accuracy of keeping these parameters within the control range, taking into account errors of the measurement and automation means.

Presently, the operation limits and the safe operation limits for fuel elements of the GT-MHR have not been established.

Safe operation limits for the basic process parameters are established to protect physical barriers against damages during abnormal operation. Barriers are protected by the safety systems, which have actuation set points assigned with some margin relative to safe operation limits or equal to them.

The range of safe operation limits corresponds to the list of plant process parameters according to which protection of the plant is provided. For the GT-MHR, this list includes:

— Reactor neutron (thermal) power;

— Helium pressure in the reactor;

— Containment pressure;

— PCU cooling water system pressure;

— Turbomachine rotor speed;

— Coolant temperature at the reactor outlet;

— Coolant temperature at the low pressure compressor inlet;

— Coolant temperature at the high pressure compressor inlet;

— Activity of the primary coolant.

The operation limits and safe operation limits for process parameters and reactor plant equipment characteristics, established as indicated above, are given in Tables VII-2 and VII-3. Design limits adopted for the analysis of design basis accidents are given in Table VII-4.

Acceptance criteria for operating modes

The operating modes (regimes) are rated as acceptable based on the following:

— Normal operation modes — non-excess of the operation limits;

— Modes with abnormal operation occurrences, including pre-accidental situations — non-excess of the safe operation limits;

— Design basis accidents — non-excess of the safe operation limits and the design limits for design basis accidents;

— Beyond design basis accidents — non-excess of the specified radiation criteria.

Summary of approaches to the provision of radiation safety

Radiation safety of personnel, the population and the environment is provided according to the following basic concepts:

• Radiation impact on personnel, the population and the environment during normal operation and accidents does not exceed limits established in the GT-MHR project, which are in full compliance with regulatory documents;

• The reactor plant structures and means of radiation protection and radioactive product localization (isolation) are designed taking into account technical and administrative measures aimed at a reduction of radiation levels and air radioactivity in the NPP rooms, at a reduction of emissions of radionuclides to the environment, and at a reduction of radiation doses to personnel and the population, as well as at maintaining these radiation parameters at a reasonably achievable low level.

(1) Physical barriers

Provision of radiation safety is based on the use of physical barriers intended to prevent releases of radioactive products into the environment.

(2) Biological shielding

Biological shielding is one of the barriers to the propagation of ionizing radiation from the reactor plant. According to regulatory requirements, biological shielding is designed with a margin factor of two for the radiation dose rate.

(3) Technical and administrative measures

Several administrative and technical measures are provided for in the project to maintain radiation doses to personnel and the population at a minimum possible level:

— Establishment of a buffer area and a restricted access area around the NPP;

— Execution of the radiation, dosimetric, and process control;

— Establishment of a restricted access area and a ‘free’ area at the NPP;

— Use of closed circuits with radioactive fluids;

— Filtering of radioactive substances emitted into the environment;

— Use of the containment to retain radioactive products.

Fuel handling operations are performed using protective containers to avoid fuel assembly damage and radioactive product release. Appropriately shielded containers are provided to protect personnel against radiation impacts during dismantling of reactor unit components.

The effective annual radiation dose for the population beyond the buffer area during normal operation of the GT-MHR is much lower than the quota of 20 pSv/year established in regulatory documents. Under abnormal operation conditions, the release of radioactive substances and/or ionizing irradiation does not exceed safe operation limits adopted in the design for normal operation.

In the AHWR, natural convection is the mode of coolant circulation to remove heat from the reactor core under both normal and shutdown conditions. Figure VI-3 shows the main heat transport (MHT) system and the passive decay heat removal system of the AHWR. A two phase steam water mixture generated in the core flows through the tail pipes to the steam drum, where steam gets separated from water. The separated water flows down through the downcomers to the reactor inlet header (RIH). From the header it flows back to the core through inlet feeders.

During a shutdown, core decay heat is removed by isolation condensers (ICs) submerged in a 6000 m3 capacity GDWP. Passive valves are provided downstream from the ICs. These valves operate on steam drum pressure and establish an interaction between steam drums and the ICs in hot shutdown conditions. The steam, brought to the ICs by natural convection, condenses inside the IC pipes immersed in the GDWP. The condensate is then returned to the core by gravity.

The ICs are designed to bring MHT temperature down from 558 K to 423 K. The water inventory in GDWP is adequate to cool the core for more than three days without any operator intervention and without boiling of the GDWP water.

During normal shutdown, when the main condenser is available, decay heat is removed by natural convection in the main heat transport circuit and heat is transferred to the ultimate heat sink through the main condenser. The IC system removes heat when the main condenser is not available. In the case of unavailability of both the IC and the main condenser, decay heat can be removed by an active system making use of MHT purification coolers.

Bhabha Atomic Research Centre (BARC),
India

X — 1. DESCRIPTION OF THE CHTR CONCEPT

The Compact High Temperature Reactor (CHTR) is a lead-bismuth cooled beryllium oxide moderated reactor, designed to operate mainly with 233U-Th fuel. The concept of this reactor, which is initially being developed to generate about 100 kW(th), has a core lifetime of 15 years and incorporates several advanced passive safety features to enable its operation as a compact power pack in remote areas not connected to the electrical grid. The reactor, being designed to operate at 1000°C, would also facilitate demonstration of technologies for high temperature process heat applications, such as hydrogen production by splitting of water. The CHTR concept is described in detail in [X-1].

The CHTR core consists of 19 prismatic beryllium oxide (BeO) moderator blocks. These moderator blocks have graphite fuel tubes located centrally. Each fuel tube carries fuel inside 12 equidistant longitudinal bores. The fuel tube also serves as a coolant channel. CHTR fuel is based on tri-isotropic (TRISO) coated particle fuel. Coated particles are mixed with graphite powder as a matrix material and shaped into cylindrical fuel compacts. Fuel bores of each of the 19 fuel tubes are packed with fuel compacts. Eighteen blocks of beryllium oxide reflector surround the moderator blocks. Centrally, these blocks accommodate the passive power regulation system. Graphite reflector blocks surround these beryllium oxide reflector blocks. Cross-sectional layout of the reactor core is shown in Fig. X-1 below.

The core and the reflector part of the reactor are contained in a metallic shell resistant to corrosion against Pb-Bi eutectic alloy coolant, and suitable for high temperature applications. Top and bottom closure plates made of similar material close this reactor shell. Above the top cover plate and below the bottom cover plate, coolant plenums are provided. These plenums have flow guiding blocks made of graphite and have passages for coolant flow to increase the velocity of coolant between fuel tubes and down-comer tubes. Two gas gaps surround the reactor shell and act as insulators during normal reactor operation, reducing heat loss in the radial direction. A finned outer steel shell is provided, which is surrounded by a heat sink. Nuclear heat from the reactor core is removed passively by Pb-Bi eutectic alloy coolant, which flows due to natural circulation between the bottom and the top plenums; upward through fuel tubes, and returning downward through down-comer tubes. Heat utilization vessels are located on top of the upper plenum, providing an interface to systems for high temperature heat applications. A set of sodium heat pipes is provided in the upper plenum of the reactor for passive transfer of heat from the upper plenum to the heat utilization vessels. Three passive systems are provided to remove heat in the case of postulated accident conditions. One of the systems has a set of heat pipes to transfer heat from the upper plenum to the atmosphere in the case of a postulated accident. Another passive system is intended to fill gas gaps with molten metal in the case of an abnormal rise in coolant outlet temperature, so as to facilitate conduction flow of reactor heat to the outside heat sink. To shut down the reactor, a set of seven shut off rods is included, which fall driven by gravity into the central seven coolant channels. Major design and operating parameters of the CHTR are shown in Table X-1.

CHTR component layout is shown in Fig. X-2.

CHTR fuel consists of 233UC2, ThC2, and small amounts of gadolinium as burnable poison (provided only in central fuel tube). Thorium and burnable poisons make the fuel temperature coefficient negative, thus making the reactor inherently safe. The fuel is in the form of fuel compacts made up of TRISO coated particle fuel embedded in graphite matrix. This type of fuel can withstand temperatures up to 1600°C [X-1, X-2]. A typical CHTR fuel bed consists of a prismatic BeO moderator block with a centrally located graphite fuel tube carrying the fuel compacts. Schematics of a fuel particle, a fuel compact, and a single fuel bed are shown in Fig. X-3.

Outer Steel Shell Gas Gaps High Conductivity shells Inner Shell

Graphite Reflector Downcomer Tubes

BeO Reflector Reactor Regulating System

BeO Moderator

Fuel Tube Fuel

FIG. X-1. Cross-sectional layout of CHTR core.

TABLE X-1. MAJOR DESIGN AND OPERATING PARAMETERS OF CHTR [X-1]

Shutdown System

HUSI Vessels Heat Pipes

Gas Gap Filling System

Upper Plenum

Downcomer Tubes

Fuel Tube Coolant

BeO Moderator

BeO Reflector

Graphite Reflector

Inner Shell

Gas Gaps

High Conductivity shells

Outer Steel Shell

Downcomer Tubes

Lower Plenum

Passive Power Regulation System

X — 2. PASSIVE SAFETY DESIGN FEATURES OF THE CHTR

The inherent and passive safety features falling under category A defined in IAEA-TECDOC-626 [X-3] are the following:

• A strong negative Doppler coefficient of the fuel for any operating condition, resulting in a reduction of reactor power in the case of fuel temperature rise during any postulated accident scenario;

• High thermal inertia of the all ceramic core and low core power density, resulting in very slow temperature rise of reactor core components as well as fuel during a condition when all heat sinks are lost;

• A large margin between normal operating temperature of the fuel (around 1100°C) and the allowable limit of TRISO coated particle fuels (1600°C), intended to retain fission products and gases and resulting in their negligible release during normal operating conditions. This also provides a ‘healthy’ margin of around 500°C to take care of any unwanted global or local power excursions;

FIG. X-3. Schematic of TRISO coated particle fuel, fuel compact and a single fuel bed.

• A negative moderator temperature coefficient results in lowering of reactor power in the case of an increase in moderator temperature due to any postulated accident condition;

• Due to the use of a lead-bismuth alloy based coolant having a very high boiling point (1670°C), there is a very large thermal margin to Pb-Bi boiling, the normal operating temperature being 1000°C. This eliminates the possibility of heat exchange crisis and increases the reliability of heat removal from the core. The coolant operates at low pressure, there is no over pressurization and no chance of reactor thermal explosion due to coolant overheating;

• The high temperature Pb-Bi coolant, which is maintained in an inert gas atmosphere, is itself chemically inert. Even in the eventuality of accidental contact with air or water, it does not react violently and does not cause any explosions or fires;

• Due to the above atmospheric melting point of 123°C, even in the case of a primary system leakage, coolant solidifies and prevents further leakage;

• There is small thermal energy stored in the coolant, which is available for release in the event of a leak or accident;

• Very low coolant pressure allows for the use of a graphite/carbon based coolant channel having a low neutron absorption cross-section, thus improving the neutronics of the reactor;

• Low induced long lived gamma activity of the coolant, such that in the case of leakage the coolant retains iodine and other radio-nuclides;

• For Pb-Bi coolant, the reactivity effects (void, power, temperature, etc.) are negative; thus reducing reactor power in the case of any inadvertent power or temperature increase.

The passive safety systems falling under Categories B, C, D defined in IAEA-TECDOC-626 [X-3] are described below.

Safety objectives for the GT-MHR are first achieved by relying on the inherent safety features incorporated into plant design, which are described below.

Thermal stability of the reactor core

Thermal stability of the reactor core is ensured by the use of:

— Fuel in the form of small particles with several coating layers, which can effectively retain fission products at high temperatures (up to 1600°C) and high fuel burnups (up to 70% of fissile materials for Pu fuel);

— Graphite as the structural material for the core. Graphite has a sublimation temperature of about 3000°C and, therefore, can withstand high temperatures. Graphite structures maintain their strength even at temperatures higher than those possible in accidents. This feature ensures stability of the reactor core configuration and prevents fuel redistribution over the core volume in accidents;

— Annular reactor core with a relatively low power density (6.5 MW/m3).

TABLE VII-1. MAIN DESIGN CHARACTERISTICS

FIG. VII-3. Reactor building.

Neutronic stability of the reactor core

Neutronic stability of the reactor core is ensured by:

— High degree of reactor power self-control and self-limitation owing to negative feedback on reactor core temperature and reactor power;

— Self-shutdown capability of the reactor core at temperatures below the minimum level allowable from the viewpoint of reliable operation of the fuel particles;

— The fact that the coolant has no impact on the neutron balance because of ‘zero’ neutron absorption and scattering cross-sections. The latter prevents an uncontrolled increase of reactor power during variations in coolant density as well as under coolant loss in accidents.

Chemical stability

Chemical stability of the plant is ensured by the helium coolant being:

— Chemically inert;

— Not prone to phase changes, which rules out sharp variations of heat removal conditions in the core. Structural stability

Structural stability of the plant is attributed to:

— No large diameter pipelines used in the primary circuit;

— No steam generator (with associated complexities related to operation using a two phase coolant); no large diameter steam lines, and no steam condensing circuit existing in the plant;

— By-design prevention of large scale depressurization of vessel system components.

Dynamic stability

Dynamic stability of the reactor core is secured by:

— Core cooling by natural processes; prevention of a core meltdown in all credible accidents including primary circuit depressurization without compensation for coolant loss;

— Plant capability to switch to a safe state without control actions if all power supply sources are lost;

— Plant capability to maintain such a safe state over a long time period (dozens of hours) in hypothetical critical situations without emergency protection (EP) actuation and with no organized heat removal from the reactor.

Activity localization

Passive localization or radioactivity is provided mainly by containment designed for the retention of helium-air fluid during accidents with primary circuit depressurization. The containment is also designed for external loads, which may apply to seismic impacts, aircraft crash, air shock waves, etc. Radioactivity release from the containment into the environment is determined by the containment leakage level, which is about 1% of the volume per day at an emergency pressure of 0.5 MPa. Results of safety analyses carried out at the preliminary design stage are being used to elaborate technical measures in an effort to reduce the requirements of containment characteristics.

Physical properties of the reactor core and engineering features of the GT-MHR reactor plant ensure that the temperature of the coated particle fuel is kept below 1600°C in any accidents with heat removal failure, including a complete failure of all active means of reactor emergency protection and shutdown. The effectiveness of fuel element claddings (coatings), which provide the main protective barrier for retention of fission products within fuel element boundaries, could, therefore, be maintained. With this measure, the radiation consequences of design basis and beyond design basis accidents do not exceed established limits. Altogether, this indicates that no protective measures would be required for the population beyond the buffer area.

This system provides for the injection of water directly into the reactor core in three stages. In the first stage, injection from the accumulator takes place, see Fig. VI-4. In the second stage, water flows from the GDWP under gravity, providing core cooling for three days. In the third stage, water accumulated in the reactor cavity is pumped back to the GDWP, from which it eventually enters the core. The first and the second stages of ECCS are passively actuated and do not depend on any active component. The important components of the ECCS are the GDWP, which has been discussed in Section VI-1, and an advanced accumulator equipped with a fluidic device as shown in the right part of Fig. VI-4.

The FFCD consists of a vortex chamber with one outlet, a tall vertical stand pipe and a small tangential side connection with two inlets. With the incorporation of a fluidic flow control device (FFCD) at the bottom of the accumulators, the large amount of water which is flowing directly into the core in the early stage of a LOCA is reduced to a relatively small amount and continues to flow for a longer time into the core, removing the decay heat. The FFCD is a simple passive device which reduces flow automatically after some time because of an increase in the pressure drop due to the formation of vortex. This passive feature provides many safety benefits suc as design simplicity and high reliability, and cools the core for a longer time.

CHTR incorporates a passive power regulation system (PPRS). This system operates on the principle of an increase in gas pressure with temperature, thereby pressurizing and forcing a column of molten metal with floating absorbing material into the core. This introduces negative reactivity in the core. Depending on the sensed temperature rise, the system would stabilize at a particular value of reactivity insertion. PPRS operation was analyzed using an in-house developed computer code. This passive system can be classified as a category-B passive system [X-3]. It is a safety grade system. A brief description of the system is provided below.

The passive power regulation system consists of 18 different passive power regulation units (PPRU), each of which is centrally housed in the 18 beryllia reflector blocks. Schematic view of a PPRU is shown in Fig. X-4.

The PPRU has a tube-in-tube design. The outer tube is a control tube and the inner tube is the driver tube. The driver tube also serves as a guide to the absorber. The boron carbide (B4C) based absorber is an annular structure; it is housed in the annular space between the control and driver tubes. There is liquid lead-bismuth in these tubes, and the two tubes are in fluidic communication via orifices at the bottom of the driver tube. Free liquid surfaces are maintained in both of the tubes. The volume above the liquid is filled with helium. The

© Gas Header © Guide Tube © Control Tube © Absorber Rod © Driving Liquid

—©

FIG. X-4. Schematic view of PPRS.

absorber floats on the lead-bismuth. A gas header is provided at the top of the driver tube; it is located in the upper plenum, submerged in the coolant. This system operates on the principle of a change in gas pressure with temperature and, therefore, is a category-B passive system [X-3].

When the reactor is critical, the PPRS absorber is located at particular insertion in the core. At this steady state, the gas in the header will be at equilibrium with the coolant temperature in the upper plenum. Any deviation from this equilibrium state will cause the gas to either pressurize or depressurize the driver tube, due to a respective increase or decrease in temperature. As the control and driver tubes are in fluidic communication, this pressure change will be communicated to the control tube. The net result will be a change in liquid lead-bismuth levels in both tubes. Since the absorber is riding on the free liquid surface in the annular space between the control and driver tubes, it will also be pushed in or pulled out with pressurization or depressurization, respectively, thereby changing the reactivity. This system is capable of shutting down the reactor.

In addition to the inherent (self-protection) features of the reactor, the GT-MHR plant incorporates safety systems based on the following principles:

(1) Simplicity of both system operation algorithm and design;

(2) Usage of natural processes for safety system operation under accident conditions;

(3) Redundancy, physical separation and independence of system channels;

(4) Stability in the case of internal and external impacts and malfunctions caused by accident conditions;

(5) Continuous or periodical diagnosis of system conditions;

(6) Conservative approach used in design, applied to the list of initiating events, to accident scenarios, and for the selection of definitive parameters and design margins.

All safety systems are designed with two channels. Regulatory safety requirements are met through compliance with both deterministic and probabilistic criteria, and are secured by exclusion of active elements in a channel or by applying the required redundancy of such active elements inside a channel, as well as via the use of the normal operation systems to prevent design basis accidents.

Passive safety systems

A summary of passive systems in the GT-MHR is given below, in line with the classification suggested by IAEA-TECDOC-626 [VII-2].

Category A systems

Category A passive systems [VII-2], which are certain static structures with no moveable mechanical parts, liquids or energy sources are as follows:

— Fuel particles with multilayer coatings;

— Annular graphite reactor core and reflector;

— Reactor vessel system and power conversion unit (PCU) vessel;

— Leaktight primary circuit;

— The containment.

Certain attributes of the Category A passive systems could also be classified as inherent or ‘by-design’ safety features. Their role in the overall safety design of the GT-MHR is highlighted at the beginning of this section.

Category B systems

Category B passive systems [VII-2], which incorporate natural convection driven liquids but no actuation devices and no moving mechanical parts or energy sources, are represented by the reactor cavity cooling system (RCCS), see Fig. VII-1.

If it is impossible to use systems that remove heat through the PCU and the shutdown cooling system (SCS), emergency heat removal is carried out by the RCCS. The RCCS includes two independent passive cooling channels of similar efficiency. Each RCCS channel consists of a water circuit with a surface cooler and a water tank, a heat tube circuit with evaporating sections arranged in the tank, an air circuit formed by special air ducts with condensation sections in heat tubes, and exhaust tubes. Heat from the reactor core is removed from the reactor vessel to the RCCS surface cooler, the heat tubes and then to atmospheric air due to natural processes of heat conduction, radiation and convection. Circulation of water and air in RCCS channels is driven by natural convection.

The RCCS functions continuously during normal operation and in accidents, i. e., it is continuously available, ruling out the need for operator or control system actions when switching over from normal operation mode to emergency heat removal. Passive RCCS removes residual heat released during a LOCA. In such a case, reactor core cooling does not require compensation of coolant loss.

The RCCS is a normal operation system, which also shoulders the functions of a safety system. It is a safety grade system.

Tables VII-5 to VII-9 below provide the designer’s response to questionnaires developed at an IAEA technical meeting Review of Passive Safety Design Options for SMRs, held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on provisions of IAEA Safety Standards [VII-3] and other IAEA publications [VII-4, VII-2]. The information presented in Tables VII-5 to VII-9 provided a basis for the conclusions and recommendations of the main part of this report.

TABLE VII-5. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE GT-MHR DESIGN

TABLE VII-6. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

Specific hazards that are of concern

# for a reactor line Explain how these hazards are addressed in a SMR

(high temperature gas cooled reactors)

List of initiating events for AOO/DBA/BDBA
typical for a reactor line
(high temperature gas cooled reactors)

Design features of the GT-MHR used to
prevent progression of the initiating events
to AOO/DBA/BDBA, to control DBA,
to mitigate BDBA consequences, etc.

A. Events for abnormal operation and pre-accidental conditions

1. Events associated with changes of reactivity and power distribution

1.1 Inadvertent removal of one or several of the most effective control rods from the reactor core

1.2 Inadvertent insertion of one or several of the most effective control rods into the reactor core

1.3 Inadvertent insertion of absorbing elements from the RSS hoppers into the reactor core

1.4 Incorrect fuel assembly loading into the reactor core and then its operation

2. Events associated with failures of heat removal from the primary circuit

2.1 Complete stop of water circulation through the PCU heat exchangers

2.2 Ruptures of the PCU cooling water system pipelines within and beyond the containment

2.3 SCS failures in standby modes (stop of water circulation and ruptures of the SCS cooling water system pipelines within the containment)

3. Events associated with a decrease of coolant flow rate through the reactor core

3.1 Failures of the turbomachine or of individual turbomachine components, which require an emergency shutdown of the turbomachine

3.2 Inadvertent opening of the bypass shut-off and control valves of the turbomachine control and protection system

3.3 Increase of bypass flows in the primary coolant circulation path due to inadvertent opening of valves or due to depressurization of in-vessel components

3.5 Fuel assembly damage during refuelling

C. Events for beyond design basis accidents (taking into account additional failures)

1. Events associated with loss of power supply sources

1.1 Blackout

1.2 Blackout with a complete failure of the RCCS

-Effective reactor shutdown system (RSS)

1.3 Blackout with a failure of actuation of the reactor with spherical absorbing elements emergency protection system (ATWS)

2. Events associated with reactivity variation (taking into account additional failures)

2.1 Inadvertent withdrawal of several most effective — Passive localization of radioactivity in the

control rods from the reactor core with actuation containment

failure of the reactor emergency protection system (ATWS)

List of initiating events for AOO/DBA/BDBA
typical for a reactor line
(high temperature gas cooled reactors)

Design features of the GT-MHR used to
prevent progression of the initiating events
to AOO/DBA/BDBA, to control DBA,
to mitigate BDBA consequences, etc.

3. Events associated with a decrease of the coolant flow rate through the reactor core (taking into account additional failures)

3.1 Turbomachine failure or failure of individual turbomachine components, which require an emergency shutdown of the turbomachine, with actuation failure of the reactor emergency protection system (ATWS)

4. Events associated with primary circuit leakage (taking into account additional failures)

4.1 Primary circuit depressurization with a blackout and ingress of a considerable amount of air into the primary circuit (CPS standpipe guillotine break)

4.2 Primary circuit depressurization with actuation failure of the reactor emergency protection system (ATWS), a blackout and ingress of a considerable amount of air into the primary circuit (CPS standpipe guillotine break)

4.3 Rupture of the helium transportation pipelines and storage system beyond the containment, followed by a failure of the system for activity localization within the primary circuit, and a blackout

4.4 Inter-circuit depressurization of the primary circuit and of the PCU or SCS cooling water circuits, followed by a failure of the isolation systems, a blackout, and ingress of a considerable amount of water into the primary circuit

TABLE VII-8. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENSE IN DEPTH LEVELS

REFERENCES TO ANNEX VII

[VII-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006). [VII-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[VII-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[VII-4] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

Annex VIII

Passive containment coolers (PCCs) are used to provide post-accident primary containment cooling in a passive mode, as well as to limit post-accident primary containment pressure. The PCCs are located below the GDWP and are connected to the GDWP inventory, see Fig. VI-5. During a LOCA, condensation of steam and cooling of hot air are achieved via cooling provided by natural convection of GDWP water through the PCC tubes. This design feature ensures long term containment cooling after an accident.

Passive containment isolation system

The reactor has a double containment, i. e., incorporates primary and secondary containment. Between the two containments, a negative pressure in relation to the atmosphere is maintained to ensure that there is no release of radioactivity to the atmosphere. The primary containment envelops the high enthalpy and the low enthalpy zones designated as volume V1 and volume V2, respectively. Volume V2 is normally ventilated to the atmosphere through a ventilation duct, as shown in Fig. VI-6.

There is a very remote possibility of a release of radioactivity along with steam into the containment under accidental conditions. Under such accidental conditions, it is of paramount importance to isolate the containment from the atmosphere within a minimum possible time. The AHWR incorporates a scheme of containment isolation requiring no actuation by active means. This passive scheme is based on isolation of the containment atmosphere by establishing a liquid U-seal in the ventilation duct. A theoretical model is formulated to determine the time required for the formation of such a liquid seal.

TO ECC HEADER

ADVANCED ACCUMULATOR WITH FFCD

The scheme consists of an isolation water tank comprising the two compartments, one having a connection with volume V1 through a vent shaft, and the other having a connection with volume V2 via the normal ventilation duct, as shown in Fig. VI-6. A vertical baffle plate, running from the top of the tank, separates the two compartments. The baffle plate, however, does not run through the full height of the tank. The bottom portion of the tank allows the two compartments to communicate. It should be noted that volume V2 is normally ventilated to the atmosphere through a ‘U’ duct, which has a branched connection to the isolation water tank outlet. In the event of volume V1 reaching a certain preset pressure, the water level in another compartment of

CORE

-]—A—|—I—I—x— ►-Ч

Rd liquid

RD POISON

FIG. VI-7. Passive shutdown by MHT high pressure (RD is for rupture disc).

the tank rises to spill the water into the ‘U’ duct. Thus, the isolation of volumes V1 and V2 from the atmosphere is ensured by securing a water seal at the base of the U duct. The seal must form in a minimum possible time, typically in the order of a few seconds, to ensure that the isolation is effective. Tests are to be conducted to identify degrading factors which could adversely affect the performance of this system. A probable degrading factor could be incomplete venting of air from the U tube.