DESIGN FEATURES TO ACHIEVE DEFENCE IN DEPTH IN SMALL AND MEDIUM SIZED REACTORS

Passive shutdown system

The CHTR incorporates a passive shutdown system. Under normal operation, this system holds a set of seven shut-off rods made of tungsten above the reactor core by individual electromagnets, whose magnetic holding power is energized by a set of low power batteries. These shut-off rods are passively released under abnormal conditions when the temperature of the coolant or core rises. The shut-off rods fall into the central bore of the fuel tubes provided for coolant flow. This is a fail-safe system: in case of a loss of battery power, the shut-off rods would fall and shut down the reactor. This passive system can be classified as a Category-D passive system [X-3]. It is a safety grade system.

Passive core heat removal under normal operation

During normal operation of the reactor, core heat is removed by natural circulation of lead-bismuth eutectic alloy coolant. This passive system can be classified as a Category-B passive system. It is a safety grade system. A brief description of it is given below.

The reactor operates at 100 kW(th), and the lead-bismuth eutectic alloy coolant flowing in the main heat transport system by natural circulation removes the heat generated in the fuel. Lead-bismuth eutectic alloy has a high boiling point (1670°C) at atmospheric pressure. This facilitates a low pressure primary system, which is a safety feature of liquid metal cooled reactors. The main coolant circulating loop comprises fuel tubes, downcomers and top and bottom plenums. A simplified view of the system discussed is shown in Fig. X-5. The fuel transfers energy to the coolant flowing upward inside the fuel tubes by natural circulation. The coolant enters the fuel tubes from the lower plenum at 900°C, picks up the reactor heat, and is delivered to the upper plenum at 1000°C. The active heat generation length in the reactor is 700 mm. The buoyancy head developed in the coolant loop is adequate to maintain the required flow rate for normal power levels. A computer code, based on the law of conservation of momentum, was developed for this analysis.

Passive transfer of heat to the secondary system

A set of 12 high temperature sodium heat pipes passively transfers heat from the upper plenum of the reactor to a set of heat utilization vessels, which are located directly above the upper plenum. This system can be classified as a Category-B passive system [X-3]. It is a safety grade system.

Category C systems

Category C passive systems [VII-2], which incorporate direct action actuation devices requiring no energy sources, are represented by the primary circuit overpressure protection system.

The primary circuit overpressure protection system protects the reactor unit, including the PCU, and other primary circuit equipment items, from pressure increase above allowable limits. The primary circuit overpressure protection system includes:

— Two overpressure protection trains;

— Pipelines;

— Primary measuring transducers.

Each overpressure protection train is a passive device because it is actuated by the direct action of the working fluid on a sensitive element. The system working fluid is the primary circuit coolant, highly pure helium. The overpressure protection trains are arranged in the PCU cavity.

The primary circuit overpressure protection system is a safety grade system.

Category D systems

Category D passive systems [VII-2], which incorporate ‘passive execution/active initiation’ type features, include:

— Bypass valve system of the turbomachine control and protection system (TM CPS);

— Emergency reactor shutdown system;

— Control systems;

— Localizing valves.

The bypass valve system of the TM CPS fulfils the following functions:

— Prevention of turbomachine over speed during loss of external load;

— Turbomachine emergency shutdown during failure of the turbomachine or the PCU equipment, and in blackouts;

— Rapid decrease of electric power in reactor plant normal operation mode.

When the bypass valves open, a portion of the primary coolant flow bypasses the reactor core and the turbine, thus decreasing the electric power generated by the reactor plant through a decrease in the helium flow rate and expansion ratio in the turbine, an increase of the flow rate and power in the compressors, or an increase in the power removed in the precooler and intercooler.

The TM CPS bypass valve system incorporates:

— Four bypass shut-off and control valves DN300;

— Electrically driven shut-off valves;

— Pipelines.

The redundancy scheme adopted for the bypass shut-off and control valves is based on the single failure principle: with one failed valve, the reactor plant can continue power operation until shutdown and maintenance.

The bypass valve system is a normal operation system, which shoulders the functions of a safety system. It is a safety grade system.

Two independent reactivity control systems based on different operation principles are used to execute reactor emergency shutdown and maintenance in a sub-critical state; these systems are:

(1) Electromechanical reactivity control system based on control rods moved into reactor core channels and the inner and outer reflectors;

(2) Reserve shutdown system (RSS) based on spherical absorbing elements that fill in channels in the fuel assembly stack over the whole height of a fuel assembly.

The electromechanical reactivity control system consists of 54 control rods with individual drives and provides for reactor emergency shutdown and maintenance in a subcritical state, taking into account cooling and unpoisoning, under a one (most effective) rod stuck condition. Control rods are inserted into the core driven by gravity, from any position and without the use of external power sources, in the case of de-energization actuated by control system signals. The electromechanical reactivity control system is a normal operation system, which shoulders the functions of a safety system. It is a safety grade system.

Reactor emergency shutdown signals are generated automatically according to parameters of different physical nature or via pressing corresponding buttons in the main and standby control rooms.

The RSS includes 18 RSS drives with individual hoppers containing absorbing elements, and 18 channels in the reactor core stack into which boric absorbing spheres are inserted. Each RSS channel may be filled individually. The RSS is intended to shut down the reactor and keep it in an unpoisoned cold subcritical state in case of a failure of the control rod based system, taking into account a postulated single failure in the system.

The RSS is started through a power supply to the RSS drive motors and through opening of the gates of hoppers containing absorbing elements. The RSS drives are powered by the emergency power supply system, which uses two emergency diesel generators. The absorbing boric spheres are inserted by gravity.

The design and materials of absorbing elements exclude primary coolant contamination by the absorber. RSS fulfils the functions of a protective safety system.

The RSS is a safety grade system.

GT-MHR NPP control and support safety systems (CSS) are intended to actuate the equipment, mechanisms and valves of the localizing and support safety systems in pre-accident conditions and in accidents; to monitor their operation; and to generate control commands for the equipment of normal operation systems used in safety provision algorithms.

The CSS are based on the principles of redundancy, physical and functional separation, and safe failure.

The CSS include two independent three-channel sets of equipment, with ‘2 out of 3’ emergency signal processing logic implemented in each set. Each set is capable of carrying out the safety functions in full. The CSS sets are physically separated so that internal (fire, etc.) or external (aircraft crash, etc.) impacts do not lead to a control system failure and an inability to perform the required functions.

The CSS provide automated and remote control of equipment of safety systems from the independent main and standby control rooms. Principal technical features are selected using the concept of a safe failure — blackouts, short circuits, or phase breaks start emergency signals in the channels or initiate safety actions directly. The CSS are safety grade.
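As an added illustration (not code from the GT-MHR design documentation), the following Python models the CSS logic described above: two independent three-channel sets, ‘2 out of 3’ voting in each set, and the safe-failure principle under which a channel lost to a blackout, short circuit or phase break is counted as an emergency signal rather than silently ignored. The channel names, the set point and the readings are constructed for the example.

```python
"""Two-out-of-three emergency signal voting with safe-failure channel handling.

Constructed example: channel names, set point and readings are invented, and the
units of the readings are arbitrary.  The structure follows the CSS description:
two independent three-channel sets, '2 out of 3' logic per set, and a lost
channel treated as a demand (safe failure).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence


class ChannelState(Enum):
    NORMAL = "normal"  # parameter within limits, channel healthy
    TRIP = "trip"      # parameter beyond the emergency set point
    FAULT = "fault"    # channel lost: blackout, short circuit or phase break


@dataclass(frozen=True)
class Channel:
    name: str
    reading: Optional[float]  # None models a de-energised or open channel
    set_point: float          # emergency set point (constructed value)
    high_trip: bool = True    # True: trip when reading >= set point


def evaluate_channel(ch: Channel) -> ChannelState:
    """Classify one measuring channel; a missing reading is a FAULT, never NORMAL."""
    if ch.reading is None:
        return ChannelState.FAULT
    if ch.high_trip:
        exceeded = ch.reading >= ch.set_point
    else:
        exceeded = ch.reading <= ch.set_point
    return ChannelState.TRIP if exceeded else ChannelState.NORMAL


def vote_2oo3(states: Sequence[ChannelState], fault_counts_as_trip: bool = True) -> bool:
    """'2 out of 3' vote over one three-channel set.

    Under the safe-failure principle a FAULT channel is counted like a TRIP, so a
    set with one lost channel degrades to '1 out of 2' on the survivors.  Ignoring
    the fault instead (fault_counts_as_trip=False) would require both survivors
    to agree, which can mask a genuine demand; the flag exists only to show the
    difference.
    """
    if len(states) != 3:
        raise ValueError("a CSS set has exactly three channels")
    votes = sum(
        1 for s in states
        if s is ChannelState.TRIP or (fault_counts_as_trip and s is ChannelState.FAULT)
    )
    return votes >= 2


def emergency_shutdown_demanded(set_a: Sequence[Channel], set_b: Sequence[Channel]) -> bool:
    """Two independent, physically separated sets; each can carry out the safety
    function in full, so the protective action is initiated when either set votes."""
    return (vote_2oo3([evaluate_channel(c) for c in set_a])
            or vote_2oo3([evaluate_channel(c) for c in set_b]))


def make_set(prefix: str, readings: Sequence[Optional[float]],
             set_point: float = 1000.0) -> List[Channel]:
    """Build one three-channel set from constructed readings."""
    return [Channel(f"{prefix}{i + 1}", r, set_point) for i, r in enumerate(readings)]


if __name__ == "__main__":
    healthy = make_set("B", [940.0, 945.0, 938.0])
    scenarios = {
        "all channels normal": (make_set("A", [941.0, 939.0, 944.0]), healthy),
        "one spurious high reading": (make_set("A", [1050.0, 939.0, 944.0]), healthy),
        "two channels above set point": (make_set("A", [1050.0, 1020.0, 944.0]), healthy),
        "one channel above set point, one lost": (make_set("A", [1050.0, None, 944.0]), healthy),
        "set A blacked out, set B normal": (make_set("A", [None, None, None]), healthy),
    }
    for label, (a, b) in scenarios.items():
        print(f"{label:40s} -> shutdown demanded: {emergency_shutdown_demanded(a, b)}")
```

The last two scenarios show the safe-failure behaviour: a lost channel does not weaken the remaining pair, and a blacked-out set initiates the action directly.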

Redundant localizing valves are used to prevent loss of coolant at depressurization of auxiliary systems of the primary circuit and to localize inter-circuit leaks of coolant from the primary to the adjacent circuits.

Air-driven normally closed bellows shut-off valves are used for localization. During normal operation of the plant the shut-off valves are open. Air to the pneumatic drives of the shut-off valves is supplied by electromagnetic control air distributors. The shut-off valves are actuated by the energy of a compressed spring when there is a loss of power supply to the air distributor electromagnets or a release of air from the pneumatic drives of the valves. The valves and air distributors can be controlled automatically (actuated upon control system signals), remotely, or manually (by a manual drive supplementing the pneumatic drive).

Localizing valves fulfil the function of a localizing safety system. The localizing valves are safety grade.

Active safety systems

The GT-MHR design has no dedicated active safety systems. Active systems of normal operation, such as the power control unit (PCU) and the shutdown cooling system (SCS), are used for safety purposes. These systems remove heat under abnormal operation conditions, during design basis accidents (DBA) and in beyond design basis accidents (BDBA).

SAFETY DESIGN FEATURES OF THE 4S-LMR

Central Research Institute of Electric Power Industry and Toshiba Corporation,

Japan

VIII — 1. DESCRIPTION OF THE 4S-LMR CONCEPT

The Super-Safe Small and Simple Liquid Metal cooled Reactor (4S-LMR) is a small sodium cooled fast reactor concept under development in Japan by the Central Research Institute of Electric Power Industry (CRIEPI) and Toshiba Corporation; its features include long operation without on-site refuelling. This concept is described in detail in Annex XV of [VIII-1].

The 4S-LMR is being developed to meet the needs of certain segments of the diverse global energy market [VIII-1]. An economic disadvantage is pointed out as the principal obstacle to realizing small reactors. Higher safety levels are also needed, because the number of nuclear power plants would increase in case small reactors are deployed around the world. Improved economic performance tends to be incompatible with enhanced safety levels, as shown by the experience of nuclear power reactors of previous generations. Stronger reliance on passive safety design options is expected to establish a certain synergy between economic performance and safety. To facilitate such a synergy, the 4S-LMR is being designed to ensure simple operation, simplified maintenance, including refuelling, a high safety level, and improved economic performance. A specific design policy for the 4S-LMR could be summarized in the following nine design objectives:

(1) No refuelling over 10 — 30 years;

(2) Simple core burnup control without control rods and without control rod driving mechanisms;

(3) Reactor control and regulation executed by systems and components not belonging to the reactor system;

(4) Quality assurance and short construction period based on factory fabrication of the reactor unit;

(5) Minimum maintenance and inspection of reactor components;

(6) Negative reactivity coefficients on temperature; negative sodium void reactivity;

(7) No core damage in any conceivable initiating events without the reactor scram;

(8) Safety system independent of emergency power systems and not incorporating active decay heat removal systems;

(9) Complete confinement of radioactivity under any operational conditions and in decommissioning.

Items 1 through 5 are related to simplification of the systems and maintenance. Items 6 through 9 are related to safety design.

Based on the abovementioned design objectives, the 4S-LMR concept supplies multiple passive safety design features. Such an approach could help realize a high safety level and simultaneously reduce the number of auxiliary systems otherwise required to support safety functions of the safety system. The resulting reduction in the number of systems and system simplification may, in turn, reduce the required scope of maintenance work.

Small reactors are meant to be installed closer to end users. In order to allay public fears, a ‘sense of security’ is essential, which means that a transparent safety concept, a proven or easily demonstrable technology, and a small number of systems are cumulatively preferable. A fully passive heat removal system is employed in the 4S-LMR so that auxiliary support systems can be eliminated. 4S-LMR safety can easily be demonstrated in full scale tests, because of its small size. Design status and passive safety features of the 4S-LMR are described in reference [VIII-1]. This reference also presents safety performance of the reactor in anticipated transients without scram and combinations thereof, based on completed safety analyses.

The 4S-LMR incorporates a load following capability provided by a simple control of the feed water rate in the power circuit. Analyses have shown that the reactivity of core thermal expansion, which is one of the passive reactivity feedbacks, is important to realize this option. Core thermal expansion feedback also helps to secure reactor safety. Specifically, analytical results predict that the presently selected cladding material, HT-9, is compatible with the mechanism of core expansion reactivity feedback. It is also shown that flow rate control of the secondary pump would enhance the power range of reliable reactor operation due to improved stability of the steam generator on the steam-water side. As irregular load following operation affects schedule preprogramming, the plant control systems of the 4S-LMR would be reconsidered in case the reactor is assumed to operate at partial power.

The 4S-LMR is a pool type sodium cooled fast reactor with a steam-water power circuit. The power output is 50 MW(e), which corresponds to 135 MW(th). The refuelling interval for the variant considered in this description is 10 years. Major specifications of the 4S-LMR are listed in Tables VIII-1 and VIII-2.

Figure VIII-1 shows the vertical layout of the reactor, including the primary heat transport system (PHTS). The PHTS consists of the containment vessel (guard vessel), the reactor vessel, the intermediate heat exchanger (IHX), the electromagnetic (EM) pumps, the reflectors, the internal structures, the core, and the shielding.

The reactor vessel is 3 m in diameter and 18 m in height and is divided into the inner part of a coolant riser plenum and the outer part of a coolant down-comer by an inner cylinder of 1.8 m diameter. The inner cylinder accommodates the core and the reflector. It also accommodates the reflector drivelines and the ultimate shutdown driveline. In the outer part, there are the direct heat exchanger (DHX) of the primary reactor auxiliary cooling system (PRACS), the intermediate heat exchanger (IHX), the electromagnetic (EM) pumps, and the radial shield assemblies, from top to bottom. As a design option, PRACS can be replaced by an intermediate reactor auxiliary cooling system (IRACS), which removes shutdown heat via secondary sodium in either the active (normal operation) or the passive (postulated initiating events) mode. The primary coolant travels from the riser into the down-comer and then returns into the coolant plenum underneath the core. There are no moving parts inside the reactor vessel except for the reflector, which moves very slowly, at 1~2 mm per week.

The guard vessel covers the reactor vessel to prevent a loss of the primary coolant. The guard vessel also forms the containment boundary, together with the top dome. A natural draught air cooling system between the guard vessel and the cavity wall, the so-called reactor vessel auxiliary cooling system (RVACS), is designed as a passive decay heat removal system. The PRACS (or IRACS) mentioned above is then the second passive decay heat removal system. These two systems are redundant and diverse.

TABLE VIII-1. MAJOR DESIGN PARAMETERS OF THE 4S-LMR

Reactor:

— Diameter [m]: 3.0

— Height [m]: 18.0*

— Reactor vessel thickness [mm]: 25

— Guard vessel thickness [mm]: 15

Inner cylinder:

— Inner diameter [m]: 1.84

— Thickness [mm]: 15

Reflector:

— Material: Graphite

— Height [m]: 2.1

— Thickness [mm]: 300

Core barrel:

— Inner diameter [m]: 1.33

— Thickness [mm]: 10

Primary electromagnetic (EM) pump:

— Rated flow [m3/min.]: 50

— Head [MPa]: 0.08 × 2

* from bottom to coolant free surface

TABLE VIII-2. MAJOR DESIGN SPECIFICATIONS OF THE 4S-LMR

— Thermal output [MW]: 135

— Electrical output [MW]: 50

— Primary coolant condition [°C] (outlet/inlet): 510/355

— Secondary coolant condition [°C] (outlet/inlet): 475/310

— Steam condition [°C/MPa]: 453/10.8

— Core diameter [m]: 1.2

— Core height [m] (inner/outer): 1.0/1.5

— Number of fuel sub-assemblies (inner/outer): 6/12

— Number of reflector units: 6

— Reflector thickness [m]: 0.3

— Core lifetime [years]: 10

— Plant lifetime [years]: 30

— Number of fuel pins: 469

— Fuel pin diameter [mm]: 10.0

— Cladding thickness [mm]: 0.59

— Smear density [%TD]: 75

— Pitch/Diameter: 1.15

— Duct thickness [mm]: 2

— Duct gap [mm]: 2

— Bundle pitch [mm]: 258

— Assembly length [mm]: 4800

— Average burnup [GW day/t]: 70

— Pu enrichment [weight %] (inner/outer): 17.5/20.0

— Maximum linear heat rate [kW/m]: 25

— Conversion ratio (middle of cycle): 0.71

— Coolant void reactivity (end of cycle) [%]: ~0

— Burnup reactivity swing [%]: ~9

— Core pressure drop [MPa]: ~0.1

The primary pump system consists of two EM pumps arranged in series. Each EM pump is a sodium immersed self-cooled type pump with an annular single stator coil. The total rated flow is 50 m3/min, and each pump has a 0.08 MPa head. Such a series arrangement of pumps provides a favourable inherent response in the case of a single pump seizure: the decrease of core flow is mitigated by the pump that is still working, ‘using’ its Q-H (flow-head) curve. In a parallel pump arrangement, by contrast, reverse flow may occur through the failed pump.

The annular reflector, divided into six segments, controls reactivity in the reactor core and compensates the burnup reactivity swing. Any stuck event or malfunction of the reflector driving systems will eventually result in a subcritical reactor state, because the negative reactivity due to fuel burnup will no longer be compensated by the slow upward movement of the reflector. Dropping the reflector will make the reactor subcritical from any operational state, due to the resulting increase in neutron leakage from the core.

The intermediate heat transport system (IHTS) consists of one EM pump, one steam generator (SG), the piping, and a dump tank. The EM pump is integrated in the SG.

The 4S-LMR core is designed for lifetime operation without on-site refuelling and provides for negative reactivity coefficients and a reduced pressure drop at a relatively large core height. The requirement of a 10-year core lifetime could reduce maintenance work and contribute to non-proliferation [VIII-1]. Negative reactivity coefficients and a reduced pressure drop could enhance safety by providing intrinsic protection against loss of flow (LOF) events. The selection of core height was also limited by the available choices for performing full-core irradiation tests, in view of the existing facilities.

Fig. VIII-2 shows the 4S-LMR core configuration. There are 6 inner sub-assemblies and 12 outer sub-assemblies. The ultimate shutdown rod is arranged at the centre of the core. It is a backup shutdown system; the primary shutdown system provides for dropping down the reflector. The active height of the inner core is shorter than that of the outer core. This 0.5 m sodium region above the inner core helps to decrease the coolant density reactivity coefficient over the entire core. Coolant void reactivity is kept below zero during the core lifetime and is nearly zero at the end of core life.

The average core outlet temperature was selected based on the condition of not exceeding the minimum liquefaction temperature of 650°C, at which a (metallic) fuel-steel eutectic starts to be formed. The hottest interface temperature between the outer fuel surface and the inner cladding surface was evaluated using the hot channel factor of ~1.9 (including the engineering safety factor), which is a conservative assumption. Safety design criteria for the cladding were also evaluated taking into consideration cladding thinning due to this metallurgical effect.

Reactivity feedback coefficients on temperature integrated over the core region are summarized in Table VIII-3. Reactivity feedback coefficients on fuel density, the coolant and the structures (cladding and duct) were derived from a diffusion calculation in R-Z geometry based on the perturbation theory. Density coefficients multiplied by thermal expansion rates of the fuel and structures make up the temperature coefficients. The thermal expansion rate of the cladding was used to describe fuel axial expansion. Because the expansion rate of the cladding is smaller than that of the fuel, such an approach produced conservative results. The safety analyses performed considered spatial distributions of reactivity coefficients and expansion effects.

FIG. VIII-2. Core configuration of the 4S-LMR (Annex XV [VIII-1]).

TABLE VIII-3. REACTIVITY FEEDBACK COEFFICIENTS ON TEMPERATURE INTEGRATED OVER THE CORE VOLUME

— Doppler, T(dk/dT): -2.80 × 10^-3

— Fuel, (Δk/kk')/°C: -7.29 × 10^-6

— Coolant, (Δk/kk')/°C: -3.23 × 10^-6

— Structure, (Δk/kk')/°C: -0.50 × 10^-6

Passive shutdown on MHT high pressure

This shutdown system passively injects poison into the moderator by using the increased system steam pressure in the case of a low probability event of failure of the wired (sensors, signal carriers and actuators) shutdown systems. The AHWR has two independent shutdown systems, one comprising mechanical shut off rods (SDS-1) and the other employing the injection of a liquid poison into the low pressure moderator (SDS-2). Both these shutdown systems require the actuation of active signals for a reactor shutdown to occur. The proposed scheme of a passive shutdown is actuated by high steam pressure due to the unavailability of a heat sink, following a failure of the SDS-1 and the SDS-2. The schematics of a passive shutdown by MHT high pressure are shown in Fig. VI-7.

In the event of a pressure rise, high steam pressure opens a rupture disc and the steam pressure is transmitted to open a passive valve connected to the pressurized poison tank; the reactor is shut down by passive poison injection into the moderator. Following the reactor shutdown, the system reaches a hot shutdown condition due to effective passive decay heat removal by the ICs. Inadvertent poison injection is avoided by keeping a margin between the rupture disc burst pressure and the pressure rise expected after a reactor shutdown by SDS-1 or SDS-2.

FIG. VI-8. Schematic view of passive concrete cooling system.

Passive heat removal under postulated accident conditions

The CHTR has three independent and redundant passive heat removal systems to cater to different postulated accident conditions. These heat removal systems, which are individually capable of removing a neutronically limited power of 200 kW(th) (200% of normal reactor power), may operate together or independently to prevent the temperature of the core and coolant from increasing beyond a set point. For a loss of load condition, when the coolant circuit is intact, a system of six variable conducting sodium heat pipes dissipates heat to the atmosphere. A system of 12 carbon-carbon composite variable conducting heat pipes provided in the reactor core fills the need when coolant is lost. Another passive heat removal system involves the filling of two gas gaps, provided outside the reactor vessel, by a siphon action with molten metal to provide a conduction heat path from the reactor core to a heat sink outside the outer steel shell. Each of these three systems can be classified as a Category-B passive system [X-3]. These are safety grade systems. A brief description of the gas gap filling system is provided below; its schematic view is shown in Fig. X-6.

FIG. X-6. Gas gap molten metal filling based passive accident condition heat removal system.

The system consists of a reservoir located above the upper plenum and subdivided into compartments. Liquid metal is stored in the reservoir, which is fitted with siphon tubes and bulbs. One end of each siphon is dipped into the liquid metal and the other opens into the inner gas gap; multiple siphon tubes are employed. The bulb is located immediately downstream of the heat pipes and normally senses a temperature of 900°C. If the heat pipes become unavailable, the bulb immediately senses the coolant temperature of 1000°C. This would increase the pressure of the gas inside the bulb, cause the liquid metal to rise inside the siphon tube and, ultimately, start the siphon. The liquid metal would then exit into the inner gas gap and also fill the outer air gap through holes in the inner gas gap wall. The gas inside the gas gap would be pushed into a gas tank. A connector between the liquid metal and the gas tank would handle the decrease in pressure caused by the fall in the level of liquid metal in the reservoir, such that after some time the pressure in the reservoir and the gas gaps would be equalised.

The CHTR incorporates the following active systems, which are all non-safety-grade.

Passive shutdown — reset system:

In order to move the shut off rods to their position of suspension in electromagnets, CHTR employs a motorized and wire rope based active system. This is a backup system.

Passive gas gap heat removal — reset system:

In order to drain and move molten metal from the gas gaps to a reservoir, CHTR employs an electromagnetic pump based reset system. This is a backup system.

Defuelling and refuelling system:

After the fuel has been operated to the desired burnup, fuel tubes containing fuel compacts will be replaced by new fuel tubes carrying fresh fuel compacts. This replacement operation will be done using an active system. This is a backup system.

ROLE OF PASSIVE SAFETY DESIGN FEATURES IN DEFENCE IN DEPTH

Defence in depth concept

Safety of plant personnel and of the population living near an NPP site is ensured by consistent implementation of the defence in depth concept in plant design. This concept stipulates the application of several barriers to the release of ionizing radiation and radioactive substances into the environment, as well as the application of technical features and administrative measures to protect and maintain the effectiveness of the barriers and to protect personnel, the population and the environment.

Effectiveness of the protective barriers under accident conditions is maintained mainly through inherent reactor (self-protection) features based on negative feedback and natural processes, and due to the use of passive safety systems.

Physical barriers for the GT-MHR are:

— Coated fuel particles;

— Fuel compacts;

— Fuel assemblies;

— Leaktight primary pressure boundary (vessel system);

— The containment.

The reliable retention of fission products within fuel assemblies is ensured by:

(1) The design of coated particle fuel and fuel assemblies based on available experience in fuel element design, testing and operation. The GT-MHR utilizes ceramic fuel in the form of 200 μm spherical particles with multilayer pyrocarbon and silicon carbide coatings (coated fuel particles), which are dispersed in the graphite matrix (fuel compact). Silicon carbide is the main barrier preventing a release of gaseous and volatile fission products. Fuel compacts and fuel assemblies are made of graphite, which provides the effective retention of solid fission products;

(2) Design features to prevent fuel overheating under abnormal operation conditions;

(3) Design features to provide a large temperature margin between the operation limit and the safe operation limit; crisis free heat removal from the fuel elements during normal and abnormal operation, including design basis accidents;

(4) Design features ensuring that fuel temperature does not exceed 1600°C in any accident involving failure of heat removal from the reactor, including the failure of all ‘active’ means of reactor shutdown and cooling. In this way, the effectiveness of the main protective barrier (protective coating on fuel kernels limiting fission product release beyond the boundaries of coated fuel particles) is maintained.

PASSIVE SAFETY DESIGN FEATURES OF THE 4S-LMR

The design philosophy of the 4S-LMR is to emphasize simple, passive and inherent safety features as a major part of the defence in depth strategy. The ultimate objective in the 4S-LMR safety design is to eliminate the requirement of population evacuation as an emergency response measure.

The inherent safety features of the 4S-LMR are:

• Low power density in the core;

• Good thermal characteristics of the metallic fuel bonded by sodium;

• Negative reactivity coefficients of temperature;

• Negative sodium void reactivity coefficients;

• Large coolant inventory;

• Elimination of active or feedback control systems operating inside the reactor vessel;

• Elimination of components consisting of rotating parts (application of static devices such as EM pumps);

• Limitation of the radioactivity confinement area (no on-site refuelling and no systems for fuel loading/unloading and shuffling, no fuel storage facilities in the reactor or on-site);

• Multiple barriers against fission product release, including:

— The fuel cladding;

— The reactor vessel, the upper plug and the IHX tubes;

— The top dome and the guard vessel as containment;

• Relatively small radioactive inventory of a small power reactor;

• Prevention of sodium leakage, and mitigation of its impact if it does occur, through double boundaries for sodium with a detection system for the small leakage that occurs in the event of one boundary failure:

— The reactor vessel and guard vessel for primary sodium;

— Double piping, tubes and vessels for secondary sodium, including heat transfer tubes of the SG.

The passive safety systems of the 4S-LMR are the following:

• An automatic sodium drain system from the SG to the dump tank — if a sodium-water reaction occurs, an increase in cover gas pressure in the SG causes secondary sodium to drain rapidly to the dump tank located beneath the SG (without rupture disks);

• Two diverse and redundant passive shutdown (residual) heat removal systems operating on natural convection of the coolant and natural air draft (PRACS or IRACS and RVACS).

For shutdown (residual) heat removal, two independent passive systems are provided; RVACS and IRACS (or PRACS, see Section VIII-1). The reactor vessel auxiliary cooling system (RVACS) is completely passive and removes shutdown heat from the surface of the guard vessel using natural draught of air. There are no valves, vanes or dampers in the flow path of the air; thus RVACS is always working, even in normal (rated) operation. Two stacks are provided to obtain sufficient draft.

The IRACS removes shutdown heat via the secondary sodium. In normal shutdown, heat is removed by forced circulation of air with a blower driven by normal electric power; IRACS can also remove the required amount of heat solely through natural circulation of both air and sodium in the case of postulated initiating events.

The 4S-LMR incorporates no active safety systems. However, there are several active systems providing normal operation of the reactor at rated (or derated) power. In normal operation heat is removed from the core by forced convection of sodium driven by EM pumps. The compensation of burnup reactivity swing is performed by very slow upward movement of the reflector. An advanced driving mechanism for such movement is being considered [VIII-1].

No information was provided on whether certain systems of the 4S-LMR are safety grade.

Passive concrete cooling system

A passive concrete cooling system is designed to protect the concrete structure of the reactor in a high temperature zone (volume V1). A schematic of the passive concrete cooling system is shown in Fig. VI-8. Cooling is achieved by the circulation of a coolant from the GDWP in natural convection mode through cooling pipes located between the concrete structure and the insulation panel surrounding the MHT system hot piping. Heat loss from the high temperature MHT piping is reduced by the insulation panel. Heat transferred through the insulation panel is removed in a natural convection mode by GDWP water through pipes fixed on a corrugated plate on the outer surface of the insulation panel. This passive design maintains the concrete temperature at below 55°C. It also eliminates the need for high capacity blowers and prevents consequences that otherwise may result from equipment or power supply failures which might lead to a temperature increase in the concrete structure.

The AHWR incorporates two independent fast acting wired (sensors, signal carriers and actuators) shutdown systems, which could be categorized as category D passive systems [VI-2]; they are:

• Shutdown system-1 (SDS-1), based on mechanical shut-off rods with boron carbide absorbers in 40 lattice positions. In case of a signal requiring reactor trip, shut-off rods fall under gravity into the core in less than two seconds to achieve the required reactivity worth;

• Shutdown system-2 (SDS-2), based on liquid poison injection into the moderator. On a trip signal, a quick opening valve located between the helium gas tank and the poison tank opens, letting high pressure helium gas communicate with the poison tank. As a result, the liquid poison is driven out from the poison tank into the moderator by helium gas pressure.

The AHWR incorporates no dedicated active safety systems. As was already mentioned above, when both the IC and the main condenser are unavailable, decay heat can be removed in an active mode, using MHT purification coolers.

The passive systems are safety grade.

Some major highlights of passive safety design features in the MARS, structured in accordance with the various levels of defence in depth [VI-3, VI-4], are described below.

Level 1: Prevention of abnormal operation and failure

(a) Elimination of the hazard of loss of coolant flow:

• Heat removal from the core under both normal full power operating conditions and shutdown conditions is performed by natural convection of the coolant; this eliminates the hazard of a loss of coolant flow;

(b) Reduction of the extent of overpower transient:

• Slightly negative void coefficient of reactivity;

• Low core power density;

• Negative fuel temperature coefficient of reactivity;

• Low excess reactivity.

Level 2: Control of abnormal operation and detection of failure

• An increased reliability of the control system achieved with the use of high reliability digital control using advanced information technology;

• Increased operator reliability achieved with the use of advanced displays and diagnostics using artificial intelligence and expert systems;

• Large coolant inventory in the main coolant system.

Level 3: Control of accidents within the design basis

• Increased reliability of the emergency core cooling system, achieved through passive injection of cooling water (initially from an accumulator and later from the overhead GDWP) directly into a fuel cluster through four independent parallel trains;

• Increased reliability of a shutdown, achieved by providing two independent shutdown systems, one comprising the mechanical shut-off rods and the other employing injection of a liquid poison into the low pressure moderator. Each of the systems is capable of shutting down the reactor independently. Further enhanced reliability of the shutdown is achieved by providing an additional passive shutdown device operated by steam pressure for the injection of a poison in the case of an extremely low probability failure of both the mechanical shut-off rods and the liquid poison shutdown system;

• Increased reliability of decay heat removal, achieved through a passive decay heat removal system, which transfers decay heat to the GDWP by natural convection;

• Large inventory of water inside the containment (about 6000 m³ of water in the GDWP) provides prolonged core cooling, meeting the requirement of an increased grace period.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents [51]

• Double containment;

• Passive containment isolation;

• Vapour suppression in GDWP;

• Passive containment cooling.

PROBABILITY OF UNACCEPTABLE RADIOACTIVITY RELEASE BEYOND THE PLANT BOUNDARY

The probability of unacceptable radioactivity release beyond the plant boundary is targeted to be less than 1 × 10^-7/year.

X-7. MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

Due to the above mentioned features provided in the reactor, no adverse effects in the public domain are anticipated.

X-8. SUMMARY OF PASSIVE SAFETY DESIGN FEATURES FOR CHTR

Tables X-2 to X-6 below provide the designer's response to questionnaires developed at an IAEA technical meeting, "Review of passive safety design options for SMRs", held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [X-4] and other IAEA publications [X-5, X-3]. The information presented in Tables X-2 to X-6 provided a basis for the conclusions and recommendations of the main part of this report.

Columns: #; Safety design features; What is targeted?

1. High negative Doppler (fuel temperature) coefficient. Targeted: reduction of the extent of overpower transient so as to keep the maximum fuel (kernel of TRISO coated particle fuel) temperature less than 1600°C

2. Burnable poison in fuel

3. Small excess reactivity

4. Pb-Bi coolant: reactivity effects (void, power, temperature, etc.) are negative

5. Negative moderator temperature coefficient

6. Low core power density

7. TRISO coated particle fuel. Targeted: low probability of release of fission products and gases even at very high temperatures of up to 1600°C

8. High heat capacity ceramic core. Targeted: large thermal inertia ensures slow temperature rise of fuel even when all heat sinks are lost

9. Use of Pb-Bi eutectic alloy as coolant. Targeted:

• Chemically inert to water and air at high temperature;

• High boiling point and good thermal properties increase reliability of heat removal from the core;

• Operating temperature that is much below the boiling point results in a low pressure system, reducing the possibility of high pressure related accidents as well as facilitating the use of carbon based coolant tubes so as to improve neutron economy;

• In the case of a leakage, it solidifies, preventing further leakage as well as retaining the radioactive nuclides present in the coolant.

10. Heat removal from the core by natural circulation. Targeted: elimination of pump failure related initiating events, such as loss of coolant flow

11. Passive power regulation system. Targeted: passive power regulation

12. Two independent shutdown systems. Targeted: redundancy in reactor protection during transient/postulated accident conditions

13. A system of gas gap filling with high conductivity molten metal. Targeted: passive means of core heat removal under abnormal conditions and of transfer of heat to a heat sink outside the shell

14. Heat pipe based heat removal system during normal operation. Targeted: transfer of heat passively from coolant to heat utilizing system vessels

15. Variable conductance heat pipes. Targeted: heat dissipation from coolant to the outside environment during postulated accident conditions

16. Carbon-carbon composite heat pipes. Targeted: heat dissipation from the reactor core to the outside environment during postulated accident conditions

17. Large capacity heat sink outside the outer steel shell. Targeted: absorb neutronically limited power fully in case of postulated accident conditions
Columns: #; Specific hazards that are of concern for a reactor line; Explain how these hazards are addressed in an SMR

1. Prevent unacceptable reactivity transients

• Passive power regulation and shutdown systems;

• Highly negative Doppler (fuel temperature) coefficient;

• TRISO coated particle fuel, capable of withstanding very high temperature and retaining fission products;

• Large heat capacity all ceramic core, resulting in slow temperature rise;

• Negative moderator temperature coefficients;

• Three redundant and passive heat removal systems to dissipate neutronically limited power to the atmosphere/heat sink;

• Pb-Bi coolant, ensuring that reactivity effects (void, power, temperature, etc.) are negative.

2. Avoid loss of coolant

• Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in case of a break in the circuit and eventually solidifies;

• Natural circulation of Pb-Bi coolant in normal operation mode with no piping or joints in the circuit, thus reducing chances of loss of coolant;

• High boiling point of Pb-Bi coolant (1670°C).

3. Avoid loss of heat removal

• Natural circulation of Pb-Bi in normal operation mode;

• Three redundant and passive heat removal systems to dissipate neutronically limited power to atmosphere/heat sink under postulated accident conditions.

4. Avoid loss of flow

• Natural circulation of Pb-Bi coolant in normal operation mode; no piping or joints in the circuit, thus avoiding the possibility of loss of flow.

5. Avoid exothermic chemical reactions: graphite fire (reaction with oxygen/water)

• Graphite with SiC as outer coating is unlikely to burn;

• Blanket of inert gas on top of the coolant;

• Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in the case of a break in the circuit and eventually solidifies, giving a low probability of ingress of a large quantity of air;

• Water ingress in the core and contact with the graphite is an unlikely event, as water is present only as an ultimate heat sink outside the thick steel vessel with no openings.

6. Polonium activity (specific for lead-bismuth eutectic cooled reactors)

• Inert gas blanket provided on top of the coolant prevents the coolant from coming in contact with air, thus preventing the release of radioactivity;

• In case of a leak, the coolant will solidify, preventing further leakage.

TABLE X-4. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA)

Columns: #; List of initiating events for AOO/DBA/BDBA typical for a reactor line (heavy liquid metal cooled reactors); Design features of CHTR used to prevent progression of initiating events to AOO/DBA/BDBA, to control DBA, to mitigate BDBA consequences, etc.

1. Inadvertent withdrawal of one control rod of the passive power regulation system creating positive reactivity

• High negative Doppler (fuel temperature) coefficient;

• Passive power regulation and shutdown systems;

• Negative moderator temperature coefficient;

• Pb-Bi coolant, for which reactivity effects (void, power, temperature, etc.) are negative.

2. Loss of load accident

• Highly negative Doppler (fuel temperature) coefficient;

• Two redundant and passive heat removal systems to dissipate the neutronically limited power to a heat sink;

• Passive power regulation and shutdown systems;

• Large heat capacity of the all ceramic core results in a slow temperature rise;

• Low core power density;

• TRISO coated particle fuel with high temperature margin to failure.

3. Loss of coolant accident

• High negative Doppler (fuel temperature) coefficient;

• Passive shutdown system;

• Carbon-carbon composite heat pipes provided in the core to dissipate heat;

• Large heat capacity of the all ceramic core results in a slow temperature rise;

• Low core power density;

• TRISO coated particle fuel with high temperature margin to failure.

4. Air ingress to the primary coolant system

• Graphite with SiC as outer coating is unlikely to burn;

• Blanket of inert gas on top of the coolant;

• Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in the case of a break in the circuit and eventually solidifies, giving a low probability of a large quantity of air ingress.

Initiating events specific to this particular SMR: nothing in particular specified here.

Columns: #; Safety design features; Category A-D (for passive systems only), according to IAEA-TECDOC-626 [X-3]; Relevant DID level, according to NS-R-1 [X-4] and INSAG-10 [X-5]

12. Two independent shutdown systems. Category: for reduction of the extent of possible overpower transient so as to keep the maximum fuel (kernel of TRISO coated particle fuel) temperature less than 1600°C, one B and the other D; for loss of load accident, one B and the other D; for loss of coolant accident, one B and the other D. DID level: 2, 3

13. A system of gas gap filling with high conductivity molten metal. Category: loss of load accident, A. DID level: 3

14. Heat pipe based heat removal system during normal operation. Category: B. DID level: 1, partially 3

15. Variable conductance heat pipes, intended to dissipate core heat. Category: loss of load accident, B. DID level: 3

16. Carbon-carbon composite heat pipes, intended to dissipate core heat. Category: loss of coolant accident, B. DID level: 3

17. Large capacity heat sink outside the outer steel shell. Category: loss of load accident, A. DID level: 4

18. Construction of the reactor in an underground pit. Category: external events, A. DID level: 4

TABLE X-6. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

Natural circulation of heavy metal coolant: saving in pump costs and associated components; saving due to simplified design and maintenance.

Passive heat removal based on gas gap filling with molten metal in accident conditions: simplified design and maintenance with an associated reduction in cost.

REFERENCES TO ANNEX X

[X-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, IAEA, Vienna (2007).

[X-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[X-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[X-4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[X-5] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[X-6] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

CONTRIBUTORS TO DRAFTING AND REVIEW

Delmastro, D.

Comision Nacional de Energia Atomica, Centro Atomico Bariloche, Argentina

Carelli, M.

Westinghouse Science and Technology, USA

Petrovic, B.

Westinghouse Science and Technology, USA

Mycoff, C.

Westinghouse Science and Technology, USA

Gautier, G.-M.

DER/SESI/LESA CEA Cadarache, France

Delpech, M.

CEA-Saclay-DEN-DDIN, France

Naviglio, A.

The University of Rome ‘La Sapienza’, Italy

Cumo, M.

The University of Rome ‘La Sapienza’, Italy

Nishimura, S.

Central Research Institute of Electric Power Industry (CRIEPI), Japan

Nayak, A. K.

Reactor Engineering Division, Thermal Hydraulics Section, Bhabha Atomic Research Centre, India

Devictor, N.

CEA/DEN/DER/SESI/LCFR, France

Saha, D.

Reactor Engineering Division, Bhabha Atomic Research Centre, India

Dulera, I. V.

Reactor Engineering Division, Bhabha Atomic Research Centre (BARC), Trombay, Mumbai, India

Shepelev, S.

Experimental Design Bureau of Machine Building (OKBM), Russian Federation

Lepekhin, A. N.

Experimental Design Bureau of Machine Building (OKBM), Russian Federation

Sienicki, J. J.

Innovative Systems Development, Nuclear Engineering Division, Argonne National Laboratory (ANL), USA

Wade, D. C.

Nuclear Engineering Division, Argonne National Laboratory (ANL), USA

Minato, A.

Nuclear Energy Strategy Office, Central Research Institute of Electric Power Industry (CRIEPI), Japan

Sinha, R. K.

Reactor Engineering Division, Bhabha Atomic Research Centre (BARC), Trombay, Mumbai, India

Kuznetsov, V.

International Atomic Energy Agency, Vienna, Austria

Structure of the IAEA Nuclear Energy Series

Key: BP: Basic Principles; O: Objectives; G: Guides; T: Technical Reports; Nos. 1-6: Topic designations; #: Guide or Report number (1, 2, 3, 4, etc.)

Examples:

• NG-G-3.1: Nuclear General (NG), Guide, Nuclear Infrastructure and Planning (topic 3), #1;

• NP-T-5.4: Nuclear Power (NP), Report (T), Research Reactors (topic 5), #4;

• NF-T-3.6: Nuclear Fuel (NF), Report (T), Spent Fuel Management and Reprocessing, #6;

• NW-G-1.1: Radioactive Waste Management and Decommissioning (NW), Guide, Radioactive Waste (topic 1), #1.

[1] IAEA-TECDOC-936 [5] defines an innovative design as a design “that incorporates radical conceptual changes in design approaches or system configuration in comparison with existing practice” and would, therefore, “require substantial R&D, feasibility tests and a prototype or demonstration plant to be implemented”.

[2] Throughout this report, ‘passive shutdown’ denotes bringing the reactor to a safe, low-power state with balanced heat production and passive heat removal, with no failure to barriers preventing radioactivity releases to the environment; all relying on inherent and passive safety features only, with no operator intervention, no active safety systems involved, and no requirement for external power and water supplies, as well as with the grace period infinite for practical purpose.

[3] Some PWRs use primary circuit with internal steam generators but have external control rod drives, such as the Republic of Korea’s SMART [2].

[4] A relatively large coolant inventory in the primary circuit, resulting in large thermal inertia

[5] Inherent safety features provided by design and contributing to larger thermal margins, lower parameter variation, better reactor self-control, slower pace of transients, and damping of perturbations in design basis events. These features are highlighted in numbers 1-13 of Table 3;

(2) All designs incorporate at least two redundant and diverse shutdown systems; see numbers 14-24 of Table 3. These systems may be passive, such as those using mechanical control rods inserted into the core driven by gravity or by the force of springs, or active, such as those using standard mechanical control rods. Some passive systems are passively actuated, e.g., by system de-energization, by core temperature sensor, or other means. The role of safety injection systems with borated water is essentially reduced in some cases, e.g., in the IRIS and SCOR, or the function of a safety injection is coupled with core uncovery prevention, e.g., in the CAREM-25. Safety injection may be passive (IRIS) or active (SCOR); it may also be actuated passively, by disk rupture due to an overpressure situation (CAREM-25). For some designs (KLT-40S), safety injection of borated water is not indicated at all;

(3) All pressurized water SMRs incorporate passive residual heat removal systems of various design, often redundant, based on natural convection of the coolant; see numbers 25-32 of Table 3. Features of PWR type SMRs such as reduced core power density, relatively large coolant inventory in the primary circuit, or a taller reactor vessel, discussed in more detail above in conjunction with levels 1 and 2 of defence in depth, contribute to passive residual heat removal that is effective under a total power station blackout, with an increased or practically infinite grace period. It can be emphasized that all decay heat removal systems in all PWR type SMRs are passive, and most of them require no operator action to become actuated;

(4) Finally, numbers 33-36 of Table 3 indicate design features or systems dedicated to prevention of core uncovery in design basis accidents. These may include automatic depressurization systems, safety relief valves, long term gravity make-up systems and emergency boron injection systems also acting as make-up systems. All of the indicated systems are passive and passively actuated.

[6] KLT-40S — Exclusion of staff presence in compartments adjacent to the containment and in other compartments with high radiation levels.

• To limit radiation dose to the population living within a 1 km radius of the floating NPP it may be required (depending on the actual radiation situation) that some protective measures, such as iodine prophylaxis or sheltering, are implemented.

• As a protective measure, temporary limits could be established on the consumption of separate agricultural products grown in a radius of up to 5 km from the floating NPP contaminated by radioactive products.

• Evacuation of the population is not required at any distance from the floating NPP.

2 IRIS — Measures essentially not needed. An option to license IRIS with reduced or eliminated off-site emergency planning is under consideration; otherwise, the plant could be licensed using measures typical of a conventional PWR.

3 CAREM-25 — Measures essentially not needed. An option to license CAREM with simplified or abandoned off-site emergency planning requirements is considered, with a link to the risk-informed regulatory criteria for BDBA (see Fig. 6 and Annex III).

4 SCOR — No information was provided except for that on passive safety design features eliminating or preventing radioactivity releases beyond the plant boundary.

5 MARS — Deterministic and probabilistic safety analyses performed conclude that licensing of MARS may not require any off-site emergency planning.

[7] Long term passive decay heat removal may cause degradation of core structures, e.g., via graphite oxidation, etc.; therefore, early restart of normal operation systems is targeted in management of design basis accidents to facilitate continuation of normal operation of the plant after the accident.

[8] It should be noted that features of liquid metal cooled reactors such as passive load following and ‘passive shutdown’ have been more analyzed in the past for smaller reactors, such as EBR-II with 65 MW(th) or PRISM with 850 MW(th). However, for sodium and lead cooled fast reactors, there is no reason such features can’t be realized in larger reactors with nitride or metallic fuel. Certain analytical studies carried out in the past provide preliminary proof of this [26, 27, 28].

a It is noted that the operation of these systems may actually be unnecessary because the inherent and passive features are in any case capable of ensuring a 'passive shutdown', i.e., bringing the reactor to a safe low power state with balanced heat production and passive heat removal, with no failure of the barriers preventing radioactivity release to the environment, and with a practically indefinite grace period.

independent and redundant active or passive shutdown systems are available for cases in which all other measures of control and prevention turn out to be ineffective.

For Level 3 of defence in depth, “Control of accidents within design basis”, the contribution comes from the following main groups of design features:

[10] Inherent safety features, highlighted in numbers 1-8 of Table 30. In addition to the features already discussed in conjunction with defence in depth Levels 1 and 2, it is important to note negative whole core void worth provided by design in the 4S-LMR and inherent features of the lead cooled SSTAR and STAR — LM, practically eliminating the option of coolant boiling or gas bubbles arriving at the core (preventing the propagation of a design basis accident into a severe accident with transient overpower);

[11] By-design provisions for certain passive mechanisms such as radial expansion or enhanced levels of natural convection in the primary coolant system, highlighted in numbers 9-12 of Table 30;

[12] Two independent systems of reactor shutdown, provided in each design; see numbers 13-14 of Table 30. These operate based on gravity in the 4S-LMR, while in the SSTAR and the STAR-LM both systems are active and safety grade. For the SSTAR and STAR-LM, it is mentioned that the operation of these systems may actually be unnecessary because inherent and passive features are in any case capable of ensuring a ‘passive shutdown’ of the reactor;

[13] Not less than two redundant and diverse passive decay heat removal systems in each design, with some of them, possibly, providing several passive decay heat removal paths, and all using natural draught of air as an ultimate heat sink; see numbers 15-16 of Table 30;

[14] Special design features provided to prevent or mitigate the effects of pressurized medium from the power circuit getting into the primary circuit; see numbers 17-18 of Table 30.

[15] Inherent and passive safety features ensure lower probability of radioactivity material release to the environment (compared to present day light water reactors)

[16] Use of an all-ceramic core with high heat capacity and high temperature margins

[18] High density of Pb-Bi coolant, comparable to the density of the fuel

[19] It should be noted that all known designs and concepts of lead cooled reactors foresee no intermediate heat transport system, even if a steam turbine cycle is used for power conversion, which is most common [18].

[20] Supercritical carbon dioxide Brayton cycle energy conversion with CO2 working fluid that does not react chemically with Pb primary coolant

[21] The ‘soft’ pressurizer system is characterized by small changes in primary pressure under a primary coolant temperature increase.

[22] ‘Passive shutdown’ is used by designers to denote bringing the reactor to a safe low power state with balanced heat production and passive heat removal, with no failure to the barriers preventing radioactivity release to the environment; all relying on inherent and passive safety features only, with no operator intervention or active safety systems being involved, and no external power and water supplies being necessary, and with an infinite grace period for practical purpose.

[23] National regulations in some Member States are already technology neutral; examples are the United Kingdom or the Russian Federation.

[24] Risk informed regulations for beyond design basis accidents are already in place in some Member States, e.g., Argentina.

[25] Annex IV gives an example of how operation complexity of a plant could be quantified and used in comparative assessments of different design solutions.

[26] Failure surface [23] is an experiment backed predicted boundary of reliable operation of a passive safety system defined against all variables that may affect performance of such a system; it is used to support subsequent root cause analysis (actually, the failure surface defined in [23] is of iterative nature, also supporting identification of those tests that are still missing).

[27] In this context, an ‘item’ is a structure, system or component [2].

[28] A ‘soft’ pressurizer system is characterized by small changes of the primary pressure under a primary coolant temperature increase. This quality, due to a large volume of gas in the pressurizing system, results in an increased period of pressure increase up to the limit value under the total loss of heat removal from the primary circuit. For KLT-40S, the corresponding time is not less than 1.5 hours after the accident starts.

[29] The control area boundary coincides with the FPU boards, to the bow and stern directions it coincides with the monitored area boundaries, see Fig. I-2.

* Additional criteria for beyond design basis accidents not resulting in core damage

PERFORMANCE ASSESSMENT OF PASSIVE SAFETY SYSTEMS

Background and experience

As already mentioned, broad incorporation of inherent and passive safety design features has become a ‘trademark’ of many advanced reactor designs, including several evolutionary designs and the majority of innovative SMR designs [1, 2, 3, 4, 5]. In addition to various possible combinations of inherent and passive safety features (sometimes referred to as by design safety approaches [2]), all SMRs addressed in this report incorporate passive safety systems. Passive safety systems may include moving liquids or expanding solid structures, direct action devices, or stored energy sources. As suggested in IAEA-TECDOC-626 [6], those may be classified as passive systems of categories B, C, and D, accordingly, see Appendix 1. Passive safety systems require validation and testing to demonstrate and prove their reliable operation and quantify their reliability and, if necessary, adjust their design accordingly.

While individual processes may be well understood, combinations of these processes, which determine the actual performance of passive safety systems, may vary depending on changes in conditions of state, boundary conditions, and failure or malfunctioning of other components within the system, the circuit or the plant. Passive safety systems of category A, or inherent safety features, incorporate no moving liquids or moving solid structures, direct action devices, or stored energy sources. There is a consensus that such systems have a strong advantage [2, 3, 6]. Therefore, the issue of process performance reliability is most important for passive safety systems of categories B, C, and D [6].

There are certain accomplishments regarding the testing, construction, licensing or validation of passive systems of categories B, C, or D [6], such as the more recent WWER-1000 reactors and the KLT-40S of the Russian Federation, or the AP600, the AP1000, and the ESBWR of the USA [4, 7]. Experiment based deterministic approaches to the validation of passive systems, including separate-effect tests and integral tests of reactor models with subsequent qualification of analysis models and computer codes, have been established and accepted by regulators in some countries, in line with the conventional safety requirements also applied to active safety systems. The indicated deterministic approaches are generally successful with regulators when the basic technology involved is evolutionary, e.g., that of water cooled reactors, and backed by years of validation and testing, as well as reactor operation experience, and when passive systems are reasonably conventional in their design. When the technology is innovative or a passive safety system has a distinctly non-conventional set of features, the application of established deterministic approaches may require a multi-year resource consuming effort to accomplish validation, testing and demonstration of the reliable operation of such a system, prior to licensing approval of the corresponding advanced NPP.

The regulations in Argentina, China, Japan, Germany, India, France, the Russian Federation, and the USA already incorporate provisions for accepting the results of probabilistic safety assessments (PSA) on a complementary basis. In order to ensure that the PSA used in the risk informed decision making (RIDM) process is of acceptable technical quality, efforts are being made in different countries to provide PSA standards that define inherent technical features of a PSA acceptable for a regulatory body. An example is the ASME probabilistic risk assessment (PRA) standard [8], recently endorsed by the United States Nuclear Regulatory Commission (US NRC). In line with worldwide trends, the IAEA is developing a series of publications for the safety standards series on PSA and RIDM. One of the latter, named the Safety Guide on Development and Application of Level-1 PSA for NPPs [9], planned to be published in 2008, would provide recommendations on the technical content of PSA studies to reliably support various PSA applications.

The general trend towards a more risk informed approach (e.g., see Refs [10, 11]) is pursued with a focus on what is really important from the safety perspective, in order to achieve a design that is more favourable from the cost-benefit perspective. A methodology for reliability assessment of passive safety systems would enable quantification of the reliability to treat both active and passive safety systems within a common PSA approach. Several such methodologies are under development in Europe, India, and the USA [12-14]. What is important from the perspective of overall risk assessment is that these methodologies take into account uncertainties associated with unforeseen physical phenomena that may affect the operation of passive safety systems, worsening their reliability. All of the methodologies are at a preliminary stage of development and no consensus on a common approach had been established among their proponents at the time this report was being prepared. Two of these methodologies are described in brief below.