This system prevents core uncovery in the case of a LOCA. The system consists of two redundant accumulators with borated water connected to the RPV. The tanks are pressurized, so that during a LOCA, when pressure in the reactor vessel becomes relatively low, rupture disks break and flooding of the RPV starts, preventing core uncovery over a long period. The RHRS is also triggered to help depressurize the primary system when the area of a break is small.

Safety relief valves

Three safety relief valves protect the reactor pressure vessel against over-pressurization in the case of strong differences between core power and the power removed from the RPV. Each valve is capable of 100% of the necessary relief. Blow-down pipes are routed from the safety valves to the suppression pool.

Active safety systems

All safety systems of the CAREM are passive systems. All safety systems are safety grade.

For long term water inventory control and to maintain the reactor in a hot shutdown state, auxiliary active systems are used. These are class III safety grade systems [Ш-4].

There is a continued interest among Member States in the development and application of small and medium sized reactors (SMRs). In the very near term, most new nuclear power plants (NPPs) are likely to be evolutionary water cooled reactor designs building on proven systems while incorporating technological advances and often economies of scale, resulting in outputs of up to 1600 MW(e) from the reactor. For the longer term, the focus is on innovative designs to provide increased benefits in the areas of safety and security, non­proliferation, waste management, resource utilization and economics, as well as to offer a variety of energy products and flexibility in design, siting and fuel cycle options. Many innovative designs are implemented in reactors within the small to medium size range having equivalent electric power of less than 700 MW(e) or even less than 300 MW(e).

Incorporation of inherent and passive safety design features has become a ‘trademark’ of many advanced reactor concepts, including several evolutionary designs and nearly all innovative SMR design concepts. Ensuring adequate defence in depth is important for reactors with smaller output because many of them are being designed to allow greater proximity to the user, specifically when non-electrical energy products are targeted.

The IAEA provides a forum for the exchange of information by experts and policy makers from industrialized and developing countries on the technical, economic, environmental, and social aspects of SMR development and implementation. It makes this information available to all interested Member States by producing status reports and other publications focusing on advances in SMR design and technology development.

The objective of this report is to assist developers of SMRs in Member States in defining consistent defence in depth approaches regarding the elimination of accident initiators/prevention of accident consequences through design and incorporation of inherent and passive safety features and passive systems into safety design concepts of such reactors. Another objective is to assist potential users in Member States in their evaluation of the overall technical potential of SMRs with inherent and passive safety design features, including possible implications in areas other than safety.

This report is intended for different categories of stakeholders, including designers and potential users of innovative SMRs, as well as officers in ministries or atomic energy commissions in Member States responsible for implementing nuclear power development programmes or evaluating nuclear power deployment options in the near, medium, and longer term.

The main sections of this report present state of the art advances in defence in depth approaches based on the incorporation of inherent and passive safety features into the design concepts of pressurized water reactors, pressurized light water cooled heavy water moderated reactors, high temperature gas cooled reactors, liquid metal cooled fast reactors, and non-conventional designs within the SMR range. They also highlight benefits and negative impacts in areas other than safety arising from the incorporation of such features.

The annexes provide descriptions of the design features of 11 representative SMR concepts used to achieve defence in depth and patterned along a common format reflecting the definitions and recommendations of the IAEA safety standards. The annexes were prepared by designers of the corresponding SMRs.

The IAEA officer responsible for this publication was V. Kuznetsov of the Division of Nuclear Power.

EDITORIAL NOTE

This report has been edited by the editorial staff of the IAEA to the extent necessary for the reader’s assistance.

This report does not address questions of responsibility, legal or otherwise, for acts or omissions on the part of any person.

Although great care has been taken to maintain the accuracy of information contained in this publication, neither the IAEA nor its Member States assume any responsibility for consequences which may arise from its use.

The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.

The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.

Russian Federation

I — 1. DESCRIPTION OF A NUCLEAR INSTALLATION WITH THE KLT-40S REACTOR

The KLT-40S is a modular reactor unit developed for a pilot floating nuclear cogeneration plant (PATES, in Russian), currently under construction in Severodvinsk, the Russian Federation. The KLT-40S nuclear installation belongs to a class of pressurized water reactors. The KLT-40S reactor unit is shown in Fig. I-1. Major specifications of the KLT-40S nuclear installation are given in Table I-1. A detailed design description of a floating NPP with KLT-40S reactor installations is provided in [I-1].

The main design features of the KLT-40S are the following:

— Modular design of reactor unit: the reactor, the steam generators (SGs) and the main coolant pumps

(MCPs) are connected with short nozzles, without using long pipelines;

— Four-loop reactor cooling system with forced and natural convection of the coolant in the primary circuit;

— Leaktight primary circuit with canned motor pumps and leaktight bellows type valves;

— Once-through coil type SGs;

— Gas based pressurizer system in the primary circuit;

— Use of passive safety systems;

— Use of proven techniques for equipment assembly, repair and replacement; incorporation of proven

diagnostics equipment and proven monitoring systems.

The KLT-40S core is based on marine reactor technologies and incorporates materials that are exempted from the IAEA definition of direct use material.

To increase uranium fraction, a closely packed assembly structure of the core is adopted, which provides maximum possible fuel volume in a given core volume. The core contains fuel rods with cylindrical claddings made of corrosion resistant zirconium alloy. The fuel rods are similar to those of the ice-breaker reactors but incorporate fuel with higher uranium fraction; such fuel is based on uranium dioxide granules in the inert matrix.

Each reactor unit of the floating nuclear power plant (NPP) is located in a containment that is a leaktight physical barrier designed to limit the propagation of radioactivity and to localize fission products in case of a loss of coolant accident (LOCA), using emergency containment cooling systems.

The containment is designed for internal pressure typical of design basis accidents and beyond design basis accidents, taking into account the emergency temperature conditions. The design value of the containment leakage rate ensures maximum possible limitation of the emergency planning area.

The containment, along with the barge structures, is designed for design basis external impacts including a floating NPP sink.

Protection of the systems important for safety from external impacts is provided by a protective enclosure. The protective enclosure is a waterproof and gas proof structure included in a ship hull; it covers the containment and the liquid and solid radioactive waste storage, and provides additional limitation of a leakage of radioactive products to other parts of the floating power plant and to the environment, in case of a severe accident.

The containment and the radioactive waste storage are placed in a power compartment located in the middle part of the floating power unit.

A general view of the floating power module is shown in Fig. I-2.

The floating power unit (FPU) is a flat deck non-self-propelled ship with a developed multilevel superstructure. An all-welded vessel of the floating power unit has ice reinforcements and special means for hauling and shoring. Nine waterproof bulkheads rising up to the top deck divide the FPU vessel into 10 impermeable compartments.

1- REACTOR

2- STEAM GENERATOR

3- MAIN CIRCULATION PUMP

4- CPS DRIVES

5- ECCS ACCUMULATOR

6- PRESSURIZER (1st vessel)

7- PRESSURIZER (2nd vessel)

8- STEAM LINES

9- LOCALIZING VALVES

10- HX of PURIFICATION AND COOLDOWN SYSTEM

FIG. I-1. General view of the KLT-40S nuclear installation.

The floatability of the FPU is provided in case of flooding of any two adjacent compartments for all specification load cases satisfying the requirements of the Russian Marine Register.

I-2. PASSIVE SAFETY DESIGN FEATURES OF KLT-40S

Passive safety design features of the KTL-40S nuclear installation include both inherent safety features and dedicated passive (safety) systems.

The so-called self-protection of a nuclear installation is expressed in its capability to prevent the occurrence and to limit the propagation and consequences of initiating events which could lead to accidents. Self-protection is, inter alia, achieved by reliance on natural feedbacks and processes that require no operator intervention, no external power, and no assistance from emergency teams for a certain period of time which could be used by personnel to evaluate the situation and to undertake necessary corrective actions.

The self-protection of the KLT-40S is provided by the following features:

(a) Negative reactivity coefficients on fuel and coolant temperature and on specific volume of the coolant; negative reactivity coefficients on steam density and integral power;

(b) High thermal conductivity of the fuel composition defining its relatively low temperature and, correspondingly, low stored non-nuclear energy;

(c) Adequate level of natural circulation flow in the primary system;

(d) High heat capacity of the nuclear installation as a whole, resulting from high heat capacity of the primary coolant and metal structures, from the use of a ‘soft’ pressurizer system[28], and from a safety margin

provided for by the design for the depressurization pressure of the primary system under emergency pressure increase;

Compact design of the steam generating unit, with short nozzles between the main equipment items and with no large diameter primary pipelines;

The use of restriction devices in nozzles connecting the primary circuit systems to the reactor, which limits the outflow rate in case of a break; the location of the connection nozzles is selected so that they provide a fast transition to the steam outflow of the primary coolant in case of a break in the corresponding pipeline;

Favourable conditions for the realization of a ‘leak before break’ concept in application to structures of the primary circuit, provided by design;

The use of once-through steam generators, which limits the rate of heat removal via the secondary circuit in case of a steam line break accident.

The active and passive safety systems (see Fig. I-3) are incorporated in the design of the KLT-40S to carry out the following safety functions:

—Emergency shutdown of the reactor;

—Emergency heat removal from the primary circuit;

—Emergency core cooling;

—Localization of released radioactive products.

The qualitative and quantitative objectives of radiological protection of the population and the environment developed for generation III reactors, e. g., for the EPR [IV-2], are already very strict and guarantee a very high level of protection [IV-7]. They apply to a set of situations with which the plant has to cope. Such situations are defined taking into account the specific features of the plant and the design of its systems, similar to how it was done in the past. Different from past systems, the factor of system simplification is taken into account more accurately. Situations of which the consequences are potentially intolerable should be practically eliminated; if they cannot be made physically impossible, design provisions must be adopted to rule out either initiating events or potential consequences [IV-7].

The abovementioned objectives could be effectively applied to the SCOR design and, more generally, to future generation IV systems.

No further details regarding the acceptance criteria have been provided.

For high temperature gas cooled reactors (HTGRs) with pebble bed or pin-in-block tristructural-isotropic (TRISO) fuel and helium coolant, smaller reactor capacity facilitates:

— Long term passive decay heat removal from the core to the outside of the reactor vessel based on natural processes of conduction, radiation and convection, with natural convection based heat removal from the outside of the reactor vessel to an ultimate heat sink;

— Achievement of a large temperature margin between the operation limit and the safe operation limit, owing to inherent fission product confinement properties of TRISO fuel at high temperatures and fuel burnups;

— De-rating of accident scenarios rated as potentially severe in reactors of other types, including loss of coolant (LOCA), loss of flow (LOFA), and reactivity initiated accidents; for example, helium release from the core in the GT-MHR can be a safety action and not the initiating event for a potentially severe accident;

— Achievement of increased reactor self-control in anticipated transients without scram, without exceeding safe operation limits for fuel;

— Relatively high heat capacity of the reactor core and reactor internals and low core power density, resulting in slow progression of the transients.

It should be noted that, in view of currently known reactor vessel materials, an HTGR unit capacity below ~600MW(th) is a necessary condition to ensure long-term passive decay heat removal from the core as described in the first item of this listing. Therefore, all currently known concepts of HTGR with TRISO based fuel and gas coolant belong to the SMR range [2].

IRIS employs simplified passive safety systems to mitigate the effects of all postulated design basis events. Shown schematically in Fig. II-3, these systems include the following innovative features:

• Pressure suppression system (PSS): located within the containment vessel, acts to condense steam released into the small spherical steel containment due to any postulated design basis LOCA or steam/feed line break. The IRIS PSS is designed to limit containment pressure to ~1.0 MPa, or only 65% of the containment vessel design pressure. The PSS also provides an elevated source of water that is available for gravity injection into the reactor vessel through the direct vessel injection (DVI) lines in the event of a LOCA;

• Emergency heat removal system: consists of four independent subsystems, each of which has a horizontal, U-tube heat exchanger connected to one of the four IRIS SG steam lines. These heat exchangers are immersed in the refuelling water storage tank (RWST) located outside the containment structure and act
as the heat sink for emergency heat removal system (EHRS) heat exchangers. The EHRS operates on natural circulation, removing heat from the primary system via the steam generators’ heat transfer surface, transferring the heat to the RWST water and condensing the steam, and returning the condensate back to the SG via the feedwater line. Following a LOCA, the EHRS heat removal function acts to depressurize the RCS by cooling the SGs, thus condensing the steam produced by the core directly inside the reactor vessel. The EHRS is designed so that only one of the four independent subsystems is needed to remove the decay heat, thus providing a very high degree of redundancy, important for both safety and security concerns;

• Long term gravity make-up system: combined with a small RCS depressurization system and containment layout, provides gravity driven make-up water to the reactor vessel to assure that the core remains covered indefinitely following a LOCA;

• Emergency boration system (EBT): Two full emergency boration systems provide a diverse means of reactor shutdown by delivering borated water to the reactor vessel (RV) through the DVI lines. By their operation, these tanks also provide limited gravity feed make-up water to the primary system;

• Automatic depressurization system (ADS): A small ADS from the pressurizer steam space assists the EHRS in depressurizing the reactor vessel if reactor vessel coolant inventory drops below a specified level. The ADS consists of two parallel lines, each with two normally closed valves. The ADS discharges into a quench tank through a sparger. This ADS function ensures that the reactor vessel and containment pressure are equalized in a timely manner, thus limiting the loss of coolant and preventing core uncovery following a postulated LOCA even at low reactor vessel elevation;

• Specially constructed lower containment volume: collects the liquid break flow, as well as any condensate from the containment, in a cavity where the reactor vessel is located. Following a LOCA, the cavity is flooded above core level, creating a gravity head of water sufficient to provide coolant make-up to the reactor vessel through the DVI lines. This cavity also assures that the lower outside portion of the reactor vessel surface is or can be wetted following postulated core damage events;

• Safety strategy of IRIS: provides a diverse means of core shutdown through make-up of borated water from the EBT in addition to the control rods; also, the EHRS provides a means of core cooling and heat removal to the environment in the event that normally available active systems are not available. In the event of a significant loss of primary-side water inventory, the primary line of defence for IRIS is represented by the large coolant inventory in the reactor vessel and the fact that EHRS operation limits the loss of mass, thus maintaining a sufficient inventory in the primary system and guaranteeing that the core will remain covered for all postulated events. The EBT is actually capable of providing some primary system injection at high pressure, but this is not necessary, since the IRIS strategy relies on ‘maintaining’ coolant inventory, rather than ‘injecting’ make-up water. This strategy is sufficient to ensure that the core remains covered with water for an extended period of time (days and possibly weeks). Thus, IRIS does not require and does not have the high capacity, safety grade, high pressure safety injection system characteristic of typical loop reactors.

RMPS methodology

In the late 1990s, a methodology known as REPAS was developed cooperatively by ENEA, the University of Pisa, the Polytechnic of Milan, and the University of Rome in Italy which was later incorporated into the European Commission’s reliability methodology for passive systems (RMPS) project within the European Commission’s 5th framework programme [12]. The RMPS methodology is based on evaluation of the failure probability of a system to carry out its desired function for a given set of scenarios, taking into account uncertainties of physical (epistemic) and geometric (aleatoric) parameters, deviations of which can lead to a failure of the system. The RMPS approach considers a probability distribution of failure to treat variations of the comparative parameters considered in the predictions of codes.

Schematics of the RMPS are shown in Fig. 1.

The RMPS methodology has been developed to evaluate reliability of passive systems incorporating a moving fluid and using natural convection as an operation mechanism. The reliability evaluation for such systems is based, in particular, on the results of thermal-hydraulic calculations. The RMPS methodology could be structured as follows:

— Identification and quantification of the sources of uncertainties;

— Reliability evaluation of a passive system;

— Integration of passive system reliability in PSA.

The methodology is applied to a specific accident scenario in which operation of a certain passive safety system is foreseen. When the scenario to be examined is specified, the first step — identification of the system — requires full characterization of the system under investigation be carried out. This step includes specifying the goals of the system, the modes via which it may fail, and providing the definition of a system failure, or more specifically the definition of success/failure criteria. Modelling of the system is also required, which is accomplished using best-estimate computer codes. Numerous sources of uncertainties present in the modelling process have to be identified. Such sources are related to approximations in modelling of physical processes and system geometry, and uncertainties in input variables, such as initial and boundary conditions. Identifying the most important thermal-hydraulic phenomena and parameters which have to be investigated for the system is an important part of the methodology. Such identification can be accomplished via a brainstorming session of experts with a good understanding of the system functions and best estimate code calculations, and through use of a method of the relative ranking of phenomena. The ranking technique implemented in the RMPS project is the analytical hierarchy process (AHP). After identifying important thermal-hydraulic parameters, the next step is to quantify their uncertainties. When experimental data are not available, expert judgement would be required to identify the range of uncertainties and select appropriate probability density functions for a given set of variables. The methodology incorporates a sensitivity analysis, which is to determine, among all uncertain parameters, the main contributors to the risk of a system failure.

The second part of the methodology requires evaluating uncertainty in the expected performance of the passive system as predicted by the thermal-hydraulic code and according to the studied scenario. Such uncertainty evaluation could be performed using confidence intervals or probability density functions. Within RMPS studies, it has been found that methods providing an uncertainty range of system performance are not very efficient for reliability estimation. Therefore, use of a probability density function was selected as an approach to be implemented. The probability density function of system performance can be directly used for reliability estimation once a failure criterion is given. The existing methods for such quantitative reliability evaluation are generally based on Monte Carlo simulations. Monte Carlo simulations consist of drawing samples of the basic variables according to their probabilistic density functions and then feeding them into the performance function evaluated by a thermal-hydraulic code. An estimate of the probability of failure can then

be determined by dividing the number of simulations leading to a failure of the system by the total number of simulation cycles. Monte-Carlo simulations require a large number of calculations; as a consequence, the technique can be prohibitively time consuming. To avoid this problem, two approaches are possible: (i) application of variance reduction techniques used in Monte-Carlo methods, or (ii) the use of response surfaces. It is also possible to use approximate methods, such as first and second order reliability methods (FORM/ SORM).

The final part of the methodology focuses on the development of a consistent approach for quantitative reliability evaluations of passive systems, which would allow introducing such evaluations in the accident sequence of PSA. In the PSA of innovative reactor projects carried out until recently, only the failures of passive system components (valves, pipes, etc.) was taken into account and not failures of combinations of physical phenomena on which system performance is based. It is a difficult and challenging task to examine this aspect of passive system failure within PSA models, because there are no commonly accepted practices available.

Different options have been discussed within the framework of the RMPS project, but no real consensus between partners has been found. In line with the standards in place for Level 1 PSA models, the approach currently followed by the CEA and Technicatome of France is based on accident scenarios being presented in the form of static event trees. The event tree technique makes it possible to identify the whole variety of chains of accident sequences, deriving from initiating events and describing different basic events corresponding to a failure or a success of the safety systems. This method has been applied to a fictitious PWR type reactor equipped with two types of passive safety systems. The analyses of failures carried out for this reactor made it possible to characterize both technical failures (those of valves, heat exchanger pipes, etc.), and ranges of variation of uncertain parameters affecting the physical process. A simplified PSA has been performed starting from a single initiating event. The majority of sequences addressed by this event tree were analysed by deterministic evaluations, using enveloping values of the uncertain parameters. For some sequences, where definition of the enveloping cases was impossible, basic events corresponding to the failure of physical processes were added to the event tree, and quantitative reliability evaluations, based on Monte Carlo simulations and on thermal-hydraulic code analyses, were carried out to evaluate corresponding failure probability. Failure probabilities obtained by these reliability analyses were fed into the corresponding sequences. Such an approach allows for evaluation of the impact of a passive safety system on the accident scenario. In particular, for the example studied, a new design basis for the system has been proposed in order to meet in full the global safety objective assigned to the reactor.

The RMPS methodology has been applied to three types of passive safety systems, including the isolation condenser system of a boiling water (BWR) reactor, the residual heat removal system on the primary circuit of a PWR reactor, and the hydro-accumulator (HA) systems of PWR and WWER type reactors.

In RMPS applications performed by the CEA and Technicatome of France, the thermal-hydraulic passive system acts as an ultimate system in the management of an accident scenario. Under this assumption, characteristics of the current Level 1 PSA models remain adequate.

A test case using the RMPS methodology is currently underway for a CAREM like passive residual heat removal system within the ongoing IAEA coordinated research project “Natural circulation phenomena, modelling and reliability of passive systems that utilize natural convection”.

In the CAREM modules using natural convection in the primary coolant system (CAREM designs with a unit power of less than 150 MW(e)), there are no primary pumps, thus this initiating event is excluded. In higher power modules with forced circulation, natural convection is enhanced intrinsically by the integral type layout of the primary circuit.

Loss of coolant

The diameter of RPV penetrations is limited by design (there are no large diameter penetrations). Therefore, no large LOCA is possible and there is no need for a high pressure injection system. In case of a LOCA, the FSS, SSS, and RHRS are actuated and, when the pressure is decreased, the emergency injection system discharges water to keep the core covered for several days. As the CAREM design obviates active systems, in safety evaluations the secondary coolant system is not assumed to cool and depressurize the primary system. However, once it is available and when needed, it could be used as part of the accident management strategy.

The inherent response of the reactor to LOCA has been analyzed considering a FSS success and the failure of all safety systems related to core cooling. Due to a large water inventory over the core and small diameters of RPV penetrations, the core is uncovered only after several hours.

1.1. BACKGROUND

1.1.1. Rationale and developments in Member States

According to classifications adopted by the IAEA, small reactors are reactors with an equivalent electric output of less than 300 MW; medium sized reactors are reactors with an equivalent electric power of between 300 and 700 MW [1].

Small and medium sized reactors (SMRs) are not intended to benefit from economics of scale. In most cases, deployment potential of SMRs is supported by their ability to fill niches in which they address markets or market situations different from those of currently operated large-capacity nuclear power plants, e. g., situations demanding better distributed electrical supplies or a better match between capacity increments and investment capability or demand growth, or more flexible siting and greater product variety [2, 3].

It is important to note that the term small or medium sized reactor does not necessarily mean small or medium sized nuclear power plant. Like any nuclear power plants, those with SMRs can be built many at a site, or as twin units. In addition to this, innovative SMR concepts provide for power plant configurations with two, four, or more reactor modules. Units or modules can be added incrementally over time, reaping the benefits of experience, timing, and construction schedules (see Fig. 1), and creating an attractive investment profile with minimum capital at risk.

Sometimes it is perceived that SMRs are meant to address users in countries which currently either do not have a nuclear infrastructure, or which have it on a small scale, and which are contemplating either introduction or significant expansion of nuclear power for the first time. However, this is not the case — most innovative SMR designs are intended to fulfil a broad variety of applications in developed and developing countries alike, irregardless of whether they have already embarked on a nuclear power programme or are only planning to do so [1-3].

Finally, it should be emphasized that SMRs are not the only prospective nuclear option; it must be recognized that a diverse portfolio of reactors of different capacities and applications are required if nuclear power is to make a meaningful contribution to global sustainable development. The anticipated role of SMRs

within the global nuclear energy system could be to increase the availability of clean energy in usable form in all regions of the world, to broaden access to clean, affordable and diverse energy products and, in this way, to contribute to the eradication of poverty and support of a peaceful and stable world.

In 2008, more than 45 innovative[1] SMR concepts and designs were developed within national or international research and development (R&D) programmes involving Argentina, Brazil, China, Croatia, France, India, Indonesia, Italy, Japan, the Republic of Korea, Lithuania, Morocco, the Russian Federation, South Africa, Turkey, the USA, and Vietnam [2, 3].

Innovative SMRs are being developed for all principal reactor lines and some non-conventional combinations thereof. The target dates of readiness for deployment range from 2010 to 2030.

Strong reliance on inherent and passive safety design features has become a trademark of many advanced reactor designs, including several evolutionary designs [4] and nearly all innovative SMR designs [2, 3]. Reactors with smaller unit output require adequate defence in depth to benefit from more units being clustered on a site or to allow more proximity to the user, specifically when non-electrical energy products are targeted and the user is a process heat application facility such as a chemical plant.

This report is intended to present state of the art design approaches with the aim to achieve defence in depth in SMRs. Preparation of this report is supported by IAEA General Conference resolution GC(51)/14/B2(k) of September 2007.

The KLT-40S nuclear installation incorporates the following active safety systems:

—System of reactor shutdown with shim control rod insertion in the electromotive mode;

—System of emergency reactor cooldown through the steam generator with steam dumping to a process condenser;

—System of emergency reactor cooldown through the heat exchanger of the purification and cooldown system;

—System of emergency water supply from the emergency core cooling system (ECCS) pumps and the recirculation pumps;

—Filtration system for releases from the protective enclosure.