Tables IV-4 to IV-8 below provide the designer’s response to questionnaires developed at the IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [IV-5] and other IAEA publications [IV-6, IV-8]. The information presented in Tables IV-4 to IV-8 provided a basis for the conclusions and recommendations of the main part of this report.

TABLE IV-4. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE SCOR DESIGN

TABLE IV-6. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA)

TABLE IV-7. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENCE IN DEPTH LEVELS

Category: A-D
(for passive systems only),
according to

IAEA-TECDOC-626 [IV-8]

Relevant DID level,
according to NS-R-1 [IV-5]
and INSAG-10 [IV-6]

Hydrogen combustion — A

TABLE IV-8. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

REFERENCES TO ANNEX IV

[IV-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[IV-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Reactor Designs 2004, IAEA-TECDOC-1391, IAEA, Vienna (2004).

[IV-3] EMIN, M. MP98, New passive control rod system for a full and extended reactivity control on LWR, paper 3163, ICAPP’03, Cordoba (2003).

[IV-4] PAPIN, B., QUELLIEN P., The operational complexity index: A new method for the global assessment of the human factor impact on the safety of advanced reactors concepts, Nucl. Eng. Des. 236 (2006) 1113-1121.

[IV-5] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[IV-6] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[IV-7] Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors, GPR/German experts, (19th and 26th October, 2000), Germany (2000).

[IV-8] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

Annex V

For both sodium cooled and lead cooled fast reactors, smaller unit capacity could facilitate:

— Effective use of auxiliary passive decay heat removal systems with environmental air in natural draught acting as an ultimate heat sink;

— Achievement of a relatively high heat capacity of the primary (or primary and adjacent intermediate) coolant system at its reasonable size, resulting in a slower progression of transients.

Specifically for sodium cooled fast reactors, smaller reactor capacity could facilitate achieving a negative whole core void coefficient of reactivity to prevent the progression of design basis accidents into severe incidents, otherwise possible at a start of sodium boiling.

Specifically for lead cooled fast reactors, smaller reactor capacity could facilitate simplified seismic protection and improved seismic response [2].

The IRIS containment is inerted with nitrogen gas during operation so that the control of hydrogen concentration following postulated events and severe accident scenarios cannot cause containment pressurization due to hydrogen burn.

The IRIS is designed to provide in-vessel retention of core debris following severe accidents by assuring that the vessel is depressurized, and by cooling the outside vessel surface. The reactor vessel is cooled by containing the lower part of the vessel within a cavity that always will be flooded following any event that jeopardizes core cooling. Also, like in AP1000 [II-1], the vessel is covered with stand-off insulation, which forms an annular flow path between the insulation and the vessel outer surface. Following an accident, water from the flooded cavity fills the annular space and submerges and cools the bottom head and lower sidewalls of the vessel. A natural circulation flow path is established, with heated water and steam flowing upwards along the vessel surface, and single phase water returning downward along the outside of the vessel insulation, to the bottom of the flood-up cavity. AP1000 testing has demonstrated that this natural circulation flow is sufficient to prevent corium melt-through. Application of AP1000 conditions to the IRIS is conservative, due to the IRIS having a

much lower core power to vessel surface ratio. The design features of the containment ensure flooding of the vessel cavity region during accidents and submerging of the reactor vessel lower head in water, since the liquid effluent released through the break during a LOCA event is directed to the reactor cavity. The IRIS design also includes a provision for draining part of the water present in the PSS water tanks directly into the reactor cavity.

A diverse, passive containment cooling system is employed as part of the severe accidents management strategy, to significantly reduce the chance of containment failure.

A different approach is the ‘APSRA’ methodology, developed at the Bhabha Atomic Research Centre (BARC) of India [13]. In this approach, the failure surface[26] is generated by considering the deviation of all those comparative parameters which influence system performance.

Schematics of the APSRA methodology are shown in Fig. 2.3.

Like the RMPS methodology described above, the APSRA methodology developed in BARC, India, is primarily intended to analyse reliability of passive systems employing natural convection. The smallness of the driving head means a natural convection based system is susceptible to deviation from the performance of an intended function by a small change in key parameters. Because of this, there has been growing concern about the reliability of natural convection based systems.

The methodology named assessment of passive system reliability (APSRA) starts with selection of the system, followed by the understanding of its operational mechanism. Using simple computer codes, key parameters causing functional failure of the system are identified. Failure criteria are determined. Best estimate codes, such as RELAP5, etc., are then used to determine key parameter ranges, a deviation from which may cause system failure. These ranges of parameters are then fine tuned based on data generated in test facilities. This is done by performing uncertainty analysis for predictions of a best estimate code using in-house experimental data obtained in integral and separate effect test facilities.

190 180 170 160 150 140 130 120 110 100

0

40

55

FIG.2. Flowchart of the APSRA methodology (left) and typical failure surface for natural circulation (right).

In the next step, the possible causes of deviation of these parameters are revealed through root diagnosis. It is assumed that the deviation of such physical parameters occurs only due to a failure of mechanical components, such as valves, control systems, etc. The probability of system failure is evaluated based on the failure probability of these mechanical components, through a classical PSA treatment.

To demonstrate the methodology in a test case, it has been applied to the main heat transport system of the AHWR reactor, described in Annex VI of this report. This system employs a boiling (two-phase) light water coolant in natural circulation. To find code uncertainties, code predictions were compared with data generated from experimental natural circulation facilities, and uncertainties were evaluated from the error distribution between code predictions and test data. The facilities mentioned for generation of the required experimental data were the integral test facility ITL, the high pressure natural circulation loop HPNCL, and the flow pattern transition instability loop FPTIL [13].

The effects of variation of key parameters on system performance were evaluated, and a multi-dimensional failure surface was generated. The probability of the system to reach the failure surface was elaborated using generic data for the failure of components.

The APSRA methodology is being applied to other passive systems of the AHWR, such as the decay heat removal system using isolation condensers, a passive containment cooling system, a passive containment isolation system, etc.

This accident is mitigated by isolating the group of steam generators affected via closing their steam and feedwater lines. The secondary side of the steam generators then reaches thermal equilibrium with the primary circuit, with the pressure also being equalized. Eventually, the reactor could continue its operation at reduced power.

Steam line break

Sudden depressurization of the secondary side of the steam generators increases heat removal from the primary system, resulting in a consequent core overpower. Reactor shutdown (FSS and SSS) and the residual heat removal system are actuated, and the reactor then reaches a safe state. In the case of a hypothetical failure of both shutdown systems, reactor overpower does not compromise critical safety values (DNBR and CPR) because the total primary heat removal by the steam generators is intrinsically limited by the reduced tube-side water inventory.

NPP blackout

This is an event with a major contribution to core meltdown probability in a conventional light water reactor. In CAREM, extinction and cooling of the core and decay heat removal are secured without external electric power, by the passive safety systems. Loss of electric power causes the interruption of feedwater supply to the hydraulically driven CRDs and results in the insertion of absorbing elements into the core. Nevertheless,

Effective Dose (Sv)

FIG. III-4. Acceptance criterion for BDBA.

in the case of a failure of the first and the second shutdown systems (both passive), feedback coefficients cause a self-shutdown of the fission chain reaction without compromising safety related variables. The decay heat is then removed by the RHRS with an autonomy of several days.

Direct predecessors of this report are: IAEA-TECDOC-1485, entitled Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes [2], published in March 2006, and IAEA-TECDOC-1536, Status of Innovative Small Reactor Designs Without On-Site Refuelling [3], published in January 2007. These reports presented the design and technology development status and design descriptions for concepts of innovative SMRs developed worldwide. Design descriptions of SMRs in these reports incorporated descriptions of safety concepts prepared according to a common outline. However, these descriptions were rather limited in detail because of limited space in the reports, which were also dedicated to the presentation of other aspects of innovative SMRs, including descriptions of design, economics, proliferation resistance and security, fuel cycle options, and innovative infrastructure provisions. More importantly, descriptions of SMR safety design concepts in these reports were not always structured according IAEA safety standard recommendations, specifically regarding defence in depth strategies

Another predecessor of this report is IAEA-TECDOC-1487, Advanced Nuclear Plant Design Options to Cope with External Events [5, 6], published in February 2006, which provided structured descriptions and explanations of the design features of 14 advanced nuclear power plants incorporating protection against the impacts of natural and human induced external events. The designs considered in that report included several SMRs.

The present report, therefore, provides an in-depth description of safety design features used to achieve defence in depth in 11 innovative SMR concepts selected to represent all major reactor lines with near to medium and longer term deployment potential. These descriptions are structured to follow the definitions and recommendations of IAEA safety standard NS-R-1, Safety of the Nuclear Power Plants: Design Requirements [7] and include some references to other IAEA safety guides and documents, including NS-G-3.3, Evaluation of Seismic Hazard for Nuclear Power Plants [8], and NS-G-1.5, External Events Excluding Earthquakes in the Design of Nuclear Power Plants [9], as well as recommendations by the International Nuclear Safety Advisory Group [10 11], and non-consensus definitions suggested in IAEA publications [5, 12]. The basic definitions recommended or suggested in the above mentioned IAEA publications are reproduced in Appendix 2 of this report.

In September 2007, the IAEA published IAEA-TECDOC-1570, Proposal for a Technology-Neutral Safety Approach for New Reactor Designs [13]. Based on a critical review of IAEA safety standard NS-R-1,

Safety of the Nuclear Power Plants: Design Requirements [7], IAEA-TECDOC-1570 outlines a methodology/ process to develop a new framework for the safety approach based on quantitative safety goals (a probability — consequences curve correlated with each level of defence in depth), fundamental safety functions, and generalized defence in depth, which includes probabilistic considerations. Further elaboration of IAEA safety standards suggested in reference [13] could facilitate expansion of design development and safety qualifications of several medium and longer term SMRs addressed in the present report, thus recommendations in this publication are referenced in Section 3, which highlights design features of selected SMRs. Limited information provided by Member States for this report made it impossible to consider in full the recommendations of IAEA safety standards and guides. Where possible, references to other recently published IAEA reports are included, when such recommendations may be considered in more detail; see Ref. [6].

The KLT-40S nuclear installation incorporates the following passive safety systems:

—System of reactor shutdown with insertion of control rods into the core under the force of springs (scram rods) or gravity (shim control rods), when holdup electromagnets from the control rod drives are de­energized;

—Passive system of emergency reactor cooldown through the steam generator;

—System of emergency water supply from the ECCS hydro-accumulators;

—Containment and stop valves, normally in a closed position, located at the auxiliary systems of the primary circuit and adjacent systems;

—Passive system of external cooldown of the reactor vessel;

—Self-actuated devices for startup of the safety systems;

—Emergency containment cooling system;

—Protective enclosure.

Passive safety systems operate with natural circulation of the coolant or use the energy of a compressed gas.

9-

ACTIVE EHRS;

10- PASSIVE EHRS;

11- CONTAINMENT BUBBLING SYSTEM;

12- REACTOR

ECCS — emergency core cooling system RVCS — reactor vessel cooling system
EHRS — emergency heat removal system

FIG. I-3. Safety systems of KLT-40S.

The emergency heat removal system (EHRS) is intended to remove residual heat from the reactor in beyond design basis accidents involving NPP blackout and failure of active channels. The system includes two channels, consisting of two heat exchange loops each. The capacity of a single EHRS loop (~1% of nominal reactor power) is sufficient to ensure reliable reactor cooldown and to maintain reactor pressure within design limits.

Residual heat is removed by natural convection of coolant in the primary and intermediate circuits and by the evaporation of water from the tank where heat exchanger-condensers (HXC) are located. Water reserve in EHRS tanks ensures heat removal from the reactor over 24 hours.

The prototypes of a passive EHRS are cooling systems used in propulsion reactors. The effectiveness of such systems has been confirmed both by experiments at test facilities and by tests at operating plants.

The majority of KLT-40S safety systems employ a two channel scheme with internal reservation of active elements such as valves and pumps. Using a two channel scheme for safety systems within the specific conditions of a floating structure (where it is necessary to save on space and equipment weight compared to land based NPPs) allows for a reduction in the amount of bulky equipment required, such as tanks and heat exchangers.

Elements of both active and passive safety systems belong to the second safety class, according to the top level Russian regulation OPB-88/97.

The requirements for manufacturing technologies of devices and equipment for active and passive safety systems correspond to regulatory requirements in the nuclear energy area.

For floating NPPs, specific regulations have been developed and adopted in the Russian Federation, in particular, “The rules of arrangement and safe operation of the equipment and items for light water reactors of the floating nuclear power plants (NP-062-05)”.

The University of Rome ‘La Sapienza’
Italy

V — 1. DESCRIPTION OF THE MARS DESIGN

The Multipurpose Advanced Reactor, inherently Safe (MARS) is a 600 MW(th), single loop, pressurized light water reactor (PWR); its design was developed at the Department of Nuclear Engineering and Energy Conversion of the University of Rome “La Sapienza”. The design was conceived in 1984 as a nuclear power plant able to conciliate well proven PWR nuclear technology with special safety features intended to facilitate plant location in the immediate proximity of highly populated areas in fast growing countries, to meet their energy and potable water needs. The plant has to guarantee a high and easily understandable safety level, has to be inexpensive and easy to build, operate, maintain and, eventually, repair; and has to ensure low production of radioactive wastes. The objective of the design effort was to find those (suitably supported by tests) plant solutions that could keep the features of a ‘traditional’ PWR in an essentially simplified design. A detailed description of the MARS design is presented in [V-1].

The core cooling system includes only one loop with a recirculation type steam generator. During normal operation, forced circulation of the primary coolant is applied, based on the use of a pump while, in emergency conditions, the necessary coolant flow rate in the core is maintained by an independent cooling system, which transfers heat to the external atmosphere through natural convection and relies only on static components and on one non-static, direct action component (a check valve, 400% redundant).

The MARS reactor module is enclosed in a pressurized containment filled with cold water; the complete nuclear power plant (NPP) also incorporates a containment building needed to cope with external events (such as aircraft crash) in accordance with Italian and European regulations. The containment building is able to withstand any internal pressurization, also in the hypothetical event of complete destruction of the core coolant boundary.

Loss of coolant accidents (LOCAs), loss of flow accidents (LOFAs), and anticipated transients without scram (ATWSs) are eliminated in the MARS concept by design, which is intended to make the plant reliable, safe, and easy to operate. With major accidents being eliminated, the plant incorporates a substantially reduced number of safety related structures, systems, and components, and provides for maximum possible pre­fabrication and easy assembly/disassembly, particularly by allowing easy component substitution in the case of a failure or consumption, instead of requiring a local repair.

Major design specifications of the MARS are shown in Table V-1. The reactor cooling system and some of its components are shown in Fig. V-1, V-2 and V-3.

Some features of the MARS concept are similar to well known features of standard PWRs (loop type primary circuit design, similar core geometry and materials, similar means of reactor control, etc.) [V-1, V-2]. For example, the core is cooled and moderated by pressurized light water containing a boron solution. Boron and burnable poisons compensate for excess reactivity during the irradiation cycle[49].

Different from many other PWR designs, the MARS primary coolant system includes only one loop with 25 inch internal diameter pipes, one vertical axis U-tube type steam generator, and one canned rotor pump connected to the steam generator outlet nozzle (see Fig. V-1).

The safety core cooling system (SCCS) is connected to the reactor vessel. A vapour-bubble type pressurizer controls the pressure inside the primary coolant system.

On/off valves in the primary loop main isolation system (MIS) are installed in the primary cooling loop to isolate, if necessary, the steam generator and the primary pump (i. e., in the event of a steam generator tube rupture).

TABLE V-1. MAJOR SPECIFICATIONS OF MARS NPP [V-1]

Characteristic Value

Power rating

Reactor rated thermal power, MW 600

Rated electric power (one module), MW 150

Rated electric power (suggested cluster of 3 modules), MW 450

Suggested rated electric power in cogeneration configuration 300

(electricity + desalinated water/district heating)

Core average volumetric power density (kW/litre) 56.5

Thermal-hydraulic characteristics

Primary coolant flow rate (forced flow) (kg/s) 3327

Operating pressure, bar 75

Total RCS internal volume (m3) 130

Pressurizer heaters power (kW) 800

Steam flow rate (kg/s) 277

SG steam pressure (bar) 18.8

Temperatures (°C)

Reactor vessel outlet 254

Reactor vessel inlet 214

Steam generator steam outlet 209

Steam generator feedwater inlet 150

Reactor vessel data

Internal diameter of the shell, mm 3000

Internal design pressure, bar 83

Length of the cylindrical shell, mm 8056

Upper head thickness, mm 80

Bottom head thickness, mm 80

Overall length of the assembled vessel, mm 11 091

Shell thickness, mm 120

Total weight (approximate; dry), kg 88 000

FIG. V-1. Reactor cooling system (RCS) and main auxiliaries [V-1].

When any of the four check valves is opened, after a short transient phase, flow in the PSC is assured by a difference in level of about 7 m between the vessel outlet nozzle and the primary heat exchanger and by the difference between vessel inlet and outlet temperatures. A horizontal axis, U-tube type heat exchanger transfers heat from the PSC to the ISC.

Pressure in the ISC loop is slightly higher than 75 bar (thanks to a dedicated pressurizer); this value guarantees sub-cooled water conditions of the fluid during any accidental situation or transient; the difference in level for natural circulation in the ISC loop is about 10 m. The second heat exchanger transfers heat from the ISC circuit to the water of a reservoir; see Fig. V-3.

Steam produced in the reservoir is mixed with air initially present in the dome over the pool; pressure in the dome rises and this causes a flow of the air-steam mixture towards a small connection path with the atmosphere. An inclined tube heat exchanger is placed between the pool dome and the connection path to the atmosphere, where steam is partially condensed due to passive draught of external air, drawn by a chimney.

The above listed design features introduced some constraints to plant design. In particular, with the selected safety core cooling system (SCCS) and its functional requirements, reactor thermal power cannot exceed approximately 1000 MW(th). The MARS design version described in this paper has a thermal output of about 600 MW(th). Another characterizing parameter is primary system pressure. It was selected to equal 75 bar, which is different from the pressure values typical of standard PWRs (150-170 bar) [V-2]. Such selection leads to a loss in the thermodynamic efficiency of the plant because of the resulting limitation of a higher isotherm in the steam cycle. At the same time, it allows for adoption of a pressurized primary containment for protection of the primary loop (CPP, the pressurized boundary that envelopes the primary coolant system and

emergency core cooling system, see Fig. V-2), substantially eliminating the possibility of LOCA of any type and of a control rod ejection.

Inclusion of the primary coolant system (with an average operating temperature of 234°C) inside the low enthalpy water filled pressurized containment (CPP, at a temperature of 70°C) requires thermal insulation to reduce heat losses from the primary coolant system. An insulating system has been designed on the external side of the primary coolant boundary, with only the lower head of the reactor vessel being thermally insulated in the internal part through the use of matrices of stainless steel wiring that cause the presence of semi-stagnant water which resists high pressure and fast pressure gradients with acceptable flow shape modifications. This system limits heat losses to about 0.3% of the reactor’s thermal power.

It should be noted that the special design of the passive emergency decay heat removal system (SCCS) avoids thermal stratifications of any type, contributing to increased reliability of this system.

The only non-conventional reactor concept considered in this report, the Compact High Temperature Reactor (CHTR) of BARC (India), is based on a synthesis of the technology of 233U-Th HTGR type pin-in­block fuel and that of a lead-bismuth coolant; see Annex X. The CHTR is a very high temperature reactor concept. Smaller reactor capacity facilitates:

— Passive heat removal from the core in normal operation, with no main circulation pumps being employed; as well as passive and passively actuated heat removal from the core during and after accidents, including those based on the use of heat pipe systems;

— Relatively high heat capacity of the ceramic core, resulting in slow temperature transients, at a reasonable reactor size;

— Prevention of the consequences of transient overpower events;

— Passive power regulation and increased reactor self-control in transients without scram.

Some major highlights of the passive safety design features in the IRIS design, structured in accordance with the various levels of defence in depth [II-6, II-7], are shown below.

Level 1: Prevention of abnormal operation and failure

The IRIS safety-by-design™ systematic approach is the basis for effective Level 1 prevention of many initiating events; correspondence between design features and initiating events prevented is the following:

(A) Integral design of primary circuit with no large diameter piping:

• Elimination of large break LOCAs;

• Elimination of loss of seal (head, pump) LOCAs;

• Elimination of control rod ejection accidents;

• Elimination of concerns related to high pressure safety injection (HPSI) systems;

(B) Increased natural circulation due to large, tall vessel:

• Reduced severity of loss of flow (LOFA) accidents;

(C) Large thermal inertia due to increased water inventory:

• Prevention of core uncovery in small and medium break LOCAs;

• Reduced requirements for heat removal systems;

• Reduced concerns related to loss of feedwater;

(D) Other specific design solutions:

• Elimination of the possibility of a reactor coolant pump shaft break.

Level 2: Control of abnormal operation and detection of failure

IRIS will use state of the art plant control and protection systems to monitor and control plant operations; it will also incorporate advanced diagnostics/prognostics systems. The contribution of passive systems at this level would be as follows:

• Slower progression of a loss of heat sink accident (LOHS) due to large thermal inertia.

Level 3: Control of accidents within the design basis

Level 3 safety functions are contributed to by the following passive safety features/systems:

(A) Passive emergency heat removal system (EHRS):

• Control of LOHS;

(B) Increased natural circulation due to large, tall vessel:

• Control of loss of flow accidents (LOFA);

(C) Steam generator system designed for full primary pressure:

• Significantly reduced severity and simple mitigation of steam generator tube rupture (SGTR) accident.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The following passive safety features/systems of IRIS contribute to achieving the objective at this DID

level: [40]

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

Level 5 safety functions are contributed to by the following passive safety features/systems:

(A) Small fuel inventory:

• Reduced radioactivity release;

(B) High design pressure containment plus pressure suppression system plus reduced core power density plus increased thermal inertia:

• Slower progression of accidents and increased retention of fission products;

• Low leakage rate containment;

• Deposition of radionuclides in auxiliary building.