Category Archives: DESIGN FEATURES TO ACHIEVE DEFENCE IN DEPTH IN SMALL AND MEDIUM SIZED REACTORS

Common issues and recommended further R&D

FIG. 3. APSRA methodology: programme flowchart for benchmarking of the failure surface based on experimental data.

The approaches presented in short in the previous section were discussed by their proponents and other experts at a dedicated IAEA technical meeting, convened on 12-16 June 2006 in Vienna (Austria) with experts from interested Member States and international organizations — Argentina, Brazil, China, France, India, Italy, Japan, the Russian Federation, the USA, and the European Commission as an observer. In the conclusions to this meeting, it was noted that the APSRA and the RMPS methodologies are complementary in the following:

• APSRA incorporates an important effort to qualify the model and use available experimental data. These aspects have not been studied in the RMPS, given the context of the RMPS project;

• APSRA includes, within the PSA model, failure of those components which cause a deviation of key parameters resulting in a system failure, but does not take into account the fact that the probability of success of a physical process could be different from unity;

• RMPS proposes to take into account, within the PSA model, failure of a physical process. It is possible to treat such data, e.g., the best estimate code plus the uncertainty approach is suitable for this purpose;

• In fact, two different philosophies or approaches have been used in the RMPS and in the APSRA and the two developed methodologies are, therefore, different. At the same time, proponents of the RMPS conclude that certain parts of the APSRA and the RMPS could be merged in order to obtain a more complete methodology.

During the IAEA technical meeting mentioned above — and after it — several other distinct approaches for reliability assessment of passive safety system performance were noted [14, 15], and the consensus was that a common analysis and test based approach would be helpful to the design and qualification of future advanced nuclear reactors. The inclusion of tests appears to be a must for new designs of passive systems and, especially, when non-water-cooled reactors are considered, for which validated codes and sufficient data for validation of the codes might be a priori not available. The approach itself is expected to streamline and speed up the process, and improve the quality of validation and testing of passive safety system performance.

Reflecting on these developments in Member States, the IAEA is implementing a CRP on Development of Methodologies for the Assessment of Passive Safety System Performance in Advanced Reactors in 2008-2012. The objective is to determine a common method for reliability assessment of passive safety system performance. Such a method would facilitate application of risk informed approaches in design optimization and safety qualification of future advanced reactors, contributing to their enhanced safety levels and improved economics.

In addition to the above discussed topics, it will likely be necessary to confirm that over a plant’s lifetime passive safety systems retain the capability to perform safety functions as designed. As it has already been mentioned, such confirmation would be facilitated if possible ageing effects on passive safety systems are considered in plant design and if passive safety systems are designed with a provision for easy in-service inspection, testing, and maintenance. In addition to this, new approaches might be needed to perform this confirmation, different from those used with active safety systems. One possible approach to deal with this issue is outlined in a short paper contributed by D. C. Wade of the Argonne National Laboratory (USA), enclosed as Appendix II.

REFERENCES TO APPENDIX I

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Innovative Small and Medium Sized Reactors: Design Features, Safety Approaches and R&D Trends, IAEA-TECDOC-1451, IAEA, Vienna (2005).

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, IAEA, Vienna (2007).

[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Reactor Designs, IAEA-TECDOC-1391, IAEA, Vienna (2004).

[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Natural Circulation in Water Cooled Nuclear Power Plants. Phenomena, Models and Methodology for System Reliability Assessments, IAEA-TECDOC-1474, IAEA, Vienna (2005).

[8] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME RA-S-2002, ASME, New York (2002).

[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level-1 PSA for Nuclear Power Plants, IAEA, Vienna (2007).

[10] INTERNATIONAL ATOMIC ENERGY AGENCY, Proposal for a Technology-Neutral Safety Approach for New Reactor Designs, IAEA-TECDOC-1570, IAEA, Vienna (2007).

[11] GENERATION-IV INTERNATIONAL FORUM, A technology roadmap for Generation-IV Nuclear Energy Systems, US Department of Energy, Nuclear Energy Research Advisory Committee, Washington, DC (2002).

[12] MARQUES, M. et al., Methodology for the reliability evaluation of a passive system and its integration into a Probabilistic Safety Assessment, Nucl. Eng. Des. 235 (2005) 2612-2631.

[13] NAYAK, A. K., et al., “Reliability analysis of a boiling two-phase natural circulation system using the APSRA methodology”, paper 7074. Proc. ICAPP’07, Nice, France, 13-18.

[14] DELANEY, M. J., APOSTOLAKIS, G. E., DRISCOLL, M. J., Risk Informed Design Guidance for Future Reactor Systems, Nucl. Eng. Des. 235 (2005) 1537-1556.

[15] BURGAZZI, L., State of the Art in Reliability of Thermal-Hydraulic Passive Systems, Reliab. Eng. Sys. Saf. 92 (2007) 671-675.

Beyond design basis accidents (BDBA) and acceptance criteria

To fulfil Argentina’s regulations, a set of accidental sequences associated with potential exposure of the personnel and population has been identified. The annual probability of occurrence of each identified sequence is calculated using event trees and fault trees. Failure analysis systematically covers all failures and accidental sequences that can be foreseen, including combinations of failures. In these analyses, an assumption is being made that safety functions are not operable.

The dose to the critical group that would result from the release and dispersion of radioactive nuclides is calculated using accepted methods. Meteorological conditions and their probabilities are being considered. No credit is taken for any countermeasure, such as evacuation.

According to Argentina’s regulations, no accidental sequence with radiological consequences for the public shall have an annual probability of occurrence that, when plotted against the calculated effective dose, results in a point located in the unacceptable region shown in Fig. III-4 [III-7].

If the number N of accidental sequences is greater than 10, the allowed annual probability shall be divided by N/10, in order to keep the overall risk below $10^{-6}$ per reactor per year.

III-5. PROVISIONS FOR SAFETY UNDER EXTERNAL EVENTS

The safety design features of CAREM intended to cope with external events and external/internal event combinations are described in detail in [III-8].

Seismic considerations for the CAREM have been developed at the basic engineering level, with the objective of achieving an enveloping design that could qualify for a variety of possible siting conditions.

The philosophy and terminology of the Argentine regulations have been adopted for seismic design. The applicable regulation is AR 3.10.1 “Protection contra terremotos en reactores nucleares de potencia” [III-9]. This norm defines two seismic levels for design purposes:

(1) ‘Severe earthquake’, similar to the safe shutdown earthquake defined by the US NRC and to the L-S2 earthquake level of the IAEA guides [III-10];

(2) ‘Probable earthquake’, similar to the operating basis earthquake defined by the US NRC and to the L-S1 earthquake level of the IAEA guides.

As the targeted sites are located in a moderate seismic zone, the effective peak ground acceleration (PGA) of a severe earthquake was defined as 0.4g.

The IAEA Safety Standards and Guides regarding seismic design have been adopted [III-10]. Combinations with internal events are also considered. For example, a combination of DBA (LOCA with the break of a primary pipe of maximum diameter) with NPP blackout and probable earthquake is considered in the CAREM design.

OBJECTIVE

This report is intended for different categories of stakeholders, including designers and potential users of innovative SMRs, as well as officers in ministries of atomic energy commissions in Member States responsible for implementing nuclear power development programmes or evaluating nuclear power deployment options in the near, medium, and longer term.

The overall objectives of this report are:

(1) To assist developers of innovative SMRs in defining consistent defence in depth approaches regarding the elimination of accident initiators/prevention of accident consequences through design and the incorporation of inherent and passive safety features and passive systems in safety design concepts of such reactors;

(2) To assist potential users of innovative SMRs in their evaluation of the overall technical potential of SMRs with inherent and passive safety design features, including their possible implications in areas other than safety.

The specific objectives of this report are:

— To present the state of the art in design approaches used to achieve defence in depth in pressurized water reactors, pressurized light water cooled heavy water moderated reactors, high temperature gas cooled reactors, sodium cooled and lead cooled fast reactors, and non-conventional designs within the SMR range;

— To highlight benefits and negative impacts in areas other than safety arising from the implementation of inherent and passive safety design features;

— To identify issues of performance reliability assessment for passive safety systems in advanced reactors, and to highlight further research and development needs arising therefrom.

Designers of SMRs not considered in the present report (currently a minimum of 45 innovative SMR concepts and designs are being analysed or developed worldwide [2, 3]) could benefit from the information published here, which is structured to follow the definitions and recommendations established in IAEA safety standards or suggested in other IAEA publications. It should be noted that IAEA safety standards are used as the base for national nuclear regulations in many developing countries, and that this trend will likely continue into the future.

The information presented in this report could be used in assessment studies for innovative nuclear energy systems (INSs) involving SMRs, as conducted by the IAEA’s International Project on Innovative Reactors and Nuclear Fuel Cycles (INPRO) [14].

Part of this report is elaborated upon through participation of research teams in Member States involved in the development of methodologies for reliability assessments of passive safety systems in advanced reactors. This part (see Appendix I) provides justification for the coordinated research project on Development of Methodologies for the Assessment of Passive Safety System Performance in Advanced Reactors, which is being implemented by the IAEA in its programme during the 2008-2009 budget cycle.

I-3. ROLE OF PASSIVE SAFETY DESIGN FEATURES IN DEFENCE IN DEPTH

Safety of small sized heat and power plants with KLT-40S reactors is ensured by the incorporated defence in depth strategy. It includes a plan for accident prevention and mitigation, and envisages the use of a system of physical barriers on the possible pathways of propagation of the ionizing radiation and radioactive materials to the environment. The incorporated defence in depth strategy also provides for the use of a system of technical and organizational arrangements to protect the barriers and retain their effectiveness, and includes measures for protection of the personnel, population and environment.

The structure of the defence in depth system is based on the recommendations of IAEA [I-2, I-3], providing for the following levels:

Level 1 — Prevention of abnormal operation and failure;

Level 2 — Control of abnormal operation and detection of failure;

Level 3 — Control of accidents within the design basis;

Level 4 — Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents;

Level 5 — Mitigation of radiological consequences of significant release of radioactive materials.

The role of inherent and passive safety features and of active and passive safety systems of the KLT-40S nuclear installation at certain levels of defence in depth is highlighted in brief below.

Level 1: Prevention of abnormal operation and failure

Inherent safety features contributing to this level are the following:

— Negative reactivity coefficients on fuel and coolant temperature and on specific volume of the coolant; negative reactivity coefficients on steam density and integral power in the whole range of reactor operation parameters;

— High thermal conductivity of fuel composition defining its relatively low temperature and, correspondingly, low stored non-nuclear energy;

— The use of compact modular design of the steam generating unit with short nozzles between the main equipment, and with no long or large diameter primary pipelines;

— The use of flow restriction devices to exclude large and medium break loss of coolant accidents (LOCAs), by design;

— Ultimately leaktight design of the primary circuit based on welded joints, packless canned pumps, and leaktight bellows sealed valves;

— Favourable conditions for the realization of a ‘leak before break’ concept in application to structures of the primary circuit, provided by design;

— The use of a gas pressurizer system that excludes failures of the electric pressurizer heaters;

— The use of a steam generator with lower pressure inside the tubes in normal operation mode, which reduces the probability of a steam generator tube rupture (SGTR) accident.

Level 2: Control of abnormal operation and detection of failure

The Level 2 contribution comes from active systems for the control, mitigation, protection and diagnostics used in the KLT-40S nuclear installation.

Level 3: Control of accidents within the design basis

The Level 3 contribution comes from the following inherent and passive safety features, provided by design:

— Limitation of an uncontrolled movement of the control rods (e.g., due to external impact loads or a break of the control and protection system (CPS) drive casing) by an overrunning clutch, or by movement limiters for an accident with the CPS drive bar break;

— The use of once-through steam generators, which limit the rate of heat removal via the secondary circuit in case of a steam line break accident;

— High heat capacity of the nuclear installation as a whole, resulting from high heat capacity of the primary coolant and metal structures, from the use of a ‘soft’ pressurizer system, and from a safety margin provided by design for the depressurization of the primary system under emergency pressure increase;

— Installation of restriction devices in the pipelines of the primary circuit systems and connection of these pipelines to the ‘hot’ part of the reactor.

Also for Level 3, the following passive safety systems of the KLT-40S provide a contribution:

— Insertion of scram control rods into the core by the force of accelerating springs;

— Insertion of shim control rods into the core by the force of gravity;

— The use of a passive emergency heat removal system (EHRS), using natural convection of coolant in all circuits and evaporation of water in the storage tanks;

— The level of natural convection flow in the primary circuit is adequate for core cooling in the case of all MCPs being switched off;

— The use of self-actuating devices in emergency reactor shutdown system and in the EHRS.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The contribution for Level 4 comes from the following inherent and passive safety features, provided by design:

— The protective enclosure.

Also for Level 4, the following passive safety systems of the KLT-40S provide a contribution:

— The ESSC hydro-accumulators, which ensure a time margin for accident management in case of a failure of the active ECCS systems;

— Passive system of reactor vessel bottom cooling, which ensures in-vessel retention of core melt;

— Passive containment cooling system, provided to reduce containment pressure and limit radioactive release.

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The mitigation of radiological consequences in the case of a significant release of radioactive materials is assumed to be provided for mainly through administrative measures.

PASSIVE SAFETY DESIGN FEATURES OF MARS

Inherent safety features of the MARS design are the following:

• The same set of inherent safety features that are typical of conventional PWRs (negative reactivity coefficients in all power and coolant temperature ranges; all nuclear components of the reactor core are safety grade; etc.) [V-1, V-2];

• The primary coolant system and all components of the emergency core cooling system (SCCS) are located inside a pressurized primary containment which is filled with water at the same pressure as the primary coolant, but at a lower temperature (70°C). This pressurised containment, called CPP (pressurized containment for primary loop protection, see Fig. V-2), allows for a substantial reduction (up to total elimination) of primary stresses on the primary coolant boundary and provides for an intrinsic protection from coolant loss; the CPP does not need to be safety grade;

• Complete hydraulic isolation of the primary coolant within the primary coolant pressure boundary during most of the operation time (coolant outflow and inflow for purification purposes operate only periodically, over short periods); hydraulic connections to the primary coolant boundary are safety grade;

• Low maximum fuel temperature, which is due to coolant temperature being lower than 250°C, relatively low core power density, and elimination of fast fuel enthalpy increase accidents (due to the elimination of control rod ejection accidents). Altogether, this provides for substantially increased margin to fuel melting and, additionally, limits the potential release of radioactive isotopes into the coolant during any plant condition;

• Low fuel temperature gradients, due to relatively low core power density; slow thermal transients in fuel (no accident resulting in rapid fuel enthalpy increase is possible because the core is always adequately cooled); which limits possible fuel failure;

• Relatively low coolant temperature, below threshold values for a steam generator tube rupture; the steam generator tubes are safety grade;

• Very high values of minimum departure from the nucleate boiling ratio (DNBR), both in normal operation and as anticipated in the most severe design basis accidents;

• A substantial reduction in the number of physical connections between the primary coolant loop and auxiliary circuits (in total two small diameter lines, generally intercepted, for the chemical and volumetric control system (CVCS), and two small diameter lines, normally intercepted, connected to the safety/relief valve discharge tank, enclosed within the containment for primary loop protection (CPP)); the interconnection lines are safety grade up to the fourth interception valve on each line;

• The containment building, designed to withstand external events such as aircraft impact, provides additional protection against a potential release of radioactive products to the environment during postulated accidents (it may resist up to several bars of internal pressurization; even in the incredible event of a severe accident, the maximum internal overpressure is of the order of fractions of a bar); the containment building is safety grade;

• By design, human factors cannot affect the safety systems;

• All of the few MARS safety systems can be easily and rapidly tested for full operation at any time during plant operation.

FIG. V-4. Operating scheme (left) and self-releasing head (right) of the ATSS [V-1].

The passive safety systems incorporated in the MARS design are the following:

• A passive emergency core cooling system (SCCS), based only on natural convection of cooling fluids and using external air as the ultimate heat sink, Fig. V-3. The SCCS is designed to transfer core decay heat directly from the reactor pressure vessel to the external air, without the intervention of any energized system or component. The system operating principle relies on fluid density differences, due to temperature differences between vertical fluid columns, for fluid circulation. The SCCS includes two trains; each train can remove 100% of the core decay heat power. In an accident causing a reduction of core coolant flow (such as a station blackout or primary pump trip), system activation is automatic, requiring no intervention either by the operator or by the control and monitoring system, because the primary coolant system interception valves are kept in a closed position by the force of primary coolant flow and start opening when this flow decreases below a set point value. The SCCS includes only one non-static mechanical component — check valves of an innovative design [V-1] — which is 400% redundant; the SCCS is safety grade;

• An additional (optional) passive scram system actuated by a bimetallic core temperature sensor and operated by gravity (ATSS — additional, temperature-actuated scram system). This system provides for the insertion of additional control rods to the core when the core coolant temperature reaches a preset value. The operation of this system (Fig. V-4) is based on the differential thermal expansion of the bimetallic sensor located inside the fuel assembly; the differential displacement, due to coolant temperature increase, causes the release of a conventional type control rod cluster. This system is safety grade;

• Special connections of components in the primary coolant system, including bolted flanges for load transmission and welded gaskets for leakage prevention; they may be safety grade.

The main scram system in the MARS plant is an active type scram system based on control rods, similar to that used in conventional PWRs. The control rods in this system are divided into four different banks. This system is safety grade.

DESIGN APPROACHES TO ACHIEVE DEFENCE IN DEPTH IN SMRs

1.3. GENERAL APPROACH

In SMR designs, as in larger reactor designs, the defence in depth strategy is used to protect the public and environment from accidental releases of radiation. Nearly all SMR designs seek to strengthen the first and subsequent levels of defence by incorporating inherent and passive safety features. Certain common characteristics of smaller reactors lend themselves to inherent and passive safety features, such as relatively smaller core sizes enabling integral coolant system layouts and larger reactor surface-to-volume ratios or lower core power densities which facilitate passive decay heat removal. Using the benefits of such features, the main goal is to eliminate or prevent, through design, as many accident initiators and accident consequences as possible. Remaining plausible accident initiators and consequences are then addressed by appropriate combinations of active and passive safety systems. The intended outcome is greater plant simplicity with high safety levels that, in turn, may allow reduced emergency requirements off-site.

It should be noted that an approach to maximize the use of inherent safety features in order to minimize the number of accident initiators in a reactor concept, and then to deal with the remaining accidents using reasonable combinations of active and passive safety systems is being pursued by the Generation IV International Forum, in line with Generation IV Technology Goals [15]. To a limited extent, such an approach is also realized in several near term designs of large capacity water cooled reactors, such as the AP1000, the ESBWR, and the VVER1000, the goal being to achieve a high level of safety in a cost effective way [4].

ACCEPTANCE CRITERIA FOR DESIGN BASIS AND BEYOND DESIGN BASIS ACCIDENTS

II-4.1. List of design basis and beyond design basis accidents

Table II-2 summarizes the main inherent safety features of IRIS, stemming from its safety-by-design™ approach [II-3], together with their implication on design basis events (listed in the fourth column) typically considered by the US NRC for PWRs.

Preliminary list of initiating events for beyond design basis accidents:

• Hypothetical reactor pressure vessel break;

• A transient with failure of all safety systems.

II-4.2. Acceptance criteria

The deterministic acceptance criteria for design basis accidents (DBAs) are assumed to be the same as for conventional PWRs, with the note that, de facto, most of the DBAs in IRIS would be either eliminated or downgraded via a safety-by-design™ approach [II-3], see Table II-2.

The deterministic acceptance criteria for beyond design basis accidents (BDBA) in IRIS, defined on a preliminary basis, include in-vessel retention by passive means.

The probabilistic acceptance criteria for BDBA in the IRIS are summarized in Table II-3.

PERIODIC CONFIRMATION OF PASSIVE SAFETY FEATURE EFFECTIVENESS

D. Wade

Argonne National Laboratory,
United States of America

Technical specifications that govern plant operations require that active safety systems be periodically validated and/or recalibrated as a means to assure that they continue to perform their required safety function. Passive safety features are subject to ageing phenomena over the multidecade life of the plant, and so a means is needed to periodically reconfirm that they also remain always capable of performing their required safety function.

The means to accomplish this reconfirmation is specific to the safety function being performed and to plant design, but the philosophy of periodic checking of passive safety features under technical specification requirements can be illustrated for the specific case of liquid metal cooled fast reactors that rely on a reactor vessel auxiliary cooling system (RVACS) for passive decay heat removal and thermo-structural reactivity feedbacks to self-regulate power output to match externally imposed heat removal rates.

First, in the case of the RVACS, performance degradation might occur due to partial clogging of ambient air circulation channels with dust, rodent nests, flooding of the lower regions of the ducting, etc.; additionally, changes of emittance properties of radiation surfaces due to oxidation or dust layers, etc., might increase heat transport impedance. Continuous heat balances on the always operating RVACS heat rejection rate can be performed in a completely straightforward manner by monitoring air flow rate and temperature rise versus reactor power level. The heat balance instrumentation will, of course, require periodic recalibration in its own right.

The thermo-structural reactivity feedbacks that govern power self-regulation are integral feedbacks which depend on temperature profiles in the reactor; they affect reactivity directly through Doppler and density coefficients of reactivity and indirectly through structural displacements which affect neutron leakage rates. Their components change versus burnup and age due to changing fuel composition and due to structural relaxations of core support structure, core clamping mechanisms, and creep of the fuel wrapper. Periodic reconfirmation to show that thermo-structural feedbacks remain in the range necessary to assure passive matching of power to external heat removal rate rests on the fact that such feedbacks are composite feedbacks with respect to externally controllable variables. These externally controllable variables are the inlet coolant temperature, the forced circulation flow rate, and the reactivity vested in control rods. Specifically, asymptotically — after transients die away — normalized power, P, depends on these external variables via a quasi reactivity balance as:

$$\Delta\rho \equiv 0 = (P - 1)A + \left(\frac{P}{F} - 1\right)B + \delta T_{in}\,C + \Delta\rho_{ext}$$

where $F$ is the normalized primary flow rate, and $\delta T_{in}$ is change in coolant inlet temperature from its operating value.

Integral reactivity coefficients A, B, and C have the following physical interpretations:

— C is the reactivity vested in the deviation of core inlet temperature from its nominal value;

— B is the reactivity vested in the coolant average temperature rise above the coolant inlet temperature;

— A is the reactivity vested in the fuel average temperature rise above the coolant average temperature.

They are measurable in-situ on the operating power plant in a non-intrusive way by introducing step changes in flow rate, coolant inlet temperature and external (rod) reactivity and then measuring the asymptotic

• If $\Delta\rho_{ext}$ is changed while inlet temperature and flow remain fixed, the power will asymptotically self-adjust to:

$$P = 1 + \frac{-\Delta\rho_{ext}/B}{1 + A/B}$$

• If flow rate is changed while inlet temperature and $\Delta\rho_{ext}$ remain fixed, the power will asymptotically self-adjust to:

$$P = \frac{A + B}{A + B/F}$$

• If inlet temperature is changed, $\delta T_{in}$, while $\Delta\rho_{ext}$ and flow rate remain fixed, the power will asymptotically self-adjust to:

This procedure would yield three equations for the three unknowns, A, B and C, which would determine their current values on the operating reactor itself. The efficacy of such measurements in determining the values of A, B, and C on an operating reactor connected to the grid was demonstrated [2] at EBR-II.
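The step-test procedure above, worked as an added example that is not part of the original report: each asymptotic measurement becomes one row of the quasi-static balance 0 = (P - 1)A + (P/F - 1)B + δT_in·C + Δρ_ext, and the resulting 3×3 system is solved for A, B and C. The function names, the units (cents and kelvin) and every numeric value are assumptions constructed for illustration, not EBR-II data.

```python
# Added example: recover the integral reactivity coefficients A, B, C from
# three step tests, using the quasi-static reactivity balance
#   0 = (P - 1)*A + (P/F - 1)*B + dTin*C + drho_ext
# Assumed units: A, B, drho_ext in cents; C in cents/K; dTin in K.


def asymptotic_power(A, B, C, flow=1.0, d_tin=0.0, d_rho_ext=0.0):
    """Normalized power P that satisfies the balance after transients die away."""
    return (A + B - d_tin * C - d_rho_ext) / (A + B / flow)


def balance_row(power, flow=1.0, d_tin=0.0, d_rho_ext=0.0):
    """One measurement -> one linear equation in (A, B, C): coefficients, rhs."""
    return [power - 1.0, power / flow - 1.0, d_tin], -d_rho_ext


def solve_linear(matrix, rhs, tol=1e-12):
    """Gaussian elimination with partial pivoting; rejects singular systems."""
    n = len(rhs)
    aug = [list(row) + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < tol:
            raise ValueError("step tests do not determine A, B and C independently")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= factor * aug[col][c]
    solution = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(aug[i][j] * solution[j] for j in range(i + 1, n))
        solution[i] = (aug[i][n] - tail) / aug[i][i]
    return solution


def fit_coefficients(tests):
    """tests: three dicts with keys power, flow, d_tin, d_rho_ext (last three optional)."""
    if len(tests) != 3:
        raise ValueError("exactly three step tests are expected")
    rows, rhs = zip(*(balance_row(**t) for t in tests))
    return tuple(solve_linear(rows, rhs))


def simulate_step_tests(A, B, C, d_rho_ext=2.0, flow=0.9, d_tin=5.0):
    """Constructed 'measurements': one rod step, one flow step, one inlet-temperature step."""
    return [
        {"power": asymptotic_power(A, B, C, d_rho_ext=d_rho_ext), "d_rho_ext": d_rho_ext},
        {"power": asymptotic_power(A, B, C, flow=flow), "flow": flow},
        {"power": asymptotic_power(A, B, C, d_tin=d_tin), "d_tin": d_tin},
    ]


if __name__ == "__main__":
    true_abc = (-12.0, -30.0, -0.4)  # constructed values, not plant data
    tests = simulate_step_tests(*true_abc)
    for t in tests:
        print(t)
    print("recovered A, B, C:", fit_coefficients(tests))

    # Three rod steps alone give identical A and B columns and no C term,
    # so the system is singular: all three variables must be perturbed.
    rod_only = [
        {"power": asymptotic_power(*true_abc, d_rho_ext=r), "d_rho_ext": r}
        for r in (1.0, 2.0, 3.0)
    ]
    try:
        fit_coefficients(rod_only)
    except ValueError as err:
        print("rod-only tests rejected:", err)
```
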

Some small and medium sized reactors rely on natural circulation, in which case flow, $F$, is not externally controllable but is instead a function of power, $F = f(P)$. Assuming $f(P)$ could be represented as a quadratic:

$$F = a + bP + cP^2$$

Several additional step changes in $\Delta\rho_{ext}$ and/or $\delta T_{in}$ would be sufficient to determine the values of A, B, and C.

More elegant methods have been developed based on continuous monitoring and noise analysis techniques — taking advantage of spontaneous fluctuations or small purposeful power spectral density inputs to the externally controlled state variables.

These examples for liquid metal cooled fast reactors illustrate the approach that can be taken for periodic reconfirmation of the ability of passive safety features to perform their safety function. Other reactor types with different passive features may employ alternative approaches.

SAFETY DESIGN FEATURES OF THE SCOR

CEA,

France

III-1. DESCRIPTION OF THE SCOR DESIGN

The Simple Compact Reactor (SCOR) is a 2000 MW(th) integral design pressurized light water reactor (PWR). The design for the reactor was developed at the Nuclear Energy Division of the Commissariat à l’Énergie Atomique in Cadarache, France. A detailed description of SCOR design and features is provided in [IV-1].

The SCOR is mainly being developed for electricity generation, providing competitive costs, when compared to large sized reactors, through system simplification and compactness in plant layout. However, the SCOR could be used in cogeneration schemes, such as seawater desalination using low temperature processes, as well as thermo-compression or multi-effect distillation.

The SCOR is an integral design reactor having new features with respect to the designs of typical integral type reactors, which usually contain several modular steam generators inside the vessel. Such architecture has led to the design of a large vessel, limiting the output of the reactor to a maximum of 1000 MW(th). In the SCOR concept, the steam generator is located above the vessel and acts as the vessel head. This layout provides space inside the vessel to increase the core size while keeping the same safety advantages (elimination of a large break loss of coolant accident); the SCOR unit power is therefore twice as high as the maximum power of a typical integral design reactor [IV-1, IV-2].

Passive safety features allow the SCOR to respond safely to all initiating events within the design basis, with few operator actions required. Except for loss of coolant accidents (LOCA), where low electric power is needed in the mid term (a low pressure safety injection with a power of about a few tens of kW is required for less than one day), no alternating current (AC) power is needed for accident management. Most of the design extension[43] conditions are eliminated or passively managed as accidents within the design basis. This simplifies the scope of operator training, equipment qualification and surveillance to meet safety requirements.

The main characteristics of a nuclear power plant (NPP) with a SCOR reactor are given in Table IV-1. A schematic view of the SCOR plant is shown in Fig. IV-1.

The plant control scheme will be specifically designed for operation with a single steam generator and will be based on a ‘reactor follows the plant load’ strategy.

The SCOR is an integral type PWR with a compact primary circuit. The reactor pressure vessel houses the main primary system components including the core, the pressurizer, the reactor coolant pumps, the control rod drive mechanism (CRDM), and the heat exchangers of the decay heat removal system. Such design configuration eliminates large penetrations through the reactor vessel, excluding the possibility of large break loss of coolant accidents. A single steam generator acts as the reactor vessel head; see Fig. IV-2 (this figure also illustrates the flow path of the coolant).

From the lower plenum, water flows upward through the core and the riser and through the centre of the pressurizer. At the top of the vessel, fluid flows upward and downward through the U shaped tubes of the steam generator. Then, the fluid is collected in an annular plenum and passes to the inlet of the reactor coolant pumps. From the pump outlet, the coolant flows through a venturi and then across the tubes of the decay heat exchangers to the lower plenum.

A design with integrated pumps eliminates large diameter loops typical of a standard PWR and substantially eliminates large break LOCA events. The number of smaller diameter pipes is also reduced, limiting the probability of occurrence of small breaks and small break loss of coolant events.

| Characteristic | Value |
|---|---|
| Installed capacity | |
| Power plant output, net | 630 MW(e) |
| Reactor thermal output | 2000 MW(th) |
| Reactor core | |
| Active core height | 3.66 m |
| Equivalent core diameter | 3.04 m |
| Average linear heat rate | 12.9 kW/m |
| Average fuel power density | 24 kW/kg UO2 |
| Average core power density (volumetric) | 75.3 kW/l |
| Thermal heat flux | 430 kW/m² |
| Reactor pressure vessel (RPV) | |
| Cylindrical shell inner diameter | 4983 mm |
| Wall thickness of cylindrical shell | 141 mm |
| Total height | 14813 mm |
| RPV head | No (steam generator) |
| Base material: cylindrical shell | Carbon steel |
| Liner | Stainless steel |
| Design pressure/temperature | 9.78/309 MPa/°C |
| Transport weight (lower part) | 280 t |

FIG. IV-1. Schematics of the SCOR plant [IV-1].

Legend: 1 Core; 2 Reactor vessel; 3 Steam generator; 4 Turbine; 5 Condenser; 6 Generator; 7 Steam dump pool; 8 Residual heat Removal system on Primary circuit (RRP); 9 Air-cooling tower of the RRP; 10 Heat sink pool of the RRP; 11 Low Pressure Safety Injection system; 12 Pool of the wetwell; 13 Primary containment (drywell); 14 Containment building.


The SCOR concept is based on well-proven nuclear reactor technologies; its major innovations are related to safety design and the design of auxiliary systems. The innovative features of SCOR are as follows:

• Elimination of large diameter penetrations through the reactor pressure vessel;

• Integrated passive emergency core cooling systems based only on natural convection and using external air as the ultimate heat sink;

• A soluble boron free core with control rod drive mechanisms located inside the reactor pressure vessel;

• Relatively low core power density, enabling a large margin (i.e., departure from nucleate boiling ratio (DNBR)) within the whole range of operating parameters;

• Reduction of reactor building maximum pressurization;

• Reduction of human factors affecting safety systems;

• Easy testing and maintenance of all safety systems.

Reactivity control is achieved through the use of control rods with in-vessel drives; no soluble boron system is foreseen. To reduce reactivity at the beginning of the cycle, the loaded portion of fuel contains burnable poison. As in standard pressurized water reactors (PWRs), the clusters of control rods are moved in guide thimbles but, as the steam generator acts as a vessel head, there is no possibility of using an external mechanism to move the control rod clusters. The control rod drive mechanism (CRDM) appears as an integrated hydraulic system. There is around one control rod cluster per two fuel assemblies; such selection is sufficient to control reactivity from a full power to a cold shut down state. In accident conditions, redundancy is achieved by another device, called the MP98 system [IV-3]; this system enables the movement of a liquid neutron absorber in dedicated tubes in the guide thimbles of the assemblies without control rod clusters. Main characteristics of the reactivity control system are summarized in Table IV-2.

| System type/characterization | Availability/value |
|---|---|
| Burnable absorbers | Yes |
| Number of control rods | 78 |
| Absorber rods per control assembly | 24 |
| Drive mechanism | Hydraulic |
| Soluble neutron absorber | No |
| 2nd system for accidental conditions | Yes |

The SCOR design philosophy is based on finding an optimum between economic and safety approach issues:

• SCOR is a larger size integral design PWR, compatible with the option of industrial manufacturing in series and also offering a compact plant layout;

• The safety approach is based on an architecture with which as many accident initiators as possible are eliminated or reduced, or the possible consequences of accidents are limited, by relying upon both inherent safety features and active and passive systems.

The design options of SCOR were selected to facilitate safety demonstration:

• The integral design eliminates large primary penetrations of the reactor vessel; therefore, large break loss of coolant accidents (LOCAs) are practically eliminated;

• The integrated control rod drive mechanisms eliminate the risk of rapid reactivity insertion through control rod ejection;

• The residual heat removal system on the primary circuit (RRP) with heat exchangers located in the vessel, very close to the core, eliminates an additional loop with the primary water typical of a standard residual heat removal system.

The design philosophy of SCOR results from reactor studies conducted in the 1990s, based on such PWR designs as the AP600, SIR, PIUS, low pressure PWRs, and the EPR, and incorporates the results of CEA (France) studies of safety systems and several PWR core types [IV-1, IV-2].

The SCOR design concept provides for a simplification of the main systems. Such selection contributes to simplified plant operability and reduced plant costs and also improves safety and reduces machine-human interactions.

Low primary operating pressure enables a reduction of the wall thicknesses of pressure bearing components and reduces the required pressurizer volume.

The elimination of alternating current (AC) powered safety systems² contributes to a reduced complexity of the active systems, which otherwise would need sensors, actuators, etc. that must be qualified for reliable operation over the full range of conditions which might be encountered (e.g., fire, seismic events, etc.).

Another important implication of the design simplification targeted for SCOR may be related to improved human reliability [IV-4], as discussed in more detail below.

Most human reliability assessment (HRA) models acknowledge the fact that human performance in operating a system (especially in performing cognitive, demanding tasks) is largely influenced by complexity characteristics of the system. Although this notion of complexity may appear somewhat subjective at a certain level (the perceived complexity of a system is highly dependent on the knowledge and skills that the operators have developed), it still exhibits an objective component directly correlated to the intrinsic complexity of the features of a system. For example, minimizing the intrinsic complexity of a system, particularly in the early phases of its design, appears to be an attractive way of improving the system operation taking into account human factors.

² Except for the safety injection system, which operates at low pressure and with a low flow rate.

FIG. IV-3. Characterization of the complexity features (illustration) [IV-1].

The abovementioned considerations form a basis for the approach proposed by the CEA (France) to assess the relevance of human factors in advanced nuclear reactor concepts, particularly during the very early phases of the design, that is, when it is still possible to propose alternative solutions at a limited cost. Such an approach was followed in the SCOR design.

The method consists of characterizing design features, especially within safety system architecture, that are likely to pose problems in operation, notably during degraded situations in which plant safety strongly depends on human reliability. The characterization of the intrinsic physical behaviour of plant processes (safety functions), of the operating constraints of the safety systems, and, finally, of the interrelations between these entities[44] (most of the complexity theories consider these interrelations to be the main contributors to the complexity of a system), lead to the definition of an operational complexity index and to the identification of sources of operational constraints bearing on operation crews. Figure IV-3 illustrates such complexity features, as defined by the relationships between safety functions and safety systems.

Figure IV-4 illustrates the principles applied for quantification of complexity (operational complexity index (OC)), on the basis of functional architecture shown in Fig. IV-3.

Each parameter used in the expression of Fig. IV-4 is evaluated on the basis of a discrete scale, considering the potential human factor impact of a certain feature. For example, in the case of the reversibility (REVJ) of an engineered safety system, a 3-level scale has been defined:

REV = 1 — for a system in which the effects are totally reversible (easily achieved by making a reverse action);

REV = 2 — for a system in which the reverse action requires more effort than a normal action;

REV = 3 — for a system in which the consequences of an action are irreversible (the worst case).


FIG. IV-4. Quantification of complexity — Operational complexity index (OC).

The basic idea behind this quantification is the notion that it is possible to undo the effects of a (potentially erroneous) action, which is a definitive factor in human decision making. If such a possibility is not understood, operators may be reluctant to take an action, even though it might be vital for plant safety. This characteristic has a strong link to what is called the ‘forgiving features’ of a design. On its basis, comparative studies among various designs are possible, outlining a new approach to design optimization which considers human factors at a very early phase in the conceptual design, whereas customary approaches only consider these aspects during instrumentation and control (I&C) and man-machine interface (MMI) design phases.

Even though the SCOR design is still at an early conceptual phase, the present knowledge of its safety design options is sufficient for a preliminary assessment of the operational complexity. Figure IV-5 presents the first results of such an assessment, performed in comparison with a standard loop-type PWR.

The presented results point to a potential decrease in the operational complexity of the SCOR as compared to a standard loop-type PWR. The reasons behind this expected simplification are twofold [IV-1]: [45]

FIG. IV-5. Operational complexity safety functions for the SCOR and a standard PWR [IV-1].

elimination of soluble boron in the SCOR, and for the coolant inventory control (INV) systems — simplification of the configuration of a low pressure safety injection in the SCOR.

Even though the assessment of human factors for the SCOR concept is preliminary (it focuses on degraded operation, but similar analysis is required for normal operation, maintenance and testing), results confirm that the design options for SCOR may lead to a considerable simplification of operation and to a possible improvement of human reliability in operation. This conclusion appears particularly valuable as probabilistic safety assessments (PSA) indicate that human failures make a major contribution to the global risk in existing nuclear power plants.

SCOPE

This report addresses 11 representative SMR concepts/designs originating from seven IAEA Member States, including Argentina, France, India, Italy, Japan, the Russian Federation, and the USA. The concepts have been selected to include:

— As many concepts as possible for which noticeable progress toward advanced design stages or deployment is observed;

— Concepts representing different reactor lines;

— Those concepts that could be deployed in the near term.

Presentation of certain SMR concepts in this report was also conditioned by the agreement of their developers to cooperate. In some cases, the designers considered the subject of this report too sensitive and withdrew from the cooperation.