The lists of initiating events, design basis and beyond design basis accidents for a floating NPP with KLT — 40S nuclear installations have been developed on the basis of analysis of possible disturbances of normal operation caused by equipment failures, personnel errors, and internal and external impacts, also taking into account possible additional failures in the safety systems.

The basis for these lists was provided by corresponding lists of initiating events and accident scenarios for a prototype ice breaker reactor installation KLT-40; the KLT-40 lists were then modified, taking into account changes in structures and systems made during the transition to KLT-40S reactor installation, as well as experience in design and operation of relevant propulsion and land based NPPs.

The lists of initiating events and accidents adopted for the KLT-40S take into account typical lists given in the safety requirements of IAEA Safety Standards Series No. NS-R-1 [I-2].

Classification of the initiating events is adopted in accordance with the OPB-88/97 terminology, taking into account that initiating events associated with an independent single failure of a safety system element may lead to a pre-accident situation (abnormal plant state with disturbance of safe operation conditions that does not propagate into an accident) or to a design basis accident (abnormal plant operation with a release of radioactive materials beyond design barriers).

In safety substantiation of the nuclear installation, all operating conditions of the reactor unit and the floating NPP were taken into account, including startup, heatup, power operation, refuelling, repair and maintenance, hauling, etc.

The list of initiating events of pre-accident situations and design basis accidents is given in Table I-2. The list of beyond design basis accidents is presented in Table I-3.

TABLE I-2. CLASSIFICATION LIST OF INITIATING EVENTS OF PRE-ACCIDENT SITUATIONS AND DESIGN BASIS ACCIDENTS

1. Faults in operation of reactor unit systems
1.1. Disruptions of reactivity and core power distribution	1.1.1. Uncontrolled change of shim control rod group position 1.1.2. Main coolant pump (MCP) switching on with deviation from instruction 1.1.3. Drop of one scram or shim control rod group 1.1.5. Faulty reactor shutdown 1.1.6. Faulty switching on of the standby cooldown pump 1.1.7. Disturbance of the design configuration of control rods of the control and protection system (CPS) at power operation
1.2. Increase of heat removal from the primary circuit	1.2.1. Decrease of feedwater temperature 1.2.2. Increase of feedwater flow 1.2.3. Increase of steam flow (opening of a dump valve and its failure to close, actuation of a safety valve on the steam line and its failure to close) 1.2.4. Guillotine break of the main steam line 1.2.5. Small break of the main steam line 1.2.6. Faulty switching on of the emergency heat removal system (EHRS) channels

Class of initiating events

Initiating event

Class of initiating events	Initiating event
1.3. Decrease of heat removal from the primary circuit	1.3.1. Decrease of steam flow (one or two of the SGs switching off; malfunctions in control system; turbo-generator failure; failure of the main condenser) 1.3.3.Decrease of feedwater flow (closure of a feedwater valve; stop of the feedwater pumps) 1.3.4. Termination of a feedwater flow 1.3.5.Guillotine break of the feedwater pipeline 1.3.6. Small break of the feedwater pipeline 1.3.7. Malfunction of equipment cooling by the third circuit 1.3.8. Disruption of heat removal to the outboard water (stop of the fourth circuit pump, break of the fourth circuit pipeline) 1.3.9. Disconnection of high pressure gas reservoirs (balloons) from the pressurizer in normal operation mode 1.3.10. Drop of compressed air pressure in the valve driving system 1.3.11. Faulty disconnection of the purification and cooldown system 1.3.12. Faulty disconnection of the cogeneration bleed-off
1.4. Loss of electric power sources	1.4.1. Partial loss of auxiliary power 1.4.2. Total loss of auxiliary power (blackout of the two switchboards)
1.5. Decrease of the reactor coolant system flow rate	1.5.1. Transition of one or two of the MCPs from high speed to low speed (high speed ‘blackout’) 1.5.2. Stopping of one or two of the MCPs running at low speed 1.5.3. Stopping of one or two of the MCPs running at high speed 1.5.4. Transition of four MCPs from high speed to low speed 1.5.5. Stopping of four MCPs 1.5.6. Seizure of one MCP
1.6. Increase of the reactor primary coolant system inventory	1.6.1. Inadvertent operation of the make-up system
1.7. Loss of coolant accidents (LOCAs)	1.7.1.Guillotine break of the pressurizer surge line 1.7.2.Guillotine break of the purification and cooldown system pipeline 1.7.3. Guillotine break of the emergency core cooling system (ECCS) pipeline in a section which cannot be cut off 1.7.4. Break of the CPS drive support (bar) 1.7.5. Steam generator tube rupture 1.7.6. Tube rupture in the heat exchanger of purification and cooldown system 1.7.7. Tube rupture of the MCP cooler 1.7.8. Leak of a cooler for the supports of the CPS drives 1.7.9.Small primary circuit LOCA 1.7.10. Faults in sampling and draining of the reactor coolant 1.7.11. Rupture of the sampling pipeline outside the containment 2. Internal impacts
2.1. Fires	2.1.1. Fires in the floating power unit (FPU) compartments

2.2. Flooding, steaming of the compartments

2.3. Explosion of the gas balloons

Class of initiating events	Initiating event 3. Accidents in a shutdown state
3.1. Disruptions of reactivity & core power distribution	3.1.1. Drop of a ‘fresh’ fuel assembly to the wrong place during refuelling
3.2. Disruptions in heat removal	3.2.1. Total blackout during long term cooling of the reactor unit 3.2.2. Total blackout during refuelling 3.2.3. Total blackout during equipment maintenance 3.2.4. Termination of heat removal during refuelling 3.2.5. Termination of heat removal during equipment maintenance
3.3. LOCAs	3.3.1. Guillotine break of the pressurizer surge line in reactor hot shutdown state 3.3.2. Faults in sampling and draining of the reactor coolant

3.4. Disruption of water and gas chemistry in an opened reactor

3.5. Fire in the reactor equipment compartment during refuelling or maintenance 4. Disruptions in nuclear fuel and radioactive waste handling 4.1. Disruptions at refuelling 4.1.1.Hang-up of a spent fuel assembly during refuelling 4.1.2.Hang-up of a container with spent fuel assemblies 4.1.3.Drop of a spent fuel assembly 4.1.4.Drop of a case with a spent fuel assembly 4.1.5.Blackout of refuelling equipment 4.2. Disruptions in nuclear fuel storage systems 4.2.1.Depressurization of a cooling circuit and gas system for spent fuel and solid waste storage 4.2.2.Blackout of the cooling system for spent fuel assembly storage tanks or decrease of heat removal from the tanks 4.2.3.Termination of heat removal from the spent fuel assembly storage tank 4.2.4.Leak of a case in the spent fuel assembly storage tank 4.2.5.Flooding or steaming of the storage tank and of the case with spent fuel assemblies 4.2.6.Disruption of gas content conditions in the spent fuel storage 4.3. Release of radioactive fluids from equipment and systems 4.3.1.Leaks in pipelines and equipment sealing: Leak in the gas removal system; Leak in the drainage and sampling system; Leak in the zero-discharge technology system 4.3.2.Disruptions during reloading of the reactor coolant system filter, resulting in the release of radioactive substances 5. External impacts on the FPU 5.1. Taking place on site, as a result of natural events 5.1.1.Break of the rigid mooring bars due to formation of an ice plug with subsequent FPU grounding under the impact of wind and rough water 5.1.2.Earthquake 5.2. Taking place on site, as a result of human induced events 5.2.1.Explosion of an external source on the shore 5.2.2.Explosion on a moored tanker 5.2.3.Pressing of a mooring ship 5.2.4.Break of shore communication pipelines 5.2.5.Helicopter crash-landing on the FPU 5.3. Taking place at hauling 5.3.1.Collision of the FPU with another ship 5.3.2.Grounding

Groups of beyond design basis accidents	Representative scenarios of beyond design basis accidents 1. Accidents in leaktight reactor coolant system
1.1. Accidents with disruption of reactivity	1.1.1.Inadvertent withdrawal of shim control rod groups driven simultaneously with normal or emergency speed 1.1.2.Inadvertent withdrawal of any of the two shim control rod groups accompanied by a failure of the system of detection and termination of control rod inadvertent movement, and a failure of the control system of reactor shutdown on power and/or doubling period signal 1.1.3.Drop of one control rod group with failures in the CPS: failures of interlocks, failures of control rod movement algorithms, failure of emergency reactor shutdown 1.1.4. Erroneous loading and operation of a fuel assembly in a wrong position 1.1.5. Break of a steam line inside the containment
1.2. Anticipated Transients Without Scram (ATWS)	1.2.1. ‘Hang up’ of all shim or scram control rod groups or failures of the control system of emergency reactor shutdown on all protection signals, incited by the following initiating events: (1) Termination of steam flow to the turbine (closure of valves on the main steam lines); (2) Maximum increase of steam flow in the secondary system (full opening of the safety valve and its seizure in this position); (3) Termination of the feedwater flow (full closure of the feedwater valve); (4) Switch off of all MCPs; (5) Total blackout of the two auxiliary power switchboards; (6) Inadvertent withdrawal of simultaneously driven control rod groups (at reactor startup or during power operation)
1.3. Disruption of heat removal with failures in the emergency heat removal system (EHRS)	1.3.1.Break of the feedwater line with a failure of the fourth circuit and a failure of the system of outboard water supply to process condenser 1.3.2. Break of the feedwater line with EHRS failure to start on automatic signals 1.3.3. Total blackout with failure of all emergency and backup alternate current (AC) sources 1.3.4.Termination of heat removal by the secondary circuit with inadvertent cut off of the high pressure gas balloons 1.3.5. Break of the feedwater line with complete failure of the reactor shutdown system 1.3.6. Partial blockage of the reactor coolant circuit or of the fuel assembly inlet 2. Loss of coolant accidents
2.1. LOCAs inside the containment	2.1.1.Guillotine break of the reactor coolant system pipeline with failure of the active ECCS subsystem 2.1.2.Guillotine break of the reactor coolant system pipeline with failure of the passive ECCS subsystem (hydro-accumulators) 2.1.3.Guillotine break of an ECCS pipeline of one of the channels with a pump failure at the second channel
	2.1.4.Guillotine break of a reactor coolant system pipeline with a double end leak (failure of the cut-off valves of the purification system) and a failure of the active ECCS subsystem 2.1.5.Guillotine break of a reactor coolant system pipeline with failure to cut off the high pressure gas balloons 2.1.6.Small LOCA with total blackout, due to the loss of all AC sources 2.1.7.Guillotine break of a reactor coolant system pipeline with total blackout, due to the loss of all AC sources 2.1.8.Guillotine break of a reactor coolant system pipeline with failure to close the cut-off valves in the containment ventilation system on automatic signals 2.1.9.Rupture of a CPS drive support

Groups of beyond design basis accidents

Representative scenarios of beyond design basis accidents

2.2. Accidents with bypassing of the containment

2.2.1.SG tube rupture with a failure of the cut-off valves to close 2.2.2.Break of a steam line — SG collector with a failure of the cut-off valves to close 2.2.3.Leak of a cooler supporting the CPS drives with a failure of the cut-off valves to close 2.2.4.Rupture of an MCP cooler tube with a failure of the cut-off valves to close 2.2.5.Rupture of an MCP cooler tube with a failure to cut off the high pressure gas balloons 2.2.6.Rupture of a tube in the heat exchanger of the purification and cooldown system with a failure to close the cut-off valves 2.2.7.Break of a cooling water outlet pipeline in the heat exchanger of the purification and cooldown system with failure to close the cut-off valves 2.2.8. Rupture of a pipeline of the sampling system with failure to close cut-off valves located on the lines of the sampling systems and the purification and cooldown system

2.3. Accumulation of a potentially explosive gas mixture in the reactor in an accident with diluent gas release outside the reactor primary coolant system

	3. Accidents in a shut down reactor; accidents during fuel handling
3.1. Insertion of a positive reactivity	3.1.1. Inadvertent withdrawal of one shim control rod group during dismantling operations in the reactor
3.2. Disruption in heat removal from the reactor	3.2.1.Total blackout with a failure of all AC sources during refuelling 3.2.2. Total blackout with a failure of all AC sources during equipment maintenance (maintenance of the SG, MCP, cooldown system pumps, valves)
3.3. Depressurization of the primary circuit	3.3.1. Guillotine break of the pressurizer surge line in a hot shutdown state of the reactor with a failure of the ECCS active subsystem
3.4. Accidents during refuelling	3.4.1.Drop of a spent fuel assembly container: (1) Onto the reactor (2) Onto the spent fuel storage 3.4.2. Destruction of spent fuel assemblies as a result of an inadvertent closure of the container gate or an inadvertent turn of the aiming mechanism 3.4.3.Drop of a container with the case loaded by spent fuel assemblies 3.4.4.Drop of a container with the reactor coolant system filter
3.5. Accidents in spent fuel storage	3.5.1. Failure of a cooling system of the spent fuel storage tanks (all channels)

3.6. Release of radiolysis products from the opened reactor in an accident with loss of heat removal from the reactor (during refuelling, during equipment maintenance)

4. External impacts on the FPU

4.1. Collisions of the FPU with other ships having a speed above critical value 4.2. Fall of an aircraft onto the FPU from high altitude

4.3. Sinking of the FPU

4.4. Grounding of the FPU, including on rocky ground

I — 4.2. Acceptance criteria for design basis accidents and beyond design basis accidents

Substantiation of the KLT-40S NPP safety in design basis and beyond design basis accidents has been performed on the basis of safety assessment criteria (acceptance criteria) presented in Tables I-4 and I-5.

Table I-6 establishes a correspondence between safety assessment criteria (acceptance criteria) and design basis accidents.

Table I-7 establishes similar correspondence for beyond design basis accidents.

Bhabha Atomic Research Centre,

India

V — 1. DESCRIPTION OF THE AHWR DESIGN

The Advanced Heavy Water Reactor (AHWR) is a concept for a 300 MW(e), vertical pressure tube type reactor cooled by boiling light water and moderated by heavy water. The AHWR design is being developed by the Bhabha Atomic Research Centre (BARC, India). The reactor is designed to be fuelled with (U233-Th)O2, together with (Pu-Th)O2. In this, the AHWR would be nearly self-sustaining in U233. The design of the AHWR is fine tuned to derive most of its power from thorium based fuel, while achieving a negative void coefficient of reactivity. A detailed description of the AHWR concept and its design status can be found in [VI-1].

The general arrangement of the AHWR is shown in Fig. VI-1. Heat removal from the core is achieved by natural circulation of the coolant. The core consists of vertical fuel channels housed in a calandria containing the heavy water moderator.

The calandria is located in a water filled reactor cavity. The core is connected to four steam drums. A large water pool, called the gravity driven water pool (GDWP), is located near the top of the containment. Moderator heat is utilized for feedwater heating. As shown in Fig. VI-2, double containment is provided to prevent any release of radioactivity to the environment.

The fuel assembly is suspended from the top into the coolant channel of the reactor. The assembly consists of a single, long fuel cluster (see Fig. VI-2) and two shield sub-assemblies. The cluster has 54 fuel pins arranged in three concentric rings, 12 pins in the inner ring, 18 pins in the intermediate ring, and 24 pins in the outer ring

FIG. VI-1. General arrangement of AHWR [VI-1].

FIG. VI-2. AHWR fuel cluster arrangement.

around a central rod containing the burnable absorber dysprosium as Dy2O3-ZrO2. The 24 fuel pins of the outer ring incorporate (Th-Pu)O2 fuel and the 30 fuel pins in the inner and intermediate rings are based on (Th-233U)O2 fuel. Like other pressurized heavy water reactor designs, the AHWR provides for on-line refuelling.

The AHWR incorporates several passive safety systems to facilitate the execution of safety functions related to normal reactor operation, residual heat removal, emergency core cooling, confinement of radioactivity, etc. Passive shutdown during a high pressure transient due to a failure of wired (sensors, signal carriers and actuators) shutdown systems and high temperature protection of the concrete by passive cooling are some of the additional features of the AHWR. A 6000 m3 capacity GDWP, located at higher elevation inside the containment, serves as a heat sink for the residual heat removal system and several other passive systems; in addition to this, it acts as a suppression pool.

Major design specifications of the AHWR are given in Table VI-1.

For each of the reactor lines considered (pressurized water reactors, pressurized light water cooled heavy water moderated reactors, high temperature gas cooled reactors, sodium cooled and lead cooled fast reactors, and non-conventional designs), the design features contributing to different levels of defence in depth are summarized and structured as described below.

The first five tables for each reactor line give a summary of design features contributing to Level 1 through Level 5 of defence in depth with a short explanation of the nature of these contributions, in line with the definitions given in [7]. Passive and active safety systems are highlighted in more detail in conjunction with Level 3 defence in depth.

It should be noted that original safety design concepts of the considered SMRs do not always follow the defence in depth concept recommended in by IAEA safety standards [7]. Although all designers were requested to follow the recommendations of [7] when providing descriptions of SMR safety design features enclosed as Annexes I-X, the results are non-uniform. For example, some Level 4 features were in several cases attributed to Level 5 for PWRs, etc. To provide a uniform basis for descriptions, the attribution of safety design features to certain levels of defence in depth was harmonized for all SMRs considered, following the recommendations of [7], and in this way presented in all tables of this section. Therefore, attribution indicated in the tables below may be in some cases different from that originally provided by designers in the corresponding annexes.

The sixth table for each reactor line summarizes the degree of detail in the definition of design basis and beyond design basis events, as observed in the corresponding annexes, and highlights the events specific to a particular SMR, but not to the corresponding reactor line.

The seventh table gives a summary of deterministic and probabilistic acceptance criteria for design basis and beyond design basis events as applied by the designers, and specifically highlights cases when a risk — informed approach is being used or targeted.

The eighth table for each reactor line summarizes design features for plant protection against external event impacts, with a focus on aircraft crashes and earthquakes, and refers to recent IAEA publications of relevance [6], when applicable.

Finally, the ninth table gives a summary of measures planned in response to severe accidents.

The final paragraph in each of the following subsections provides a summary of safety design approaches pursued by designers of SMRs, using the above mentioned tables as references, with a link to IAEA safety standards [7] and other publications of relevance.

The safety design features of IRIS intended to cope with external events and external/internal event combinations are described in detail in [II-8].

The reactor, containment, passive safety systems, fuel storage, power source, control room and backup control are all located within the reinforced concrete auxiliary building and are protected from on-site explosions. The reactor unit appears as a very low profile, minimum sized target to an aircraft. The IRIS containment is completely within the reinforced concrete auxiliary building and one-half of it (13 m) is actually underground, since the containment is only 25m in diameter. The external, surrounding building target profile is only about 30 m high, and can easily be hardened and/or placed further underground. Also, the IRIS’s safety features are passive and are contained within the auxiliary building.

TABLE II-2. SAFETY-BY-DESIGN™ IRIS PHILOSOPHY AND ITS IMPLICATIONS ON DESIGN BASIS EVENTS

IRIS Design Characteristic	Safety Implication	Accidents Affected	Design Basis Events	Effect on Design Basis Events by IRIS Safety-by-Design™
Integral layout	No large primary piping	• Large break loss of coolant accidents (LOCAs)	Large break LOCA	Eliminated
Large, tall vessel	Increased water inventory Increased natural circulation Accommodates internal control rod drive mechanisms (CRD Ms)	• Other LOCAs • Decrease in heat removal various events • Control rod ejection, head penetrations failure	Spectrum of control rod ejection accidents	Eliminated
Heat removal from inside the vessel	Depressurizes primary system by condensation and not by loss of mass Effective heat removal by steam generators (SG)/ emergency high removal system (EHRS)	• LOCAs • LOCAs • All events for which effective cooldown is required • Anticipated transients without scram (ATWS)
Reduced size, higher design pressure containment	Reduced driving force through primary opening	• LOCAs
Multiple, integral, shaftless coolant pumps	Decreased importance of single pump failure No shaft	• Locked rotor, shaft seizure/ break • Loss of flow accidents (LOFAs)	Reactor coolant pump shaft break Reactor coolant pump seizure	Eliminated Downgraded
High design pressure steam generator system	No SG safety valves Primary system cannot over-pressure secondary system Feed/Steam System Piping designed for full reactor coolant system (RCS) pressure reduces piping failure probability	• Steam generator tube rupture • Steam line break • Feed Une break	Steam generator tube rupture	Downgraded
. Steam system piping failure Feedwater system pipe break	Downgraded Downgraded
Once through steam generators	Limited water inventory	• Feed Une break • Steam line break
Integral pressurizer	Large pressurizer volume/reactor power	• Overheating events, including feed line break • ATWS
			Fuel handling accidents	Unaffected

TABLE II-3. PROBABILISTIC ACCEPTANCE CRITERIA FOR BDBA IN IRIS

Core damage frequency (CDF)	<10-7
Large early release frequency (LERF)	~10-9

The IRIS is designed to survive a hypothetical flood called the probable maximal flood (PMF), which combines the worst possible values of all factors that contribute to producing a flood. This and other capabilities of the IRIS design are connected to use of the passive features, which are all contained within the auxiliary building and do not require external water or power supplies for at least 7 days.

As an example, the plant ultimate heat sink is provided by water stored in the auxiliary building in the refuelling water storage tank (RWST). This water is heated and boiled and steam is vented to the atmosphere. This safety grade ultimate heat sink provides for the removal of sensible heat of the reactor coolant system and core decay heat for at least one week, without credit for any water make-up. The design objective of IRIS is to apply both the safety-by-design™ philosophy [II-3] and the PRA guided design approach to design the plant in such a way as to minimize the contribution of external events to core damage frequency (CDF) to a level lower or at most comparable to that of internal events, which is currently estimated to be ~2 x 10-8.

[1] D. C. WADE AND R. N. HILL, The design rationale of the IFR, Prog,. Nucl. Energy, 31 (1997) 13-42.

[2] PLANCHON, H. P., SACKETT, J. I., GOLDEN, G. H., SEVY, R. H., Implications of the EBR-II Inherent Safety Demonstration Test, Nucl. Eng. Des. 101, (1987) 75.

TERMS USED

Small and medium sized reactors (SMRs)

According to the classification currently used by the IAEA, small reactors are reactors with an equivalent electrical power output of less than 300 MW, medium sized reactors have an equivalent electrical power output of between 300 and 700 MW [1].

Small reactors without on-site refuelling

According to the definition given in Ref. [1], small reactors without on-site refuelling are reactors designed for infrequent replacement of well-contained fuel cassette(s) in a manner that prohibits clandestine diversion of nuclear fuel material.

Safety related terms

Definitions from IAEA safety standards

The format used to describe passive safety design options for SMRs — provided in Appendix 3 and used in Annexes I-X — contributed by Member States, was developed reflecting definitions used in IAEA Safety Standards Series No. NS-R-1 Safety of Nuclear Power Plants: Design [2]:

Active component: A component of which function depends on an external input such as actuation, mechanical movement or supply of power.

Passive component: A component of which function does not depend on an external input such as actuation, mechanical movement or supply of power.

Plant equipment: (see Fig. 1).

Safety system: A system important to safety, provided to ensure safe shutdown of the reactor or residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents.

Plant equipment

Items[27] important to safety

Items not important to safety

Safety related items

FIG. 1. Plant equipment [2].

beyond design basis accidents

(a) Accident conditions which are not explicitly considered design basis accidents but which they encompass;

(b) Beyond design basis accidents without significant core degradation.

FIG. 2. Plant states [2].

Protection system: A system which monitors the operation of a reactor and which, on sensing an abnormal condition, automatically initiates actions to prevent an unsafe or potentially unsafe condition.

Plant states: (see Fig. 2).

Normal operation: Operation within specified operational limits and conditions.

Postulated initiating event: An event identified during design as capable of leading to anticipated operational occurrences or accident conditions.

Anticipated operational occurrence: An operational process deviating from normal operation which is expected to occur at least once during the operating lifetime of a facility but which, with appropriate design provisions, does not cause any significant damage to items important to safety or lead to accident conditions.

Accident conditions: Deviations from normal operation more severe than anticipated operational occurrences, including design basis accidents and severe accidents.

Design basis accident: Accident conditions against which a nuclear power plant is designed according to established design criteria, and for which the damage to the fuel and the release of radioactive material are kept within authorized limits.

Severe accidents: Accident conditions more severe than a design basis accident and involving significant core degradation.

Ultimate heat sink: A medium to which residual heat can always be transferred, even if all other means of removing the heat have been lost or are insufficient.

Single failure: A failure which results in the loss of capability of a component to perform its intended safety function(s), and any consequential failure(s) which result from it.

Common cause failure: Failure of two or more structures, systems or components due to a single specific event or cause.

Safety function: A specific purpose that must be accomplished for safety.

The occurrence and consequences of a significant number of accidents are either eliminated outright or reduced by the SCOR concept at the design level. The major safety systems are passive; they require no operator action or off-site assistance for a long period after an accident. Moreover, core and containment cooling is provided during a long period without AC power.

The inherent safety features incorporated in the SCOR design are: [46]

The SCOR design incorporates the following passive safety systems:

• Passive residual heat removal system on the primary circuit (RRP). Passive operation of this system is ensured simultaneously in the primary circuit, in the RRP loop, and in the ultimate heat sink; the RRP system has two types of heat sinks: water pool and air-cooling tower;

• No action regarding the steam line of the steam generator is needed to ensure decay heat removal[47];

• In the case of a blackout, natural convection in the primary circuit with 4 operating RRPs is sufficient to remove the decay heat (and to achieve zero reactivity via feedback due to the moderator reactivity coefficient in the case of a anticipated transient without scram (ATWS));

• A dedicated steam dump pool, located in the containment building, prevents radioactivity release into the atmosphere in the case of a steam generator tube rupture;

• Passive control of the containment pressure by pressure suppression in the case of a LOCA;

• In-vessel retention of corium achieved via reactor cavity flooding in the case of a hypothetical severe accident;

• Infinite autonomy with the air cooling tower heat sink;

• Prevention of hydrogen combustion by maintaining an inert atmosphere in the reactor vessel compartment;

• One of the shutdown systems is based on insertion of gravity driven control rods to the core (the actuation of this system is the same as in a standard PWR), see [IV-1].

More details about passive safety systems incorporated in the SCOR design are given below.

The SMR concepts included represent pressurized water reactors (5 inputs), pressurized light water cooled heavy water moderated reactors (1 input); high temperature gas cooled reactors (HTGRs, 1 input); liquid metal cooled fast reactors (1 input for sodium and 1 input for lead cooled reactors), and a single non-conventional design, which is a lead-bismuth cooled very high temperature reactor with pin-in-block HTGR type fuel.

Of the pressurized water reactors included, the KLT-40S (Annex I) has entered the deployment stage — construction began in 2007 in the Russian Federation of a pilot floating cogeneration plant of 400 MW(th)/ 70 MW(e) with two KLT-40S reactors. Actual deployment is scheduled for 2010.

Two reactors with integrated design of the primary circuit are in advanced design stages, and their commercialization could start around 2015. These are the 335 MW(e) IRIS design (Annex II) developed by the international consortium led by Westinghouse, USA; and the prototype 27 MW(e) CAREM (Annex III) developed in Argentina, for which construction is scheduled to be complete in 2011.

Two other PWR type designs, the SCOR (France) and the MARS (Italy) have the potential to be developed and deployed in the short term but show no substantial progress toward deployment. The SCOR, with 630 MW(e) (Annex IV), is in the conceptual design stage, and is of interest as it represents a larger capacity integral-design PWR. The modular MARS, with 150 MW(e) per module (Annex V), is at the basic design stage, and is of interest as it represents an alternative solution to other pressurized water SMRs, the solution based on the primary pressure boundary being enveloped by a protective shell with slowly moving low enthalpy water.

Advanced pressurized light water cooled heavy water moderated reactors are represented by one design — the AHWR, with 300 MW(e) (Annex VI). The AHWR (India) is at the detailed design stage with the start-up of construction related actions expected before 2010.

The GT-MHR, with 287.5 MW(e), a collaborative US-Russian concept of an HTGR with pin-in-block type fuel, is at the basic design stage (Annex VII). Its progress toward deployment may be not so advanced as that of some other HTGRs (e. g., the PBMR of South Africa or the HTR-PM of China [2]), however, as passive safety design features of all HTGRs have much in common, the GT-MHR is quite representative of the passive safety design options implemented in other HTGRs.

Sodium and lead cooled fast SMRs are represented by the 4S-LMR concept of a sodium cooled small reactor without on-site refuelling developed by the Central Research Institute of Electric Power Industry (CRIEPI) and Toshiba in Japan (Annex VIII) and by the SSTAR and STAR-LM concepts of small lead cooled reactors without on-site refuelling developed by the Argonne National Laboratory in the USA (both described in Annex IX). Of the two designs, the 4S-LMR with 50 MW(e) and a 10-year core lifetime is at a more advanced stage because the conceptual design and major parts of the system design have already been completed for a similar design differing essentially in the type of fuel and named the 4S. A pre-application review by the US NRC started in the fall of 2007. Construction of a demonstration reactor and safety tests are planned for early 2010 [3]. Different from this reactor type, both the SSTAR with 19.7 MW(e) and a 30-year core lifetime and the STAR-LM with 181 MW(e) and a 15-year core lifetime are at the pre-conceptual stage [3]. In 2008, due to

FIG. 2. Deployment potential map of innovative SMRs [2,3].

reduced funding, activities in the USA refocused on a lead cooled fast reactor (LFR) Technology Pilot Plant (a demonstration plant) under a GNEP programme.

Finally, non-conventional designs are represented by the CHTR with 100 kW(th) and a 15-year core lifetime (Annex X). The CHTR (India) is a small reactor without on-site refuelling designed to be a semi­autonomous ‘power pack’ for operation in remote areas and, specifically, for advanced non-electrical applications, such as hydrogen production. The CHTR is a non-conventional reactor merging the technologies of high temperature gas cooled reactors and lead-bismuth cooled reactors. The core uses 233U-Th based pin-in­block fuel of the HTGR type with BeO moderator blocks, while the coolant is lead-bismuth. When this report was prepared, an extensive research and development programme including both analytical studies and testing was in progress for the CHTR at the Bhabha Atomic Research Centre (BARC) in India [3].

Detailed design descriptions of the abovementioned and other SMRs, as well as some results of safety analyses performed for these reactors are provided in Refs [2, 3]. Figure 2 illustrates deployment potential of innovative SMRs. Brown indicates concepts with noticeable progress towards advanced design stages and deployment.

Structures, systems and components of a floating NPP with KLT-40S nuclear installations are developed taking into account possible impacts of natural and human induced external events, typical of a floating NPP location site and transportation routes, and meet the currently adopted regulatory requirements. NPP safety is ensured at the specific values of the parameters of natural impacts on the NPP and reactor unit, determined in the design, that have a frequency of 10-2 year-1; including the impacts of design (10-2 year-1 frequency) and maximum design (10-4 year-1 frequency) earthquakes.

For the FPU location in Severodvinsk (the Russian Federation), design earthquake magnitude is taken to mean equal to 7, and maximum design earthquake magnitude is equal to 8 on the MSK scale.

Equipment, machinery, and systems important for safety, and their mounting, are designed to withstand shock loads corresponding to a peak ground acceleration (PGA) of 3g in all directions. Also, they remain operable under inclination and heaving, typical of FPU operating conditions.

TABLE I-4. SAFETY ASSESSMENT CRITERIA FOR DESIGN BASIS ACCIDENTS

Criterion formulation

1. Maximum fuel temperature shall be below melting point

2. Specific threshold enthalpy of fuel rod destruction shall not be exceeded

3. Minimum value of the departure from nucleate boiling (DNBR) in the core shall be >1.0, taking into account the most unfavourable deviation of parameters, the maximum non-uniformity of power distribution, and the uncertainties of local power and critical heat flux calculations

4. The core shall be covered by the coolant

5. Maximum temperature of the fuel element claddings shall not exceed 500°C

6. Primary circuit pressure shall not exceed 1.15 of the design pressure value

7. Containment pressure shall not exceed 1.1 of the design pressure value

8. Radiation doses for the population (critical group) at the control area[29] boundary and beyond this area shall not exceed the values requiring a decision on measures for population protection in the case of a radiation accident (the values that shall not be exceeded are specified in Tables 6.3 and 6.4 of the NRB-99 [I-4])

9. Radiation dose to personnel shall not exceed the dose value planned for liquidation of accident consequences; 100mSv, as established by the NRB-99 [I-4]

10. Effective neutron multiplication factor (Keff) of fresh or spent fuel storage shall not exceed 0.95 in normal operation and in design basis accidents

11. Maximum temperature of the fuel element claddings in spent fuel assemblies during a refuelling process or in storage shall not exceed 650°C

12. Pressure in the fuel storage tanks shall not exceed the limiting value of 1.4 MPa

Criterion formulation

1. Radiation doses for the critical population group at the boundary of the area of emergency action planning and beyond this area shall not exceed values requiring a decision on measures for population protection in the case of a radiation accident (the values that shall not be exceeded are specified in Tables 6.3 and 6.4 of the NRB-99 [I-4]; beyond area of emergency planning, temporary restrictions may be established on consumption of local agricultural products)

2. Radiation dose to personnel shall not exceed the dose value planned for liquidation of accident consequences; 100mSv, as established by the NRB-99 [I-4]

3. * Pressure in the primary circuit shall not exceed the value that ensures the elastic deformation of the primary

system components is preserved

4. * Containment pressure shall not exceed the value that ensures the elastic deformation of the containment

system components is preserved

5. * Time margin to core uncovery shall be sufficient for personnel to take accident management actions (not less

than 1 hour)

6. * Maximum temperature of fuel element claddings shall not exceed the value corresponding to cladding

rupture (taking into account fuel burnup) [30] [31]

Design basis accident number according to table I-2

Criterion number according to table I-4

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

1.1.1.

+

+

+

+

+

1.1.2.

+

+

+

1.1.3.

+

1.1.4.

+

1.1.5.

+

+

1.1.6.

+

1.1.7.

+

+

+

1.2.1.-1.2.4.

+

+

+

1.2.5.

+

1.2.6.

+

1.3.1.-1.3.12.

+

+

1.4.1.-1.4.2.

+

+

1.5.1.-1.5.6.

+

1.6.1.

+

1.7.1.-1.7.11.

+

+

+

+

+

+

2.1.1.

+

+

+

+

+

2.2.

+

+

+

+

+

2.3.

+

+

3.1.1.

+

3.2.1.

+

+

3.2.2.-3.3.2.

+

+

+

+

3.4.

+

+

3.5.

+

+

+

+

4.1.1.-4.1.5.

+

+

+

4.2.1.

+

+

+

4.2.2.

+

+

4.2.3.

+

4.2.4.

+

4.2.5.

+

4.2.6.

+

4.3.1., 4.3.2.

+

+

5.1.1.-5.3.2

+

+

Beyond design basis accident number according to table I-3	Criterion number according to table I-5
1.	2.	3.	4.	5.	6.
1.1.1.			+			+
1.1.2.			+			+
1.1.3.						+
1.1.4.	+	+				+
1.1.5.						+
1.2.1. 1)-6)			+			+
1.3.1.-1.3.6.			+			+
2.1.1.-2.1.9.	+	+		+	+	+
2.2.1.-2.2.8.	+	+			+	+
2.3.	+	+		+
3.1.1.	+	+				+
3.2.1.	+	+			+	+
3.2.2.	+	+			+	+
3.3.1.	+	+			+	+
3.4.1.	+	+				+
3.4.2.	+	+				+
3.4.3.	+	+				+
3.4.4.	+	+				+
3.5.1.	+	+			+	+
3.6.	+	+
4.1.-4.4.	+	+

Pressurized water small and medium sized reactors are represented by three concepts using integral layout of the primary circuit with in-vessel location of steam generators and control rod drives; one compact modular loop-type design features reduced length piping, an integral reactor cooling system accommodating all main and auxiliary systems within a leaktight pressure boundary, and leak restriction devices, and one design, originating from the mid 1980s, has the primary pressure boundary enclosed in an enveloping shell with low enthalpy, slow moving water.

The concepts with integral primary circuit layout include the CAREM-25 with 27 MW(e), a prototype for a series of larger capacity SMRs being developed by the CNEA (Argentina), the IRIS with 335 MW(e), being developed by the international consortium led by Westinghouse (USA), and the SCOR concept with 630MW(e), being developed by CEA (France). The CAREM-25 and the IRIS have reached detailed design stages with deployments targeted for 2011 and 2015 respectively, while the SCOR is just a conceptual design. Detailed design descriptions of the CAREM-25, IRIS, and SCOR are presented in [2], and corresponding structured descriptions of their passive safety design features are given in Annexes II, III, and IV. Figure 3 provides an illustration of the primary coolant system layout for the indicated designs.

Compact modular loop-type concepts are represented by the KLT-40S, a 35 MW(e)/150 MW(th) reactor for a twin-unit floating heat and power plant, the construction of which started in the Russian Federation in April 2007. The power circuits of the two units are separate, with each producing more heat power than required to generate the rated electrical output; the remaining heat power is to be used for district heating (as provided for in ‘Lomonosov’, a first of a kind floating nuclear power plant under construction in Russia) or for seawater desalination (it is foreseen future units will be deployed outside of the Russian Federation). A detailed description of the KLT-40S design, developed by OKBM and several other Russian organizations, is provided in [4]; a structured design description of passive safety design features is given in Annex I. IAEA publications [2, 3] provide descriptions of several other floating reactors as well as land-based NPPs, employing a design concept similar to that of the KLT-40S. Layout of the KLT-40S reactor is shown in Fig. 4.

The MARS reactor with 150 MW(e) per module, in which the primary pressure boundary is enclosed in a pressurized low enthalpy containment, was developed by a consortia of academic, research and industrial organizations in Italy. The detailed design stage was reached, and several testing programmes were completed. A design description of the MARS is presented in [2]; passive safety design features of the MARS are described in Annex V. Layout of the MARS primary coolant system is shown in Fig. 5.

Design features of pressurized water SMRs contributing to enhancement of Level 1 of defence in depth are summarized in Table 1; subsequent levels are summarized in Tables 2, 3, 4 and 5, respectively.

At Level 1 of defence in depth, “Prevention of abnormal operation and failure”, the dominant tendency is to exclude loss of coolant accidents (LOCA) or limit their scope and hazard by applying certain features in reactor design, such as:

— In-vessel location of steam generators in PWRs with integral design of the primary circuit (CAREM-25, IRIS, SCOR), eliminating large diameter piping and, hence, large-break LOCA;

— In-vessel location of the control rod drive mechanism (CAREM-25, IRIS, SCOR), which reduces the number and diameter of necessary in-vessel penetrations;

— Compact modular design of the reactor unit, eliminating long pipelines in the reactor coolant system, leak restriction devices in the primary pipelines, and a so-called ‘leaktight’ reactor coolant system with packless canned pumps, welded joints, and leaktight bellows sealed valves (KLT-40S, based on submarine and icebreaker reactor experiences); internal, fully immersed pumps are also applied in the IRIS and the SCOR reactors with integral design of the primary circuit;

— Primary pressure boundary enclosed in a pressurized, low enthalpy containment (a shell) with only a single, small diameter pipeline between the primary coolant pressure boundary and the auxiliary systems (MARS).

UPPER HEAD
REACTOR COOLANT PUMP (1 OF 8)
Control rod drive
SG STEAM OUT
CONTROL RODS DRIVE MECHANISMS
RPV
Barrel ■+-
STEAM GENERATOR ——— (1 OF 8)
Steam generator
SG FEED­WATER IN
DOWNCOMER
Core
(a)	(b)
FIG. 3. Schematics of the primary coolant system for (a) IRIS; (b) CAREM-25; and (c) SCOR.

1- REACTOR

2- STEAM GENERATOR

3- MAIN CIRCULATION PUMP

4- CPS DRIVES

5- ECCS ACCUMULATOR

6- PRESSURIZER (1st vessel)

7- PRESSURIZER (2nd vessel)

8- STEAM LINES

9- LOCALIZING VALVES

10- HX Of PURIFICATION AND

COOLDOWN SYSTEM

# Design features	What is targeted	SMR designs

1 Elimination of liquid boron reactivity control system

2 Relatively low core power density

3 Integral design of primary circuit with in-vessel location of steam generators and (hydraulic) control rod drive mechanisms

4 Compact modular design of the reactor unit, eliminating long pipelines in the reactor coolant system

5 Primary pressure boundary enclosed in a pressurized, low enthalpy containment

6 Leaktight reactor coolant system (welded joints, packless canned pumps, and leaktight bellows, sealed valves, etc.)

7 Internal, fully immersed pumps

8 Leak restriction devices in the primary pipelines

9 A single, small diameter double connecting line between the primary coolant pressure boundary and auxiliary systems

10 Natural circulation based heat removal from the core in normal operation, eliminating main circulation pumps

11 Steam generator with lower pressure inside the tubes in normal operation mode

12 Steam generator designed for a full primary system pressure

Exclusion of inadvertent reactivity insertion as a result of boron dilution

Larger thermal-hydraulic margins

Exclusion of large-break loss of coolant accidents (LOCA), exclusion of inadvertent control rod ejection, larger coolant inventory and thermal inertia

Decreased probability of LOCA

Elimination of LOCA resulting from failure of the primary coolant pressure boundary, elimination of control rod ejection accidents

Decreased probability of LOCA

Elimination of pump seizure, rotor lock, and seal LOCA

Limitation of the break flow in case of a pipeline guillotine rupture

Prevention of LOCA caused by rupture of the connecting line

Elimination of loss of flow accidents (LOFA)

Reduced probability of a steam tube rupture; prevention or downgrading of a steam line break or a feed line break

Prevention or downgrading of a steam line break or a feed line break

As already mentioned, all PWRs with integral design of the primary circuit incorporate in-vessel control rod drives, which is not only a design feature intended to minimize reactor vessel penetration but which is meant primarily to exclude reactivity initiated accidents with inadvertent control rod excursion (otherwise potentially facilitated by high primary pressure). Integral design of the primary circuit with in-vessel steam generators and control rod drives[3] apparently necessitates using a relatively low core power density, which in turn contributes to providing larger thermal-hydraulic margins.

Elimination of liquid boron reactivity control, which facilitates prevention of inadvertent reactivity excursion as the result of boron dilution, can not be attributed to a certain class of reactor concepts; it is applied in the KLT-40S and the CAREM-25 but not in other concepts considered.

Finally, the use of natural convection for heat removal in normal operation, which eliminates loss of flow accidents owing to pump failure, is not a preferable feature of PWR type small and medium sized reactors; it is applied only in the small-powered CAREM-25 design (with 27 MW(e)).

Four of the considered reactors have applied design features to prevent steam generator tube rupture, see Table 1. The KLT-40S, the MARS and the IRIS use steam generators with lower pressure inside the tubes in normal operation mode. Also in the IRIS and the MARS, steam generators are designed for full primary system pressure.

All in all, PWRs with integral design of the primary circuit have a tangible and transparent approach to the elimination of several accident initiators caused by design. The question of whether this can only be applied to reactors within the small to medium power range is, however, open. For example, the French SCOR has up to 630 MW(e), credited to a steam generator of original design borrowing from the experience of marine propulsion reactors [2]. A recent paper on SCOR [16] points to the option to develop a PWR of integral design with as much as 1000 MW(e). In the latter case, however, the reactor vessel height would exceed 30 m (actually, two vertically adjusted half-vessels are used in SCOR). It should also be noted that the SCOR is at a conceptual design stage, while the IRIS and CAREM-25 have reached detailed design stages.

At Level 2 of defence in depth, “Control of abnormal operation and detection of failure”, active systems of instrumentation and control and negative reactivity coefficients over the whole burnup cycle are common to all designs. These are features typical of all state of the art reactor designs, independent of their unit power range.

A relatively large coolant inventory in the primary circuit and high heat capacity of the nuclear installation as a whole, resulting from integral (IRIS, CAREM-25, SCOR) or compact modular (KLT-40S) design of the nuclear installation, are factors contributing to large thermal inertia and a slow pace of transients, altogether allowing more time for failure detection or corrective actions. Larger coolant inventory and higher heat capacity of the primary circuit are related to relatively large reactor vessels and internals or lower core power density as compared to a typical large PWR.

TABLE 2. DESIGN FEATURES OF PRESSURIZED WATER SMR CONCEPTS CONTRIBUTING TO LEVEL 2 OF DEFENCE IN DEPTH

Timely detection of abnormal operation All designs and failures

2 Negative reactivity coefficients over the whole cycle [4]

Prevention of transient over-criticality due to abnormal operation and failures

Slow progression of transients due to abnormal operation and failures

Slow progression of transients due to KLT-40S abnormal operation and failures

5 Favourable conditions for Facilitate implementation of leak before KLT-40S

implementation of the leak before break break concept

concept, through design of the primary circuit

6 Little coolant flow in the low Facilitate implementation of leak before MARS

temperature pressurized water break concept

containment enclosing the primary pressure boundary

7 Redundant and diverse passive or active Reactor shutdown shutdown systems

#	Design feature	What is targeted	SMR designs
1	Negative reactivity coefficients over the whole cycle	Prevention of transient over-criticality and bringing the reactor to a sub­critical state in design basis accidents	All designs
2	Relatively low core power density	Larger thermal-hydraulic margins	MARS, IRIS, CAREM-25, SCOR
3	Relatively low primary coolant temperature	Larger thermal-hydraulic margins	MARS
4	A relatively large coolant inventory in the primary circuit (or primary circuit and the pressurized low enthalpy containment, enclosing the primary pressure boundary; or primary circuit and the reactor building), resulting in large thermal inertia	Slow progression of transients in design basis accidents	CAREM-25, SCOR, IRIS, MARS
5	High heat capacity of nuclear installation as a whole	Limitation of temperature increase in design basis accidents	KLT-40S
6	Restriction devices in pipelines of the primary circuit, with primary pipelines being connected to the hot part of the reactor	Limitation of scope and slower progression of LOCA	KLT-40S
7	Use of once-through steam generators	Limitation of heat rate removal in a steam line break accident	KLT-40S
8	Steam generator designed for full primary pressure	Limitation of the scope of a steam generator tube rupture accident	IRIS, MARS
9	A dedicated steam dump pool located in the containment building	Prevention of steam release to the atmosphere in case of a steam generator tube rupture	SCOR
10	Enclosure of the relief tank of a steam generator safety valve in a low temperature pressurized water containment enclosing the primary pressure boundary	Prevention of steam release to the atmosphere in the case of a steam generator tube rupture	MARS
11	‘Soft’ pressurizer system3	Damping pressure perturbations in design basis accidents	KLT-40S
12	Self-pressurization, large pressurizer volume, elimination of sprinklers, etc.	Damping pressure perturbations in design basis accidents	CAREM-25, IRIS, SCOR
13	Limitation of inadvertent control rod movement by an overrunning clutch and by the limiters	Limitation of the scope of reactivity insertion in an accident with control rod drive bar break	KLT-40S
14	Redundant and diverse reactor shutdown and heat removal systems	Increased reliability in carrying out safety functions	All designs
15	Insertion of control rods to the core, driven by gravity	Reactor shutdown	KLT-40S, CAREM-25
16	Insertion of control rods to the core, driven by force of springs	Reactor shutdown	KLT-40S
17	Non-safety-grade control rod system with internal control rod drives	Reactor shutdown	IRIS
18	One shutdown system based on gravity driven insertion of control rods to the core	Reactor shutdown	SCOR

#	Design feature	What is targeted	SMR designs
Safety-grade active mechanical control rod Reactor shutdown scram system Additional (optional) passive scram system Reactor shutdown actuated by a bimetallic core temperature sensor and operated by gravity Gravity driven high pressure borated water Reactor shutdown injection device (as a second shutdown system) Injection of borated water from the Reactor shutdown emergency boron tank at high pressure (as an auxiliary shutdown measure)
19 20	MARS MARS CAREM-25 IRIS SCOR
21
22
23 24 25 26
Active safety injection system based on Reactor shutdown devices with a small flow rate
27
28
29
30
31
32
33
A small automatic depressurization system Depressurization of the reactor vessel IRIS from the pressurizer steam space when in-vessel coolant inventory drops below a specified level Safety (relief) valves Protection of reactor vessel from IRIS, CAREM-25 overpressurization
34

#	Design feature	What is targeted	SMR designs
35	Long term gravity make-up system	Assures that the core remains covered indefinitely following a LOCA	IRIS
36	Emergency injection system (with borated water), actuated by rupture disks	Prevention of core uncovery in LOCA	CAREM-25

a A ‘soft’ pressurizer system is characterized by small changes in primary pressure under a primary coolant temperature increase. This quality, due to a large volume of gas in the pressurizing system, results in a period of pressure increase up to the limit value under the total loss of heat removal from the primary circuit.

Compact modular design of a reactor unit, eliminating long pipelines in the reactor coolant system, with leak restriction devices in the primary pipelines and a so-called ‘leaktight’ reactor coolant system with packless canned pumps, welded joints, and leaktight bellows sealed valves, implemented in the KLT-40S, are mentioned as factors contributing to effective realization of the leak before break concept. In the MARS design, implementation of leak before break is facilitated by maintaining a small coolant flow in the low temperature pressurized water shell (containment) enclosing the primary pressure boundary.

Finally, redundant and diverse passive or active shutdown systems are provided in all designs in case abnormal operation runs out of control or the source of failure is not detected in a timely and adequate fashion.

As discussed above, certain design features provided at Level 1 of defence in depth in PWR type SMRs contribute to prevention or de-rating of certain design basis accidents, such as large break or medium break LOCA, core uncovery in LOCA, steam generator tube rupture, reactivity accidents with inadvertent ejection of a control rod or loss of flow, thus narrowing the scope of events to be dealt with at Level 3 of defence in depth, “Control of accidents within design basis”. For the remaining events, a variety of design features are specified at Level 3. Altogether, these features fit into the following main groups: [5]

#	Design feature	What is targeted	SMR designs
1	Relatively low core power density	Limitation or postponement of core melting	IRIS, CAREM-25, SCOR, MARS
2	Relatively low temperature of reactor coolant	Limitation or postponement of core melting	MARS
3	Low heat-up rate of fuel elements predicted in a hypothetical event of core uncovery, owing to design features	Prevention of core melting due to core uncovery	CAREM-25
4	Low enthalpy pressurized water containment embedding the primary pressure boundary	Additional barrier to possible radioactivity release into the environment	MARS
5	Passive emergency core cooling, often with increased redundancy and grace period (up to infinite in time)	Provision of sufficient time for accident management, e. g., in the case of failure of active emergency core cooling systems	KLT-40S, IRIS, CAREM-25 SCOR, MARS
6	Passive system of reactor vessel bottom cooling	In-vessel retention of core melt	KLT-40S
7	Natural convection of water in flooded reactor cavity	In-vessel retention of core melt	SCOR
8	Passive flooding of the reactor cavity following a small LOCA	Prevention of core melting due to core uncovery; in-vessel retention	IRIS
9	Flooding of the reactor cavity, dedicated pool for steam condensation under a steam generator tube rupture	Reduction of radioactivity release to the environment due to increased retention of fission products	SCOR
10	Containment and protective enclosure (shell) or double containment	Prevention of radioactive release in severe accidents; protection against external event impacts (aircraft crash, missiles)	KLT-40S, IRIS, CAREM-25 MARS
11	Containment building	Prevention of radioactive release in severe accidents; protection against external event impacts (aircraft crash, missiles)	All designs
12	Very low leakage containment; elimination or reduction of containment vessel penetrations	Prevention of radioactivity release to the environment	IRIS
13	Reasonably oversized reactor building, in addition to a primary coolant pressure boundary and additional water filled pressurized containment	Prevention of radioactivity release to the environment in unforeseen LOCA and severe accidents (LOCAs are prevented by design through the CPP	MARS
14	Indirect core cooling via containment cooling	Prevention of core melting; in-vessel retention	IRIS
15	Passive containment cooling system	Reduction of containment pressure and limitation of radioactivity release	KLT-40S
16	Relatively small, inert, pressure suppression containment	Prevention of hydrogen combustion	SCOR
17	Inert containment	Prevention of hydrogen combustion	IRIS
18	Reduction of hydrogen concentration in the containment by catalytic recombiners and selectively located igniters	Prevention of hydrogen combustion	CAREM-25
19	Sufficient floor space for cooling of molten debris; extra layers of concrete to avoid containment basement exposure directly to such debris	Prevention of radioactivity release to the environment	CAREM-25

The approaches for using safety grade or non-safety-grade systems vary between different SMR concepts. In the IRIS (Annex II), all passive safety systems are safety grade; all safety grade systems are passive. For example, the refuelling water storage tank is safety grade. All active systems are non-safety-grade.

In the CAREM-25 (Annex III), all safety systems are passive and safety grade; auxiliary active systems are safety grade also.

In the SCOR (Annex IV), redundant residual heat removal systems on the primary coolant system with pool as a heat sink (RRPp) are safety grade; similar designation systems with air as a heat sink (RRPa) are safety grade, except for the chilled water pool and pumps. The startup shutdown system is non-safety-grade. The safety injection system is the only active safety system that is safety grade. In the case of a steam generator line rupture, there is no need for a safety grade auxiliary feedwater system, because normal operation systems are used in this case.

In the MARS (Annex V), all nuclear components of the reactor core are safety grade. CPP — the enveloping primary circuit boundary — is non-safety-grade. The hydraulic connections to the primary coolant boundary are safety grade. The steam generator tubes are safety grade. The containment building is safety grade. SCCS — the passive core cooling system — is safety grade. The optional passive scram system is safety grade, as well as the active scram system.

No information on the grade of safety systems was provided for the KLT-40S.

The design features of PWR type SMRs contributing to Level 4 of defence in depth, “Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents”, could be categorized as follows:

(1) Inherent or passive safety features, provided by design, contributing to the limitation or postponing of core melting, or the prevention of core melting due to core uncovery, or providing additional barriers to possible radioactivity release to the environment. These are highlighted in numbers 1-4 of Table 4;

(2) Passive emergency core cooling systems, often redundant and offering an increased grace period up to infinite autonomy. These are intended to provide sufficient time for accident management. Passive emergency core cooling systems and passive decay heat removal systems are highlighted in more detail in Table 3;

(3) Passive systems of reactor vessel cooling based on natural convection of water in a flooded reactor cavity, intended to secure in-vessel retention of the corium; see numbers 6-9 of Table 4. It should be noted that features of smaller reactors such as reduced core power density or relatively larger or taller reactor vessels, discussed above in conjunction with Level 1 of defence in depth, facilitate effective in-vessel retention of corium and allow exclusion of core catchers from the reactor design;

(4) Containment buildings, in most cases a containment and a protective shell or a double containment, typical of all PWR type SMRs, are highlighted in numbers 10-13 of Table 4. Similar to reactors of other types and capacities, these are intended to prevent radioactivity release to the environment in severe accidents, and are also designed to provide protection against the impacts of external events (discussed later in this section). The containments for PWR type SMRs are more compact than for large PWRs, providing a smaller target for external aircraft missiles. However, they can be made reasonably oversized to confine hydrogen and other gaseous products in case of a severe accident;

(5) Design features to prevent hydrogen combustion of limited hydrogen concentration inside the containment; see numbers 16-18 of Table 4;

(6) In the CAREM-25, sufficient floor space for cooling of molten debris and extra layers of concrete to avoid containment basement exposure directly to such debris provides a kind of substitute to the core catcher.

For Level 5 of defence in depth, “Mitigation of radiological consequences of significant release of radioactive materials”, the designers of several PWR type SMRs considered in the present report mention smaller source terms, possibly resulting from relatively smaller fuel inventory, less non-nuclear energy stored in the reactor, and lower integral decay heat rates compared to a typical large PWR; see Table 5. The designers also suggest that design features for Levels 1-4 of defence in depth could be sufficient to achieve the goal of defence in depth Level 5. However, such a suggestion needs to be proven and accepted by regulators, which had not occurred at the time this report was prepared. Certain activities of PWR type SMR designers targeted at proving the option of a reduced emergency planning zone were, however, in progress. One such activity, generic for

#	Design feature	What is targeted	SMR designs

1 Mainly administrative measures Mitigation of radiological consequences KLT-40S

resulting in significant release of radioactive materials

2 Relatively small fuel inventory, less non — Smaller source term Several designs

nuclear energy stored in the reactor, and

lower integral decay heat rate

3 Design features of Levels 1-4 could be Exclusion of a significant release of KLT-40S, IRIS, CAREM,-25

sufficient to achieve defence in depth Level 5a radioactive materials beyond the plant MARS, SCOR

boundary or essential reduction of the zone of off-site emergency planning

a Some features mentioned by contributors to Annexes II, III, IV as contributing to defence in depth level 5 generically belong to the defence in depth level 4.

many innovative SMRs, is being carried out under the IAEA coordinated research project Small Reactors without On-site Refuelling, using the IRIS reactor as an example.

Table 6 summarizes information on design basis and beyond design basis events provided by the designers of PWR type SMRs in Annexes I-V, and highlights events specific to a given SMR but not for generic PWR reactor lines. De facto, such events are mentioned only for the KLT-40S, for which two groups of specific events are specified, the first group of two related to the ‘soft’ pressurizer system operated by gas from a gas balloon, and the latter group of five specific to a floating (barge-mounted) NPP For an IRIS design version under consideration for future licensing without off-site emergency planning, consideration of such rare hypothetical events as rupture of the reactor vessel and failure of all safety systems is made. It should be noted that this will not be the case for first of a kind plant licensing. In several cases, a qualitative comparison of the progression of transients in a given SMR and in a typical PWR is provided; see Annexes I-V for details.

Table 7 summarizes the information on acceptance criteria for design basis and beyond design basis events, provided by the designers of PWR type SMRs in Annexes I-V. Deterministic acceptance criteria for design basis accidents (DBA) are in most cases similar to those used for typical PWRs. Probabilistic acceptance criteria for beyond design basis accidents (BDBA) are specified as numbers for core damage frequency and large (early) release frequency in all cases except for the CAREM-25, where the requirement is to meet nationally established risk informed criteria set by the annual probability-effective dose curve shown in Fig. 6. For one design, the MARS of Italy, notwithstanding the fact that the probabilistic safety assessment granted a much lower value, core damage frequency is still accepted at 10-7 1/year level, in view of a possible common cause failure resulting from ultra-catastrophic, natural events (meteorite impact).

Table 8 summarizes the information on design features for protection against external event impacts provided by the designers of PWR type SMRs in Annexes I-V, with a focus on protection against aircraft crash and seismic events. Regarding other natural and human induced external events, more detailed information on the IRIS and the CAREM-25 designs is provided in a dedicated IAEA report Advanced Nuclear Plant Design Options to Cope with External Events, IAEA-TECDOC-1487 [6]. The requirements for plant protection against external hazards, excluding seismic hazard, are in the IAEA safety standard [9].

Protection against aircraft crash is generally provided by the containment or a double containment (or the containment and a protective shell), with relatively small containment size rated as a factor that reduces the probability of an external missile impact on the plant. In the case of the IRIS, the reactor building is half­embedded underground; thus, the reactor additionally appears to be a low profile, minimum sized target from an aircraft.

Structures, systems, and components of the KLT-40S are designed taking into account possible impacts of natural and human induced external events typical of floating NPP installation sites and transportation routes; see details in Table 6. Crash landing of a helicopter is mentioned as an event considered in the design. For the

TABLE 6. SUMMARY OF DESIGN BASIS AND BEYOND DESIGN BASIS EVENTS, INCLUDING THOSE SPECIFIC FOR A PARTICULAR SMR

# SMR design Lists of initiating events

CAREM-25, protection against aircraft crash is assumed to be provided by appropriate site selection, while the MARS containment is designed to withstand the worst aircraft impact.

Seismic design corresponds to 0.4-0.5 g peak ground acceleration (PGA); for the KLT-40S, the equipment, machinery, and systems important to safety, and their mounting, are designed to withstand 3 g PGA. Where indicated, the approach to seismic design is in line with IAEA safety standards [8].

The designers of all SMR type PWRs foresee that, eventually, their designs could be licensed with reduced or even eliminated off-site emergency planning measures, or at least without evacuation measures beyond the plant boundary; see Table 9.

As a desired or possible feature, reduced off-site emergency planning is mentioned in the Technology Goals of the Generation IV International Forum [15] in the User Requirements of the IAEA’s International Project on Innovative Reactors and Nuclear Fuel Cycles (INPRO) [14], and in the recommendations of the International Nuclear Safety Advisory Group (INSAG-12) [11], with a caution that full elimination of off-site emergency planning may be difficult to achieve or with a recommendation that Level 5 of defence in depth still needs to be kept, notwithstanding its possibly decreased role [11].

Achieving the goal of reduced off-site emergency planning would require both development of a methodology to prove that such reduction is possible in the specific case of a plant design and siting, and adjustment of existing regulations. A risk-informed approach to reactor qualification and licensing could be of value here, once it gets established. Within the deterministic safety approach it might be very difficult to justify reduced emergency planning in view of a prescribed consideration of a postulated severe accident with

TABLE 7. SUMMARY OF ACCEPTANCE CRITERIA

# SMR design Deterministic acceptance criteria Probabilistic acceptance criteria (or targets)

Probabilistic acceptance criteria defined in compliance with Russian regulatory document OPB-87/97 (see Annex I):

Core damage frequency (CDF) 10-5 1/year; Probability of large radioactivity release 10-61/year The probabilistic risk assessment (PRA) has demonstrated CDF to be one order of magnitude less than the prescribed limit, taking into account uncertainties

3 CAREM-25 Deterministic acceptance criteria for DBA are Risk-informed criteria set by the annual probability — assumed to be the same as for conventional effective dose curve are applied to BDBA (Annex III) PWRs

The qualitative and quantitative objectives of No details have been provided radiological protection of the population and the environment developed for Generation III reactors, e. g., the EPR, are applied

radioactivity release to the environment, e. g., owing to a common cause failure, such a catastrophic natural disaster. Probabilistic safety assessment (PSA), as a supplement to the deterministic approach, might help justify very low core damage frequency (CDF) or large early release frequency (LERF), but it does not address the consequences and, therefore, does not provide for assessment of the source terms. Risk informed approach that introduces quantitative safety goals based on the probability-consequences curve, could help solve the dilemma by providing for a quantitative measure for the consequences of severe accidents and by applying a rational technical and non-prescriptive basis to define a severe accident.

It is worth mentioning that nuclear regulations in some countries, e. g., Argentina, already incorporate provisions for applying a risk-informed approach in the analysis of severe accidents, see Fig. 6 and Annex III.

The IAEA has recently published a report entitled Proposal for a Technology-Neutral Safety Approach for New Reactor Designs, IAEA-TECDOC-1570 [13]. Based on a critical review of the IAEA safety standard NS-R-1 Safety of the Nuclear Power Plants: Design Requirements [7], IAEA-TECDOC-1570 outlines a methodology/process to design a new framework for development of the safety approach based on quantitative safety goals (a probability-consequences curve correlating to each level of defence in depth), fundamental safety functions, and generalized defence in depth, which includes probabilistic considerations. Different from this, the current safety approach [7] is based on qualitative safety goals, fundamental safety functions, application of defence in depth, and application of probabilistic safety assessments complementing deterministic methods.

Future IAEA publications and, specifically, a report of the above mentioned coordinated research project, will provide more details on the progress of justification for limiting measures of Level 5 of defence in depth to plant sites.

In the meantime, the designers of PWR type SMRs accept that licensing of their plants in the near term could be accomplished in line with existing regulations prescribing standard measures for the mitigation of

TABLE 8. SUMMARY OF DESIGN FEATURES FOR PROTECTION AGAINST EXTERNAL EVENT IMPACTS

# SMR design Aircraft crash / Earthquakes

1 KLT-40S No details provided regarding aircraft crash; crash-landing

of a helicopter is considered in the design. The equipment, machinery, and systems important to safety and their mounting are designed to withstand 3 g peak ground acceleration (PGA). Seismic design: 7 on the MSK scale at 10-2 1/year frequency for design earthquakes; 8 on the MSK scale at 10-4 1/year frequency for maximum design earthquakes

2 IRIS The reactor, the containment, the passive safety systems,

the fuel storage, the control room, and the back-up control room located in the reinforced concrete auxiliary building are half-embedded underground. The reactor appears as a low-profile, minimum sized target from an aircraft; 0.5g PGA

3 CAREM-25 Aircraft crash is not considered in the CAREM-25 design —

protection is assumed to be provided by site selection and administrative measures; there are two shells (containment, confinement), and the nuclear module is compact and small, which reduces the probability of an external missile impact on the containment; 0.4 g PGA; ‘probable earthquake’ is similar to operating basis earthquake (US NRC) or L-S1 (IAEA classification); ‘severe earthquake’ is similar to safe shutdown earthquake (US NRC) or L-S2 (IAEA classification)

4 SCOR No information was provided

5 MARS Designed against aircraft crash/seismic loads under

reference site conditions

TABLE 9. SUMMARY OF MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

# SMR design Measures [6]

Effective Dose (Sv)

FIG. 6. Acceptance criteria for beyond design basis accidents as provided for by regulations in Argentina (see Annex III).

radiological consequences of significant release of radioactive materials. These measures are mostly of an administrative character. In particular, the KLT-40S designers mention that administrative measures are foreseen for plant personnel and the population within a 1 km radius of the plant, but indicate that evacuation is not required at any distance from the floating NPP; for more details see Annex I.

Design approaches used to achieve defence in depth in pressurized water SMRs considered in this report are generally in line with recommendations of the IAEA Safety Standards Series No. NS-R-1, Safety of the Nuclear Power Plants: Design Requirements [7]. Specifically, designers often refer to [7] when discussing safety objectives, safety functions, defence in depth concepts, accident prevention, radiation protection and acceptance criteria, safety classifications, safety assessment and single failure criterion, common cause failure and redundancy, diversity and independence, conservatism in design, and human factors. It should be noted that, because of limited information obtained from Member States, this report is not intended to provide a review of safety design approaches applied by SMR designers against IAEA safety standards.

Designers anticipate that future revisions of safety standards with more focus on a risk informed approach to design qualification, such as suggested in IAEA-TECDOC-1570 [13], could facilitate the goal of achieving plant qualification and licensing with reduced off-site emergency planning requirements.

See Table II-3.

II-7. MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

The passive safety design features of the IRIS aimed at prevention of core damage (decrease of core damage probability) are described in section II-2; those aimed at mitigation of severe accident consequences are listed in section II-3 (DID Level 5).

Regarding measures for population evacuation/relocation in the vicinity of a plant, the designers are considering an option to license IRIS with the off-site emergency planning zone being drastically reduced in area or even essentially eliminated by reducing it to the site boundary.

II-8. SUMMARY OF PASSIVE SAFETY DESIGN FEATURES FOR IRIS

Tables II-4 to II-8 below provide the designer’s response to questionnaires developed at an IAEA technical meeting, “Review of passive safety design options for SMRs”, held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on provisions of IAEA Safety Standards [II-6] and other IAEA publications [II-7, II-9]. The information presented in Tables II-4 to II-8 provided a basis for the conclusions and recommendations of the main part of this report.

TABLE II-4. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE IRIS DESIGN

#	Safety design features	What is targeted?
1	Integral primary circuit	Elimination of large break LOCA
2	Integral primary circuit	Increased coolant inventory/thermal inertia
3	Internal CRDMs	Elimination of rod ejection
4	Internal CRDMs	Elimination of vessel head penetrations
5	Increased natural circulation	Downgraded LOFA
6	Reduced size, high design pressure containment	Small break LOCA mitigation
7	Pressure suppression containment	Fission product retention improvement
8	Inerted containment	Prevention of hydrogen explosion
9	Reduced core power density	Slower progression of accidents
10	Integral steam generators, designed for full system pressure and with tubes in compression	Prevention or downgrading of: — SG tube rupture — Steam line break — Feed line break Elimination of tensile stress induced cracking
11	Internal (fully immersed) axial design pumps	Elimination of: — Shaft seizure — Locked rotor
12	Thick downcomer acting as internal neutron shield	No vessel embrittlement, and no need for surveillance resulting from a reduction of fast neutron fluence on the reactor vessel
13	Large volume integral pressurizer	Prevention of overheating events, elimination of sprays

TABLE II-5. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

j. Specific hazards that are of concern

# Explanation of how these hazards are addressed in an SMR

for a reactor line [41]

TABLE II-6. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA)

List of initiating events for AOO/ DBA/BDBA typical for a reactor line (PWRs)	Design features of IRIS used to prevent progression of initiating events to AOO/DBA/BDBA, to control DBA, to mitigate BDBA consequences, etc.	Initiating events specific to this particular SMR
Large break LOCA	-Integral primary circuit eliminates large break LOCA
Small break LOCA	Coupled response of reactor vessel and containment to small break LOCA limits loss of coolant and prevents
	core uncovery
LOCA Steam generator tube rupture	-Integral primary system — High design pressure containment — Increased coolant inventory extends grace period — Pressure suppression system -Because the primary coolant is on the shell side of the steam generators, the tubes are compressed and the possibility of a steam generator tube rupture (e. g., by stress corrosion cracking) is greatly reduced — SG designed for full primary system pressure, up to main isolation valves (MIV)	Nothing in particular specified here
Rod ejection	Internal CRDMs
LOFA	-Multiple (8) main circulating pumps (MCPs) — Increased natural circulation fraction because of a large, tall vessel

# 1 2

3

4

5 6

TABLE II-7. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENCE IN DEPTH LEVELS

TABLE II-8. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY.

Passive safety design features	Positive effects on economics, physical protection, etc.	Negative effects on economics, physical protection, etc.
Integral primary circuit with safety-by-design™	-Core damage frequency (CDF) and large early release frequency (LERF) are reduced, allowing for twin unit or multiunit power plants; potential economic benefits from reduced or eliminated emergency planning — Allows use of a compact steel containment, minimizing the siting area and improving protection from external events, such as aircraft crash — Safety-by-design™ results in a reduced complexity of the plant and its safety systems, contributing to reduced costs — Intrinsic security (‘security by design’) contributes to reduced costs	-Limits power of a single module (counteracted by modular construction of multiple units at site) — Increases reactor pressure vessel size (however, containment and overall footprint are decreased)
All safety grade systems are passive	-Results in reduced complexity and improved reliability of the plant, contributing to reduced capital and maintenance costs -Added resilience to sabotage and other malevolent acts	None identified

REFERENCES TO ANNEX II

[II-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Reactor Designs 2004, IAEA-TECDOC-1391, IAEA, Vienna (2004).

[II—2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor
Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[II-3] CARELLI, M. D., et al., The design and safety features of the IRIS reactor, Nucl. Eng. Des. 230 (2004) 151-167.

[II-4] FINNICUM, D., et al., “IRIS preliminary PRA analysis”, GLOBAL 2003, paper 2069 (Proc. Int. Mtg., New Orleans, LA, 2003), American Nuclear Society/European Nuclear Society (2003).

[II—5] MAIOLI, A., FINNICUM, D. J., KUMAGAI, Y., “IRIS simplified LERF model”, ANES 2004 (Proc. Int. Conf., Miami, FL, 2004).

[II-6] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA, Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[II—7] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[II—8] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

[II—9] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA- TECDOC-626, IAEA, Vienna (1991).

Annex III