At the moment, the IAEA safety standards do not provide a complete set of definitions necessary for the description of safety features of NPPs with innovative reactors. In view of this, some missing definitions related to passive safety features could be taken from IAEA-TECDOC-626 [3]:

Inherent safety characteristic: Safety achieved by elimination of a specified hazard by means of the choice of material and design concept.

Passive component: A component which does not need any external input to operate.

Passive system: Either a system which is composed entirely of passive components and structures or a system which uses active components in a very limited way to initiate subsequent passive operation.

Grace period: The grace period is the period of time during which a safety function is ensured without the necessity of personnel action in the event of an incident/accident.

Recommendations from the International Nuclear Safety Advisory Group (INSAG)

Although IAEA safety standard NS-R-1 [2] provides a consensus definition of defence in depth levels, the definitions suggested in INSAG-10 [4] may better suit for NPPs with innovative reactors. For future reactors, Ref. [3] envisages the following trends for different levels of defence in depth:

Level 1, for the prevention of abnormal operation and failures is to be extended by considering in the basic design a larger set of operating conditions based on general operating experience and the results of safety studies. The aims would be to reduce the expected frequencies of initiating failures and to deal with all operating conditions, including full power, low power and all relevant shutdown conditions.

— Level 2, for the control of abnormal operation and the detection of failures, is to be reinforced (for example by more systematic use of limitation systems, independent from control systems), with feedback of operating experience, an improved human-machine interface and extended diagnostic systems. This covers instrumentation and control capabilities over the necessary ranges and the use of digital technology of proven reliability.

— Level 3, for the control of accidents within the design basis, is to consider a larger set of incident and accident conditions including, as appropriate, some conditions initiated by multiple failures, for which best estimate assumptions and data are used. Probabilistic studies and other analytical means will contribute to the definition of the incidents and accidents to be dealt with; special care needs to be given to reducing the likelihood of containment bypass sequences.

— Level 4, for the prevention of accident progression, is to consider systematically the wide range of preventive strategies for accident management and to include means to control accidents resulting in severe core damage. This will include suitable devices to protect the containment function such as the capability of the containment building to withstand hydrogen deflagration, or improved protection of the basemat for the prevention of meltthrough.

— Level 5, for the mitigation of the radiological consequences of significant releases, could be reduced, owing to improvements at previous levels, and especially owing to reductions in source terms. Although less called upon, Level 5 is nonetheless to be maintained.”

As the reactor has only one steam generator, passive decay heat removal systems are diversified by being included in both the primary and the secondary circuit.

Secondary circuit

A decay heat removal system should not release steam to the atmosphere under a steam generator tube rupture (SGTR). In the case of an overpressure transient in SCOR, the released steam is condensed in a dedicated pool. The steam generator is not considered as a main system for decay heat removal. It acts as a thermal buffer until the safety systems on the primary side are fully operational.

Primary circuit

The primary coolant system is after cooled by means of heat exchangers located in the downcomer, see Fig. IV-6. Each heat exchanger has a dedicated heat sink. There are 16 independent loops used for this purpose, altogether forming the RRP system (an abbreviated ‘residual heat removal on primary circuit’). There are two types of heat sinks:

• Four RRP loops are cooled by heat exchangers immerged in a pool (RRPp);

• The other twelve RRP loops are cooled by heat exchangers located in an air cooling tower (RRPa).

All RRP loops are designed to operate on natural convection both in the loop and in the heat sink.

The RRP design is very simple. RRP loops are designed to resist the primary pressure. Isolating valves are placed in RRP circuits to minimize the risk of the primary water passing outside the containment in the event of a heat exchanger tube rupture. A surge tank compensating for water dilation from a cold shutdown to a full power operating state carries out pressure control of the RRP circuit.

The control valves are placed on the level of the heat sink: thermal valves or air leaves function so that the temperature of the RRP loop remains high when the reactor is in power [IV-1]. In the case of an accident, the RRPs operate passively by opening the air leaves in the RRP air coolers or by opening the thermal valves in the RRP pools. These valves are automatically opened on a SCRAM signal.

Forced convection is only required when the chilled water cooling is requested for core refuelling. The 12 RRPa are able to cool the primary system down to a cold shutdown state. They replace the normal heat removal system of the reactor.

The report includes an introduction, 6 Sections, 4 appendices and 10 annexes.

The introduction (Section 1) describes the background and identifies the objectives, the scope and the structure of this report, as well as the approach used in its preparation and the design status of the SMRs considered.

Section 2 provides an overview of the considerations for the incorporation of inherent and passive safety features into safety design concepts of SMRs. These considerations, presented in a generic way and for each reactor line separately, were elaborated at the IAEA technical meetings in June 2005 and in October 2006.

Section 3 presents the design approaches applied by the designers to achieve defence in depth in SMRs. Both passive and active safety design features and systems are included to highlight the role of inherent and passive features and show how they may affect the design/function of the active safety systems. This section is based on the information and data provided by the designers of SMRs in Member States and presented, in a
structured form, in Annexes I-X in this report. The common format used to describe passive and active safety design features of SMRs is given in Appendix IV.

Section 3 is structured as follows. First, a common general approach is described. Then a description is provided for each reactor line addressed in the present report, including pressurized water reactors, pressurized light water cooled heavy water moderated reactors, high temperature gas cooled reactors, liquid metal cooled fast reactors, and non-conventional designs. For each reactor line, a short summary of the design features of one or more of the corresponding SMRs presented in the annexes is included, followed by summary tables and discussions of the safety design features contributing to each level of defence in depth. In this, dedicated passive and active safety systems are discussed in more detail in conjunction with defence in depth level 3. After that, summary tables and discussions follow on design basis and beyond design basis events, on acceptance criteria, and on features for plant protection against external event impacts. Each section winds-up with a summary table and a discussion of the measures planned in response to severe accidents.

Section 4 provides a review of the benefits and negative impacts in areas other than safety that in view of the SMR designers arise from incorporation of the corresponding inherent and passive safety design features. The discussion is structured along the reviewed reactor lines, in the same way as in Section 3.

Section 5 summarizes the approaches and considerations applied in the selection of combinations of passive and active safety systems in the considered SMRs.

Section 7 is the conclusion. It is elaborated as an executive summary of the report.

Appendix 1 addresses the issue of performance assessment of passive safety systems by providing a summary of background and experience, a short description of the two methodologies for reliability assessment of passive safety systems, and a recommendation for further research and development based on the outputs of a dedicated IAEA technical meeting on June 2006. This appendix is referenced from Section 5.

Appendix 2 includes a paper on periodic confirmation of passive safety feature effectiveness, contributed by D. C. Wade of the Argonne National Laboratory (ANL), USA. This paper is referenced from Appendix 1.

Appendix 3 includes consensus and non-consensus definitions from the IAEA safety standards and other publications relevant to the subject of this report, and also highlights some non-conventional terms used by Member States.

Appendix 4 gives a common format for description of the design features of SMRs as used in Annexes I-X.

Annexes I-X provide descriptions of the design features of the considered SMRs used to achieve defence in depth. The descriptions were contributed by Member States and are done according to the common outline in Appendix 3. The order of the inputs corresponds to that used in Sections 3 and 4, with pressurized water SMRs going first (Annexes I-V), followed by a pressurized light water cooled heavy water moderated reactor (Annex VI), a high temperature gas cooled reactor (Annex VII), the liquid metal cooled fast-spectrum SMRs (Annexes VIII, IX), and the non-conventional design (Annex X).

Contributors to drafting and review of this report are listed on the last page.

The analyses of more probable scenarios of accidents with a loss of core cooling, potentially resulting in core damage, and PRA results show that the most critical LOCA scenario is that accompanied by a failure of ‘normal’ ECCS channels, caused by the failure of active elements (pumps or connecting valves of the same type).

To cope with such situation, the KLT-40S design provides for an option to supply water to the reactor via the pipelines of the purification system, using the turbine plant pumps.

Measures on accident mitigation include measures on limitation of the core damage fraction, measures on in-vessel retention of the corium, and measures on limitation of radiological consequences.

Measures on limitation of core damage fraction

Core damage process in the KLT-40S nuclear installation is relatively slow due to the injection of water from the hydro-accumulator that cools overheated and partially degraded core elements. Successful realization of the measures on water supply to the reactor at this stage of an accident will lead to the flooding and cooling of core materials, and would allow prevention of a molten pool formation on the reactor bottom head and exclude an impact of the corium on the reactor vessel.

Measures on in-vessel retention of corium

For retention of the molten core inside the reactor vessel, a special system is provided for in the reactor unit design that secures external cooling of the reactor vessel in accidents with core damage and core melt relocated to the reactor vessel bottom. In-vessel retention of the corium allows for exclusion of negative phenomena associated with corium release to the containment.

Measures on limitation of radiological consequences

To exclude irradiation of the personnel and population in case of a severe accident, the following protective measures need to be implemented:

(1) To ensure protection of the personnel, it is necessary to exclude staff presence in the compartments adjacent to the containment and in other compartments with high radiation levels;

(2) To limit radiation dose to the population living within a 1 km radius from the floating NPP, it may be required (depending on the actual radiation situation) that some protective measures, such as iodine prophylaxis or sheltering, are implemented. As a protective measure, a temporary limitation should be established on the consumption of separate agricultural products grown within a radius of up to 5 km from the floating NPP and contaminated by radioactive release.

Evacuation of the population is not required at any distance from the floating NPP.

All fast reactor designs in the SMR family offer design flexibility in setting desired combinations of reactivity coefficients and effects. This flexibility, coupled with the inherent properties of advanced types of fuel, creates a potential to prevent transient overpower accidents, to ensure increased reactor self-control in a variety of other anticipated transients without scram and combinations thereof, and to enable ‘passive shutdown’ (see definition at the end of Appendix 2) and passive load following capabilities of a plant.[8] Smaller specific core power or relatively tall reactor vessels facilitate the use of natural convection of a single phase liquid metal coolant to remove decay heat or even the heat produced in normal operation (for heavy liquid metal cooled SMRs). For sodium cooled

reactors, smaller reactor size facilitates achievement of negative whole core sodium void reactivity effect. For lead cooled reactors, there could be a certain size limit to ensure reliable seismic design [2].

Figure 9 and 10 show general layouts of the 4S-LMR and the SSTAR, respectively.

t— CLOSURE HEAD

CO2 OUTLET NOZZLE (1 OF 8)

CO2 INLET NOZZLE (1 OF 4)

Pb-TO-CO2 HEAT

EXCHANGER (1 OF 4)

FLOW SHROUD

RADIAL REFLECTOR

ACTIVE CORE AND

FISSION GAS PLENUM

FLOW DISTRIBUTOR HEAD

Fast spectrum liquid metal cooled SMR designs are represented by the 4S-LMR concept of a sodium cooled small reactor without on-site refuelling developed by the Central Research Institute of Electric Power Industry (CRIEPI) and Toshiba in Japan (see Annex VIII) and by the SSTAR and STAR-LM concepts of small lead cooled reactors without on-site refuelling developed by the Argonne National Laboratory (ANL) in the USA (see Annex IX). Lead cooled SMR concepts use CO2 as the working media in the Brayton cycle power circuit, and incorporate no intermediate heat transport system. Although essentially different in several important features, both the sodium cooled and the lead cooled SMR concepts belong to a family of pool type integral design liquid metal cooled fast reactors, and close cooperation between their designers was established long ago [3]. Of the two designs, the 4S-LMR is in a more advanced stage, because for a similar design — different essentially in the type of fuel used and named the 4S — the conceptual design and major parts of the system design have been completed [3]. A pre-application review by the US NRC was initiated in the fall of 2007. Construction of a demonstration reactor and safety tests are planned for early 2010 [3]. Different from the 4S-LMR, both the SSTAR and STAR-LM are at a pre-conceptual stage. It should be noted that the small size and capacity of fast reactors considered in this section are, first of all, conditioned by the requirement for operation without on-site refuelling (see [3] for more detail) and not by the a priori considerations of achieving a somewhat higher degree of passive response in accidents.

Tables 28-32 summarize the design features of the 4S-LMR, the SSTAR and the STAR-LM contributing to defence in depth Levels 1-5.

Design features contributing to Level 1 of defence in depth, “Prevention of abnormal operation and failure”, are summarized in Table 28.

11 Pb coolant not reacting chemically with CO2 working fluid; no intermediate heat transport system

12 Natural convection of coolant plus open fuel element lattice (large fuel element pitch to diameter ratio)

13 Primary electromagnetic (EM) pumps arranged in two units connected in series, with each unit capable of taking on one half of the pump head

14 Reactor vessel enclosed in a guard vessel to prevent loss of the primary coolant; pool type design with intermediate heat exchangers located inside the main reactor vessel

15 Use of double piping, double tubes and double vessels for secondary sodium, including heat transfer tubes from the steam generator

16 Reactor vessel enclosed in a guard vessel such that even in the case of primary vessel boundary rupture, the faulted level of lead will always exceed Pb entrances to the PB to CO2 heat exchangers;

High boiling point of the Pb coolant (1740°C), exceeding the point at which stainless steel core structures melt;

Pool type design configuration;

High density of Pb coolant limits void growth and downward penetration following a postulated in-vessel heat exchanger tube rupture

17 Highly reliable system of control of dissolved oxygen potential in the Pb coolant

Maintenance of the integrity of stainless steel SSTAR, cladding in all modes of operation by preventing STAR-LM corrosion;b

Prevention of the formation of corrosion debris with a potential to block the coolant area

a ‘Passive shutdown’ is used to denote bringing a reactor to a safe low power state with balanced heat production and passive heat removal, with no failure of the barriers preventing radioactivity release to the environment. The shutdown should take place using inherent and passive safety features only, with no operator intervention, no active safety systems involved, no requirement for external power and water supplies, and with a practically infinite grace period. b Corrosion/erosion is generally a slow and easily detectable process.

A low pressure primary coolant system, securing low non-nuclear energy stored in the primary coolant system is a common feature of all liquid metal cooled reactors, irrespective of their size and capacity. In addition to this, like many innovative liquid metal cooled reactors of a variety of capacities and sizes, all SMRs considered in this section rely on advanced fuel designs with high thermal conductivity, ensuring increased margins to fuel failure.

The lead cooled SSTAR and STAR-LM reactors incorporate optimum sets of reactivity feedbacks, provided by design and contributing to the elimination of transient overpower, as well as to the prevention or de-rating of the initiating events resulting from malfunctioning of systems or operator actions. Specifically, the designers of the SSTAR and STAR-LM mention the so-called ‘passive shutdown’ capability of their reactors as provided by design.

1 All-negative temperature reactivity coefficients

2 Large negative feedback in fast spectrum Increased self-control in case of

core; natural convection of coolant in all abnormal operation, including passive

modes; physical properties of Pb coolant load following and ‘passive shutdown’ and nitride fuel with high heat conductivity

Slow pace of transients due to abnormal 4S-LMR, SSTAR, STAR-LM operation

4 Sodium leak detection system in heat Enhanced detection of failure of the 4S-LMR

transfer tubes of the steam generator, secondary sodium boundary

capable of detecting both inner and outer tube failures

5 Two redundant power monitoring systems; Enhanced control of abnormal operation 4S-LMR balance of plant temperature monitoring and detection of failure system; electromagnetic pump performance monitoring system; cover gas radioactivity monitoring system, etc.

Control of the corrosion/erosion SSTAR, STAR-LM

processes of stainless steel claddings in Pb flow and detection of failures

7 Independent and redundant shutdown Reactor shutdown

systems (see Table 30 for details)

The sodium cooled 4S-LMR provides for power control via pump flow rate in the power circuit, with no control rods in the core, and for pre-programmable movement of axial reflectors with no feedback control, contributing to burnup reactivity compensation. Both of these features contribute to the prevention of transient overpower accidents.

To prevent a sodium-water reaction, the 4S-LMR incorporates an intermediate heat transport system, like most of sodium cooled fast reactors. As the CO2 is used as a working medium in the power circuits of the SSTAR and STAR-LM, which does not react chemically with Pb, these reactors do not incorporate an intermediate transport system.

Natural convection is used in the SSTAR and STAR-LM to remove heat under normal operation, eliminating loss of flow accidents. De-rating of loss of flow in the 4S-LMR is achieved by a scheme with two electromagnetic pumps connected in series.

Both sodium and lead cooled SMRs incorporate guard vessel to prevent LOCA; the 4S-LMR also incorporates double piping and double vessels for secondary sodium, including heat transfer tubes of the steam generator.

Finally, a reliable system of corrosion control is assumed to be provided for the SSTAR and STAR-LM to maintain the integrity of stainless steel claddings and to prevent the formation of corrosion debris with the potential of coolant area blockage. For these reactors it is important to maintain the oxygen potential in the correct regime to prevent the formation of PbO, which needs to be avoided. There could also be corrosion debris such as Fe that migrates into the coolant where it forms iron oxide, which should be filtered out.

For Level 2 of defence in depth, “Control of abnormal operation and prevention of failure”, contributions come from large thermal inertia of the primary coolant system and reactor internals, resulting in the slow progress of transients, and from optimum negative feedback, provided by design and ensuring a high-degree of reactor self-control. Specifically, passive load following and ‘passive shutdown’ capabilities are mentioned for the SSTAR and STAR-LM. Monitoring and detection systems are other important contributors. Finally,

1 Use of metallic fuel with high thermal conductivity (relatively low temperature)

2 Use of nitride fuel with high thermal conductivity (relatively low temperature)

3 Relatively low linear heat rate of fuel

4 All-negative temperature reactivity coefficients

5 Large negative feedback from fast spectrum core, natural convection of coolant in all modes, physical properties of Pb coolant and nitride fuel with high heat conductivity

6 Negative whole core void worth

7 — Very high boiling point of Pb coolant (1740°C);

— Escape path for gas/void to reach free surface provided by design;

— The reactor vessel is enclosed in a guard vessel such that even in the case of primary vessel boundary rupture, the faulted level of lead will always exceed Pb entrances to the PB to CO2 heat exchangers

8 Large specific (per unit of power) inventory of the primary coolant

9 Effective radial expansion of the core (negative feedback), provided by design

10 Low pressure loss in the core region, provided by design

11 A combined system of electromagnetic pumps and synchronous motors (SM), ensuring favourable flow coast-down characteristics

12 Natural convection of coolant in all modes of operation plus open fuel element lattice (large fuel element pitch to diameter ratio)

13 Two independent systems of reactor shutdown, each capable of shutting down the reactor by:

— A drop of several sectors of the reflector; or

— Gravity-driven insertion of the ultimate shutdown rod

14 Two independent and redundant active safety grade shutdown systems

High margin to fuel failure; larger grace period

High margin to fuel failure; larger grace period

Higher margin to fuel failure; larger grace period

Increased reactor self-control in design basis accidents

Increased self-control of the reactor in design basis accidents, including passive load following and ‘passive shutdown’ (in the case of a failure of both scram systems)

Prevention of design basis accidents propagation into beyond design basis conditions (due to coolant boiling or loss)

Prevention of core void as the extension of design basis accidents; securing of normal heat removal path through Pb/CO2 heat exchangers in DBA

Increased grace period

Increased reactor self-control in design basis accidents; prevention of DBA propagation into beyond design basis conditions

Increased level of natural circulation to remove decay heat from the core

Increased grace period in the case of pump failure

Increased reliability of heat removal through natural convection of coolant via Pb-CO2 heat exchangers and, in the case of their failure, by natural convection based decay heat removal systems RVACS and DRACS

Reactor shutdown

Reactor shutdowna

15

Redundant and diverse passive auxiliary cooling Increased reliability of decay heat removal systems (RVACS and IRACS or PRACS), both from the core using draught of environmental air as an ultimate heat sink

Protection of the reactor vessel and enclosure SSTAR, STAR-LM from over-pressurization when one or more in­vessel Pb to CO2 heat exchanger tubes fail [9] [10] [11] [12] [13] [14]

The 4S-LMR incorporates no active safety systems. However, there are several active systems providing normal operation of the reactor at rated or de-rated power, e. g., electromagnetic pumps providing forced convention of sodium coolant to remove core heat, or a burnup reactivity compensation system based on slow upward movement of the reflector, using an advanced pre-programmed drive mechanism. These systems can contribute to performing safety functions in certain accident scenarios. No information was provided on which systems of the 4S-LMR are safety grade.

All passive and active safety systems in the SSTAR and the STAR-LM are assumed to be safety grade.

The design features contributing to Level 4 of defence in depth, “Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents” fit in the following main groups; see Table 31:

(1) Inherent safety features contributing to prevention of core melting, numbers 1-5 of Table 31;

(2) Redundant and diverse passive decay heat removal systems with natural draught of air used as an ultimate heat sink, discussed in more detail in conjunction with Level 3 of defence in depth;

(3) Inherent and passive design features for the prevention of recriticality, numbers 8-9 of Table 31. These include an effective mechanism of fuel carry-over from the core in case of fuel element cladding failure (4S-LMR) and high density of the Pb coolant securing movement of molten fuel to the upper free level of lead (SSTAR and STAR-LM);

(4) Guard vessels in addition to the main vessels, for all designs, and double piping for the 4S-LMR; see numbers 11-13 of Table 31;

(5) Location of the containment and reactor in a concrete silo below ground level, for all designs considered.

For Level 5 of defence in depth, “Mitigation of radiological consequences of significant release of radioactive materials”, the designers of the 4S-LMR foresee no measures needed beyond the plant boundary in response to any severe accidents or combinations thereof, even when there is no operator intervention, no emergency team actions, and no external power and water supply. The designers of the SSTAR and STAR-LM take a more conservative approach, suggesting that standard measures may still be applicable, but within the exclusion zone reduced against that of present day reactors; see Table 32 and Table 35.

Issues of achieving plant licensing with reduced off-site emergency planning requirements are discussed in more detail in section 3.2.1., in conjunction with measures planned in response to severe accidents for pressurized water type SMRs. This discussion is also relevant to sodium cooled and lead cooled fast reactors considered in this section.

Tables 33 and 34 summarize the information on design basis and beyond design basis accidents and acceptance criteria.

TABLE 32. DESIGN FEATURES OF SODIUM COOLED AND LEAD COOLED FAST SMRs CONTRIBUTING TO LEVEL 5 OF DEFENCE IN DEPTH

# Design feature What is targeted SMR designs

1 Inherent and passive safety features ensure the plant will survive all postulated design basis and beyond design basis accidents, including anticipated transients without scram and combinations thereof, without operator intervention, emergency team actions, and external power and water supply [15]

Eliminate the need for any intervention 4S-LMR in the public domain beyond plant boundaries as a consequence of any accident condition within the plant

To reduce the exclusion zone compared SSTAR, STAR-LM

to that provided for currently operated

reactors

TABLE 33. SUMMARY OF DESIGN BASIS AND BEYOND DESIGN BASIS EVENTS, INCLUDING THOSE SPECIFIC FOR A PARTICULAR SMR

Table 33 also lists the features that are specific for the considered SMRs but not for a reactor line as a whole. For the sodium cooled 4S-LMR, these are failure in insertion of the ultimate shutdown rod and failure in the operation of the pre-programmed moveable reflector, in view of the fact that these design features are unique to the 4S-LMR. As both SSTAR and STAR-LM are being designed with a non-conventional CO2 based Brayton cycle power circuit, specific events are indicated as those related to disruption in the operation of this power circuit.

The 4S-LMR appears to be the only SMR concept in this report for which the acceptance criteria for design basis accidents are specified in a risk-informed way; see Annex VIII. Addressed within the design basis are events with a frequency as low as 10-6 x 1/year. In contrast, the acceptance criteria for severe accidents, which
in the case of the 4S-LMR include extremely rare failures of more than one redundant system, are specified in a deterministic way, with no frequency indicated.

For the SSTAR and STAR-LM, an expectation of new technology neutral and risk informed regulations to arrive in time for design completion is mentioned, but no details are provided regarding the acceptance criteria themselves.

Table 35 summarizes design features for protection against external event impacts, while Table 36 lists measures foreseen in response to severe accidents.

For both the 4S-LMR and the SSTAR and STAR-LM, strong reliance on inherent and passive safety features expected to render unnecessary operator intervention, emergency team actions and external power and water supplies, while ensuring a ‘passive shutdown’ capability of the reactor, are mentioned as factors important for protection against both internal and external event impacts and combinations thereof.

The design features of sodium cooled and lead cooled fast SMRs addressed in this report fit in within the fundamental requirements suggested in the IAEA safety standard Safety of Nuclear Power Plants: Design Requirements [7].

However, all considered fast spectrum SMR designs are being developed to offer several unique qualities, such as:

(1) A ‘passive shutdown’ capability, i. e., the capability to bring the reactor to a safe low power state with balanced heat production and passive heat removal, and with no failure to barriers preventing radioactivity release to the environment; all relying on inherent and passive safety features only, and with practically indefinite grace period;

(2) Very low pressure in the primary coolant system, challenging the notion of a primary pressure boundary used throughout the safety standard [7];

(3) Design basis events encompassing events with occurrence frequencies as low as 10-6 1/year and including combinations of unprotected transients [2, 3], each of which is rated severe for the current generation of light water reactors.

The designers of fast spectrum SMRs target licensing within the currently established national regulatory framework but mention that further elaboration of national regulatory norms toward technology-neutral and risk-informed approach could facilitate licensing considerations and further design improvements.

As an example, the recently published IAEA report Proposal for a Technology-Neutral Safety Approach for New Reactor Designs [13] suggests that “the means for shutting down the reactor shall consist of a minimum of two lines of protection (shutdown mechanisms — whether they be control rods or inherent feedback features of the core design) required to achieve the mission within the reliability requirements for safety”.

CNEA,

Argentina

III — 1. DESCRIPTION OF THE CAREM DESIGN

CAREM is an Argentine project for design and technology development and construction of an innovative, simple and small nuclear power plant (NPP). This nuclear power plant is based on an indirect cycle nuclear reactor with some distinctive and characteristic features which simplify design, and contribute to enhanced safety. A detailed description of the CAREM design and features is presented in [III-1, III-2].

The first step of this project is the construction of a prototype of about 27 MW(e) (CAREM-25) [III-2]. Main features of the CAREM approach and, specifically, the CAREM-25 design, are the following; see Fig. III-1:

• Integrated primary coolant system;

• Primary cooling by natural circulation (for CAREM-25 and CAREM designs below 150 MW(e));

• Self-pressurization (active pressurizer is eliminated);

• Safety systems relying on passive features.

Main characteristics of the CAREM nuclear power plant are given in Table III-1.

In order to simplify design, the whole high energy primary system, including the core, the steam generators, primary coolant and the steam dome, is contained inside a single reactor pressure vessel. This considerably reduces the number of pressure vessels and simplifies the layout.

The absence of large diameter piping associated with the primary system, removes the possibility of large break loss of coolant accidents (LOCA). The elimination of large break LOCA substantially reduces the necessity for emergency core cooling system (ECCSA) components, alternate current (AC) supply systems, etc.

Large coolant inventory in the primary circuit results in large thermal inertia and long response time in the case of transients or accidents.

The reactor primary coolant system operates on natural convection. Water enters the core from the lower plenum. After being heated, the coolant exits the core and flows up through the riser to the upper dome. In the upper part, water leaves the riser through lateral windows, going to the periphery region of the in-vessel space. Then it flows down through the modular steam generators, with decreased enthalpy. Finally, the coolant exits the steam generators and flows down through the down-comer to the lower plenum, closing the circuit.

The CAREM primary coolant system is self-pressurized.

Due to the innovative design of the reactor core cooling system (RCCS), an extensive experimental plan has been developed and is being implemented [III-2, III-3].

RCCS modelling and qualification are supported by tests performed in a high pressure natural circulation rig (CAPCN), covering thermal hydraulics and techniques of reactor control and operation. The CAPCN rig reproduces all dynamic phenomena of the RCCS, except for 3D effects.

The fuel is enriched UO2. Core reactivity is controlled by the use of Gd2O3 as a burnable poison in special fuel rods and moveable absorbing elements belonging to the reactor control and adjustment system. Liquid chemical compositions (like boric acid solution) are not used for reactivity control during normal operation.

Each absorbing element (AE) consists of a cluster of rods linked by a structural element (namely, ‘spider’), so that the cluster moves as a single unit. Absorber rods fit into guide tubes. The absorber material is the commonly used Ag-In-Cd alloy. Absorbing elements (AE) are used for reactivity control during normal operation (control and adjustment system) and to interrupt nuclear chain reaction promptly when required (fast shutdown system).

The shutdown system is diversified to fulfil the requirements of the Argentine regulatory authority.

The first shutdown system (FSS) consists of gravity driven neutron-absorbing elements. In CAREM-25, this system provides a total negative reactivity of 6880 pcm in a cold shutdown state, with all rods inserted.

During normal operation, elements of the FSS are kept in the upper position. They are designed to provide a minimal dropping time, so it takes only a few seconds to completely insert the absorbing rods into the core. In CAREM-25, this system has a minimum worth of 3500 pcm, with one rod unavailable.

The second shutdown system (SSS) is a gravity driven injection device based on high pressure borated water. In CAREM-25, this system provides a total negative reactivity of 5980 pcm in a cold shutdown state, assuming a single rod failure.

Twelve identical ‘mini-helical’ vertical steam generators (see Fig. III-2) of the once-through type are placed equidistant from each other along the inner surface of the reactor pressure vessel (RPV) [III-1, III-2]. They are used to transfer heat from the primary to the secondary circuit, producing superheated dry steam at 47 bar. The secondary system circulates upwards within the tubes, while the primary is in counter current flow. An external shell surrounding the outer coil layer and adequate seal form the flow separation system. It guarantees that the entire stream of the primary system flows through the steam generators.

To achieve rather uniform pressure-loss and superheating on the secondary side, the length of all tubes is equalized. For safety reasons, steam generators are designed to withstand the primary pressure without pressure in the secondary side and the live steam system is designed to withstand primary pressure up to the isolation valves (including the steam outlet/water inlet headers) in case of SG tube breakage.

The designers were not requested to adjust safety related terminology of their projects accordingly when preparing design descriptions for this report; they followed the definitions accepted in their respective Member States. However, in line with the recommendations of [6] and upon the approval from designers, terms such as ‘revolutionary design’, ‘passive, simplified and forgiving design’, ‘inherently safe design’, ‘deterministically safe design’, ‘catastrophe free design’ etc. were edited out from design descriptions, except for in cases when they appear in the names of certain reactor concepts.

The maximum power removed by each RRP loop is about 5 to 7 MW(th), depending on operating conditions. The low amount of removed power ensures that, whatever the reactor power, it is possible to test the heat removal system while the reactor is in operation without significantly disturbing operating conditions. The abovementioned testing procedure is a significant element in validation of the reliability of such passive heat removal systems.

The RRPp are safety grade. The RRPa are safety grade, except for the chilled water loop and pumps. Normal residual heat removal system

In the reactor hot state, residual heat is removed through the steam generator. The steam is discharged to the atmosphere, and the steam generator is fed by the startup shutdown system (SSS). This system is not safety grade. At low temperatures, the RRP with the air-cooling tower (RRPa) removes decay heat.

When the reactor vessel is open, especially during refuelling operations, decay heat is removed by the twelve RRPa cooled by chilled water to secure a very low primary water temperature, compatible with the maintenance action conditions. The primary circuit operates on natural convection and the RRPa loops operate in an active mode (with forced circulation in the chilled water loop).

The safety injection system is the only active safety system of the SCOR; it is safety grade. A short description of this system is provided below.

Safety injection system

As large break LOCAs are eliminated by design, and as the primary system thermal inertia is larger than that of a loop type PWR, the safety injection system requires devices with a small flow rate. With the selected low pressure for the reactor, there is safety injection of only one with a pressure of about 20 bars. The pump power required for the safety injection is very small, about 35 kW(e).

All structured descriptions of SMR design features used to achieve defence in depth were prepared and reviewed first hand by the designers of SMRs in Member States, in communication with international experts and the IAEA Secretariat.

Appendix 1 of this report was elaborated upon through participation of research teams involved in development of methodologies for the reliability assessment of passive safety systems in advanced reactors.

The introductory and cross-cutting sections were developed by international experts and the Secretariat, and reviewed by SMR designers in Member States. The conclusions were elaborated through the effort of the two IAEA technical meetings convened in June 2005 and October 2006.

Tables I-8 to I-12 below provide the designer’s response to questionnaires developed at an IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [I-2] and other IAEA publications [I-3, I-6]. The information presented in Tables I-8 to I-13 provided a basis for conclusions and recommendations of the main part of this report.

TABLE I-8. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE KLT-40S DESIGN

# Safety design features

1. Negative reactivity coefficients on specific volume of the coolant, on fuel and coolant temperature and on reactor power in the whole range of variation of reactor parameters

2. Absence of liquid boron reactivity control system

3. High thermal conductivity of the fuel composition (uranium dioxide granules in the inert matrix)

4. Use of a gas pressurizer system

5. Insertion of scram control rods into the core by force of accelerating springs [32] [33]

What is targeted?

In reactivity initiated accidents: limitation of reactor power increase, ensuring reliable core cooling, prevention of pressure and temperature increase in the primary circuit

Exclusion of inadvertent reactivity insertion as a result of boron dilution

Prevention of the fuel element cladding temperature increase in loss of flow accidents; prevention of the primary pressure and temperature increase in accidents with disruption of heat removal

Exclusion of electric heaters — a potentially unreliable component

Increased reliability of a reactor shutdown Increased reliability of a reactor shutdown

# Safety design features What is targeted?

7. Use of a passive emergency heat removal system

8. Adequate level of natural circulation flow in the primary system

9. Limitation of uncontrolled movement of the control rods by an overrunning clutch and by movement limiters, for an accident with a break in the CPS drive support bar

10. Use of self-actuating devices in safety systems

11. Use of once-through steam generators

12. Use of a ‘soft’ pressurizer system

13. Provision of a mechanical strength margin on the primary pressure

14. High thermal capacity of primary system components

15. Modular design of the reactor unit

16. Leaktight reactor coolant system

17. Favourable conditions for the realization of a ‘leak before break’ concept in application to the structures of the primary circuit, provided by design

18. Use of restriction devices in the pipelines of the primary circuit systems

19. Connection of primary coolant systems to a ‘hot’ part of the reactor

20. Use of hydro-accumulators in the ECCS

21. Use of a steam generator with lower pressure inside the tubes in normal operation mode

22. Use of secondary system pipelines designed for primary pressure, up to the cut-off valves

23. Use of a passive reactor vessel cooling system

24. Use of a passive containment heat removal system [34]

Increased reliability of emergency heat removal Reliable core cooling

Decrease of a positive reactivity inserted under impact loads or under a break of the CPS drive casing, or under a break of the CPS drive support bar

Increased reliability of an emergency reactor shutdown; increased reliability of a startup of emergency heat removal systems

Limited increase of heat power removed by the secondary circuit in case of a steam line break accident

Damping of the transients; increased time margins for measures on accident management

Increased time margin for measures on management of accidents with heat removal disruption

Increased time margin for measures on management of accidents with heat removal disruption

Elimination of long pipelines in the reactor coolant system

Decreased probability of loss of coolant accidents

Reduced probability of a guillotine break for the primary pipelines

Limitation of the break flow in case of a pipeline guillotine rupture; less strict requirements to the ECCS

Ensuring fast transition to a steam flow through a break in case of a pipeline rupture; limitation of break flow; less strict requirements to the ECCS

Providing a time margin for personnel to take actions on accident management in case of a failure of the active means of emergency water supply (pump failure)

Reduced probability of a steam generator tube rupture Absence of coolant release in the case of a steam generator leak In-vessel retention of the corium

Reliable decrease of containment pressure and limitation of radioactive release in accidents

Limitation of radioactive release in accidents; additional protection from the impacts of external events

TABLE I-9. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

Hazards (safety functions) that are of concern How these hazards (safety functions) are addressed (performed)

(relevant) for a reactor line in the KLT-40S

5. Avoid exothermic chemical reactions — It is ensured that thermal state of the fuel rods in emergency

conditions excludes the exothermic reaction of zirconium oxidation by steam.

TABLE I-10. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA)

TABLE I-10. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA) (cont.)

4. Loss of primary system — Modular design of the reactor unit; elimination of integrity (LOCAs) long pipelines in the reactor coolant system;

-Connection of the primary coolant systems to a ‘hot’ part of the reactor;

-Installation of restriction devices in pipelines of the primary circuit systems.

See Table I-11 Specific initiating event for the

KLT-40S is a break of the connection pipeline between the pressurizer and the gas balloons; Specific beyond design basis accident for the KLT-40S is a break of the primary circuit pipeline with a failure to cut off the gas balloons.

5. Interfacing systems LOCA — Up to the cut-off valves, the interfacing systems are

designed for primary pressure.

6. Loss of power supply — Use of a passive emergency heat removal system

providing the removal of heat over 24 hours.

Structures, systems and components of the floating NPP are designed taking into account possible impacts of natural and human induced external events typical of a floating NPP location site and transportation routes, and meet the regulatory requirements. [35] [36] [37]

TABLE I-11. QUESTIONNAIRE 3 (PART 2) — DESIGN FEATURES OF THE KLT-40S THAT PREVENT PROGRESSION OF SPECIFIC INITIATING EVENTS TO A MORE SEVERE PHASE

о

о

REFERENCES TO ANNEX I

[I-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Reactor Designs 2004, IAEA-TECDOC-1391, IAEA, Vienna (2004).

[I-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[I-3] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, Vienna (1996).

[I-4] Radiation Safety Regulations (NRB-99): Hygiene Regulations, Ministry of Health (Minzdrav) of the Russian Federation, Moscow, (1999) (in Russian).

[I-5] General Principles of Safety Provision for NPPs, OPB-88/97. NP-001-97 (PNAE G-01-011-97). Moscow, Gosatomnadzor RF (1997).

[I-6] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

Annex II