In accordance with modem NPP safety approaches, radiation exposure on personnel, population and environment in normal operation and design-basis accidents should not lead to excess dose rates for people, and in beyond design-basis accidents, this effect should reasonably limited. To this end, technical and organisational measures are taken to ensure safety with any initiating event envisaged by the design with superposition of one failure independent of the initiating event of any of the following safety system element: active or passive element with mechanical movable parts or one personnel error independent of the initiating event. Besides one failure independent of the initiating event, it is necessary to take into account the nondetectable failure of elements affecting safe operation, which are uncontrolled in operation, and influencing accident propagation.

Safety of the UNITHERM NPP is achieved by a complex of technical solutions among which the following are worth mentioning.

The NPP employs water-moderated, water-cooled reactor with inherent safety features which reflect its capability of keeping safety on the basis of internal feedbacks, natural physical processes applying passive residual heat removal systems and automatic protection devices which ensure chain fission reaction suppresion without intervention of operator. The UNITHERM NPP is also capable of self-controlling chain fission reaction due to negative temperature, power and void coefficients of reactivity. The core physical characteristics are so selected that the above coefficients are negative in the entire range of temperatures during the core life both in normal and emergency operation modes. This eliminates spontaneous core power excursion in normal startup and heatup and stabilizes operation in steady-state and transient conditions when heat consumer circuit modes of operation change.

After NSSS is started up and brought to a preset load, moving of shim groups upwards is mechanically blocked thereby eliminating possibility of unauthorized introduction of additional positive reactivity.

The NSSS design is such that all potential leak initiation locations are in the top part of the vessel with limiting equivalent leak diameter sufficiently small and not exceeding DN 20. The integral layout of NSSS unit with rather efficient iron-water radiation shield between the core and wall of NSSS vessel excludes vessel brittle fracture because of metal neutron irradiation. All this allowed to exclude accidents associated with large and medium leaks, and prevent dangerous propagation of accidents due to core dryout. To this end, the containment (Fig. 3) is used designed for localization of primary leaks within the inner volume. The use of three-section liquid

Fig.3. Reactor Plant

1 — Iron-water shielding tank; 2 — radioactive gases storage cylinders; 3 — liquid absorber supply system; 4 — containment; 5 — shock-proof casing; 6 — cooldown system heat exchanger; 7 — safeguard housing; 8 — steam generating unit; 9 — biological shielding blocks; 10 — liquid and solid wastes storage tanks; 11 — basement

absorber feed system ensures flooding this part of the containment in the emergency situation under consideration with liquid medium up to the level above potential primary circuit depressurization points which completely eliminates core drying in any design initiating events or accident scenarios. Thus, as a maximum design-basis accident it is possible to consider the primary circuit leak of conventional equivalent size of DN 20 max. The estimates showed that propagation of such an accident follows the scenario typical for the small leaks in containment without deterioration of its leaktightness and core damage. This is contributed by reasonable emergency cooling core system (ECCS) redundancy and its passive principle of operation using no forced circulation means. ‘

Incorporation into the UNITHERM NPP of additional localizing safety barrier — safeguard housing — enables even in the case of beyond design-basis accidents due to containment depressurization practicale to eliminate radioactivity release to the environment and risk of core drying. Beyond design-basis accident due to containment depressurization and postulated damage of 10 % of fuel elements and primary coolant and radionuclides discharge to the safeguard housing does not lead to significant radiation damage for population and individual exposure will not exceed 0.11 rem/y.

The UNITHERM NPP three-loop thermal-hydraulic design when consumers even with two consecutive interloop leaks can be reliably protected by reasonably redundant shut-off and cut-off localizing valves against radionuclides discharge to heat consumer circuit, and against harmful effect of ionizing radiation on personnel. Thanks to this, NPP personnel is beyond the area of ionizing radiation and the ionizing radiation rate on the NPP protection surfaces does not exceed the background values in normal operation. The dose rate of ionizing radiation in maximum design-basis accident 100 m away from NSSS is only by 10% above the background level.

Special attention has been paid to NPP UNITHERM emergency core cooling system (ECCS) which plays the important role in safety assurance. This was mostly due to the fact that because of inapplicability of traditional technical solutions we had to search for new ones taking into account not only general approach to NPP design, but climatic conditions of the NPP site as well.

The ECCS is designed as independent process loop associated with the intermediate loop. In emergency situations, the heat removed from the core via steam generators arranged within the NSSS vessel is fed to the intermediate loop, and further, through heat exchangers of the loop, is removed, via independent ECCS, to its heat exchange surfaces cooled by atmospheric air. The low winter temperature level in UNITHERM NPP application areas demands the selection of low-boiling coolant of the aforementioned independent loop of ECCS. To this end ammonia may be used.

Specific features of ECCS is that it does not have isolating and cut-off devices, i. e., the system is in continuous operation. Therefore, marked seasonal ambient air temperature fluctuations may greatly influence the amount of heat discharged through the system to atmosphere. So, in summer the capacity of heat removed through the system is 3-4 % of the nominal NPP heat capacity, the respective figures in winter may increase as high as 1.5-2 times. To reduce heat losses, the system of shudder-type gate valves is envisaged in the air duct. Switching of the gate valves from summer to winter operation is made during NPP preventive maintenance. Apart from its main functions, ECCS provides the possibility to keep NPP in hot stanby, i. e., at minimum possible core power level when power take-off is stopped.

Another improvement in reliability and safety of the UNITHERM NPP is the passive nature of core protection system. During NPP operation under load variations, core power is self — controlled, whereas variation of reactivity during continuous operation practically compensated for by burnable absorber and temperature effect, and only once a year reactivity is adjusted by remote relocation of absorber rods.

Emergency scram of NSSS and the core subcriticality is achieved by insertion of absorber rods in the core by motor-operated drives or by gravity and compressed spring energy in case of de-energizing of drives. Shutdown of NSSS with malfunction of the above absorber rods is ensured by using additional emergency protection based on alternative design philosophy. To prevent unauthorized withdrawal of control and protection system elements in commissioning the electromagnetic "arrestors" are provided in the drives limiting movement of absorber rods.

For quantitative evaluation of the UNITHERM NPP safety the following possible scenarios of severe accidents have been considered (unauthorized introduction of positive reactivity in the core, loss of preferred power, and primary circuit depressurizationjand probabilities of final states of the following categories have been determined:

• the first category — accident localized without violation of safety limits;

• the second category — accident localized with partial deviations from safety limits and without core damage;

• the third category — accident localized with significant deviations from safety limits and accompanied by transition to core steam cooling which in the case of long-term accident can lead to partial core damage.

Predictions showed that core damage probability in any of the above-mentioned accident situations will not exceed 10’5 1/y. In this case, probability of core damage with primary circuit

—12 * —X

depressurization is 6.7 • 10 , and with blackout is 5.4 • 10 1/y.