Addressing the safety imperative

Nuclear reactor safety is achieved through a sound design and the use of safety systems, i.e. protective systems which counteract the accident and/or attenuate its consequences. The ideal scenario would be a design so perfect that no safety systems are necessary, that is, a design where accidents either cannot occur or, if they do, their consequences are acceptable. Obviously this is Utopia, but the integral configuration offers a very good approximation to it. The most immediate, and universally adopted, possibility offered by the integral configuration is the elimination of large LOCAs, simply because there are no large pipes to be broken. This is only one of the many opportunities offered to the designer. The IRIS project developed a unique approach, articulated over three tiers.

• The first tier, called Safety-by-Design, is a significant step beyond passive safety. The underlying principle is to intrinsically eliminate as many potential accidents as possible by proper design, rather than coping with their consequences through safety systems, either active or passive.

• The second tier is provided by simplified passive safety systems, which protect against the remaining potential accidents and mitigate their consequences.

• The third tier is provided by active systems which are not required to perform safety functions (i.e. are not safety grade) and are not credited in deterministic safety analyses, but are used as necessary to improve reliability and decrease the CDF. Their use and characteristics are optimized through a design based on probabilistic risk assessment (PRA).

The iPWR offers the possibility, by design, to: (1) eliminate some of the accidents (e.g. large LOCAs, control rod ejection); (2) decrease the probability of occurrence for the vast majority of the remaining accidents; and (3) mitigate the consequences.

In loop-type PWRs there are typically eight accidents classified as Class IV design basis events (DBEs), i.e. accidents which can cause a radiation release to the environment. Thus, the DBEs eventually dictate the necessary safety systems. Table 3.1 (from Petrovic et al. [5]) summarizes the design characteristics; the safety implications of each design characteristic; the positively impacted accidents and events; the related Class IV accident; and, bottom line, how they fare under the Safety-by-Design approach used by the IRIS reactor. As shown in the table, systematic implementation of the Safety-by-Design approach enables elimination of three out of the eight DBEs typically considered for LWRs, while four more are downgraded to a lower severity class (as low as Class 1 for the locked rotor accident) where radiation release will not occur. The only remaining Class IV accident is the fuel-handling accident, because the iPWR, like practically all power reactors, needs to be periodically refueled.

Table 3.1 Implementation of Safety-by-Design™ in IRIS

| IRIS design characteristic | Safety implication | Positively impacted accidents and events | Class IV design basis events | Safety-by-Design impact on Class IV events |
|---|---|---|---|---|
| Integral layout | No large primary piping | Large break LOCAs | Large break LOCA | Eliminated |
| Large, tall vessel | Increased water inventory; increased natural circulation | Other LOCAs; decrease in heat removal events | none | none |
| Large, tall vessel | Accommodates internal control rod drive mechanisms | Control rod ejection; head penetrations failure | Spectrum of control rod ejection accidents | Eliminated |
| Heat removal from inside the vessel | Depressurizes primary system by condensation and not by loss of mass | Other LOCAs | none | none |
| Heat removal from inside the vessel | Effective heat removal by steam generator and emergency heat removal system | Other LOCAs; all events requiring effective cooldown; anticipated transient without scram (ATWS) | none | none |
| Reduced size, higher design-pressure containment | Reduced driving force through primary opening | Other LOCAs | none | none |
| Multiple, integral, shaftless coolant pumps | No shaft | Shaft seizure/break | Reactor coolant pump shaft break | Eliminated |
| Multiple, integral, shaftless coolant pumps | Decreased importance of single pump failure | Locked rotor | Reactor coolant pump seizure | Downgraded |
| High design-pressure steam generator system | No steam generator safety valves; primary system cannot over-pressure secondary system | Steam generator tube rupture | Steam generator tube rupture | Downgraded |
| High design-pressure steam generator system | Feed-water/steam piping designed for full reactor coolant system pressure reduces piping failure probability | Steam line break; feed line break | Steam system piping failure | Downgraded |
| Once-through steam generators | Limited water inventory | Feed line break; steam line break | Feed-water system pipe break | Downgraded |
| Integral pressurizer | Large pressurizer volume/reactor power | Overheating events, including feed line break; ATWS | none | none |
| Spent fuel pool underground | Security increased | Malicious external acts | Fuel-handling accidents | Unaffected |

This is of course very impressive, but in reality DBEs very seldom occur. Three Mile Island started with a small LOCA and Fukushima was the consequence of an external event (Chernobyl was atypical). So, attention must be paid to providing proper, reliable passive safety systems (second tier). This practice is now adopted by all iPWR designs and most of the other LWR designs. The importance of the third tier, the active non-safety-grade systems, was originally not recognized by the large LWRs, where all the emphasis was placed on the passive systems; but the active systems do play a critical role in improving reliability and decreasing the CDF through an interactive and iterative PRA and safety design procedure.

From the very beginning of the IRIS design process, the PRA was iteratively used to guide and improve the design, as shown in Figure 3.1. The process is conceptually quite straightforward, but also quite time consuming, requiring tens of design iterations. It enabled IRIS to move from an initial CDF value of 2E-6 to a final value of 2E-8, at least a decade (a factor of ten) below the most advanced of the other LWRs. As will be recalled, E-8 is an "act of God" probability.

In the case of IRIS the cylindrical primary vessel has a 6 m diameter and the spherical containment a 25 m diameter. The containment is housed in the auxiliary building, which also houses the remaining components of the nuclear steam supply system (NSSS), such as the spent fuel pool. The IRIS auxiliary building is cylindrical in shape, which is intrinsically more resistant to impact than an angular configuration. The containment is located one-third underground, and the spent fuel pool is also underground. IRIS was designed several years before the occurrence of Fukushima, which would have been served very well by the IRIS Safety-by-Design.

Large break LOCAs cannot occur in an integral reactor, but small break LOCAs do. While their consequences are mostly insignificant from a technical standpoint, they do have a negative financial, regulatory and public acceptance impact. And, of course, there is the possibility of triggering a higher-level accident. One of the accomplishments of the IRIS Safety-by-Design was to completely neutralize the small LOCAs. First, all lower-level vessel penetrations are eliminated up to 2 m above the top of the core, and there are no penetrations on the vessel head because of the internal control rod drive mechanisms. The grand total is seven penetrations for safety and auxiliary systems. Furthermore, IRIS was designed such that if a penetration fails and a small LOCA does occur, there are no adverse consequences.

Figure 3.1 IRIS — PRA guided design.

Once a break occurs, steam exits from the vessel into the containment, initiating the vessel depressurization; as the internal steam generators remove the decay heat, steam condenses with a further depressurization effect. The IRIS containment was designed such that, at the same wall thickness and design strain as traditional loop PWR containments, it can take an operating pressure approximately four times higher, because it is spherical and its diameter is about half. Because of the simultaneous vessel pressure decrease (due to the steam generators' heat removal) and the containment pressure increase safely allowed by the improved IRIS containment design, the two pressures equalize quickly and no further steam exits the break. LOCAs of various break sizes and elevations were evaluated; the LOCA duration was about half an hour, with the core remaining safely covered in all cases (for the worst size/elevation combination, about 2 m of water were still left above the top of the core). Once the steam egress phase is over, the vessel and containment are thermo-hydraulically coupled through the break, and long-term cooling of the vessel/containment system can be controlled through external cooling of the containment.
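The factor of approximately four quoted above follows from thin-wall membrane stress; the derivation below is added here and is not from the original chapter. It assumes the loop PWR containment is approximated as a cylinder of radius $R_c$ and the IRIS containment as a sphere of radius $R_s \approx R_c/2$, both with the same wall thickness $t$, the same material (so equal design strain means equal stress) and the same allowable stress $\sigma$.

$$\sigma_{\text{cyl}} = \frac{p_c R_c}{t}, \qquad \sigma_{\text{sph}} = \frac{p_s R_s}{2t}$$

Setting both equal to the same allowable $\sigma$ and solving for the pressure ratio:

$$\frac{p_s}{p_c} = \frac{2R_c}{R_s} \approx \frac{2R_c}{R_c/2} = 4$$

One factor of two comes from the spherical shape (membrane stress in a sphere is half that of a cylinder of the same radius) and the other from halving the diameter.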

The complex coupled behavior of this patented design was extensively analyzed, and experimental verification was planned at the SIET test facility in Piacenza, Italy, where tests of the Westinghouse AP600 passive systems had been performed. The design of the IRIS test facility mockup and the extensive test campaign plans were completed when the IRIS program was terminated.

Historically the emphasis in safety design and analysis has been on internal events. However, as better and better handling of the internal events is achieved, the external events, first and foremost seismic, have become the determining factor in establishing the total CDF. And, of course, Fukushima has been quite a reminder. The very compact iPWR can dispose of seismic events through the Safety-by-Design approach, since it can be sited on seismic isolators in a partly underground location.

Elimination of the consequences of seismic events, which are by far the most significant of the external events, will keep the total CDF in the order of E-8/yr as determined by the internal events. On the other hand, the seismic CDF for non-isolated plants could be of the order of E-6/yr or more, i.e. of the same order of magnitude as the internal events in the most recent LWR designs, thus significantly affecting the overall safety. Seismic is the most critical of the external events, while the others can be kept under E-8/yr through proper application of Safety-by-Design. An in-depth discussion can be found in Carelli et al. [1] and Alzbutas et al. [8].

Another consideration is the plant's resistance to terrorist attacks, which can be handled through Security-by-Design, rooted in the same principles as Safety-by-Design. A typical example is a very low profile above ground (in the IRIS case it was less than 30 m), an uninviting choice to airborne terrorists with many taller targets to choose from. This application of Security-by-Design would be even more effective for other iPWRs which are smaller than the 335 MWe IRIS.

In the same vein as Safety-by-Design and Security-by-Design, the iPWR offers intrinsic possibilities to improve proliferation resistance and physical protection, as addressed in Chapter 9.