Approaches to safety: active, passive, inherent safety and safety-by-design

While not limited to SMRs, it is worth summarizing the safety approaches, commenting in particular on inherent safety features and safety-by-design, which will be shown to be preferentially linked to SMRs. ‘Inherent safety’ and ‘safety-by-design’ are sometimes used interchangeably. However, the former primarily reflects the presence of a feature that eliminates certain accidents, while the latter emphasizes that the design was consciously modified to achieve that effect. There are other subtle differences in the use of safety-related terms in the US and worldwide; IAEA-TECDOC-626 (IAEA, 1991) is a good source for the latter, and we will therefore also cite it here. The following definitions may be applied to components as well as systems; we introduce them as they apply to systems, with the understanding that they extend to components. Furthermore, we focus on essence rather than precise definitions.

All NPPs incorporate a number of safety systems designed to provide safety functions and perform appropriate actions in off-normal and accident situations. According to the modus of their operation, they are divided into active and passive ones.

Active safety systems require external power, force, action or signal. For example, decay heat removal may require an electric actuation signal, a motor-driven (or manually operated) valve to be opened, a pump to be run to establish coolant flow, or some combination thereof. For active safety systems to operate, external power source(s) are required, and this presents a vulnerability even with multiple redundant and diverse power sources (grid connections, diesel generators, batteries), as the Fukushima Daiichi accident demonstrated.

Passive safety systems, in contrast, operate on the laws and forces of nature (gravity, natural circulation) and are therefore less susceptible to external impacts and ultimately less likely to fail. It is difficult to devise totally passive systems. In US practice, the term is extended to include systems that, in addition to their truly passive portion, rely on stored energy to initiate the action (for example, opening a valve using battery or compressed-air power to establish natural circulation), after which the action proceeds on the laws of nature alone.

Table 8.1 illustrates the division into active and passive systems/components with a specific Nuclear Regulatory Commission (NRC) classification of structures and components (for the purpose of aging management review). It is extracted from 10 CFR 54.21(a)(1)(i), ‘Structures and Components Subject to Aging Management Review’ (CFR, 2010).

A more precise distinction may be achieved (IAEA, 1991) by considering the level of passivity, ranging from Category A, denoting the most passive systems, with no signals, external forces, power sources, moving parts or moving fluids involved, to the least passive Category D, which requires or allows the following:

• Energy must only be obtained from stored sources such as batteries or compressed or elevated fluids, excluding continuously generated power such as normal AC power from continuously rotating or reciprocating machinery.

• Active components are limited to controls, instrumentation and valves, but valves used to initiate safety system operation must be single-action relying on stored energy.

• Manual initiation is excluded.

An example is an emergency core cooling system based on gravity-driven fluid circulation, initiated by fail-safe logic actuating battery-powered electric valves. For the complete definition of all categories, see IAEA (1991).

Table 8.1 Example of passive and active systems and components classification

Passive                                       Active
---------------------------------------------------------------------------
Reactor vessel                                Pumps (except casing)
Reactor coolant system pressure boundary      Valves (except body)
Steam generators                              Motors
Pressurizer                                   Diesel generators
Piping                                        Air compressors
Pump casings                                  Snubbers
Valve bodies                                  Control rod drive
Core shroud                                   Ventilation dampers
Component supports                            Pressure transmitters
Pressure-retaining boundaries                 Pressure indicators
Heat exchangers                               Water level indicators
Ventilation ducts                             Switchgears
Containment                                   Cooling fans
Containment liner                             Transistors
Electrical and mechanical penetrations        Batteries
Equipment hatches                             Breakers
Seismic Category I structures                 Relays
Electrical cables and connections             Switches
Cable trays                                   Power inverters
Electrical cabinets                           Circuit boards
                                              Battery chargers
                                              Power supplies

Source: CFR (2010).

Older, so-called Generation-II NPPs rely primarily on active safety systems. Many modern NPPs implement a combination of active and passive safety systems (IAEA, 2004). The Westinghouse Gen-III+ AP1000 is a passive safety plant, meaning that all of its safety systems are passive (Schulz, 2006).

It should be noted that passive systems may still fail: a wall intended to function as a safety separation barrier may be destroyed in an earthquake, a pipe in a natural circulation loop may be crushed, and so on. This is where inherent (or intrinsic) safety and safety-by-design come in. One should differentiate between an overall inherently safe NPP and inherently safe features. Quoting IAEA-TECDOC-626 (IAEA, 1991): ‘Inherent Safety refers to the achievement of safety through the elimination or exclusion of inherent hazards through the fundamental conceptual design choices made for the nuclear plant.’ The reference goes on to emphasize:

Potential inherent hazards in a nuclear power plant include radioactive fission products and their associated decay heat, excess reactivity and its associated potential for power excursions, and energy releases due to high temperatures, high pressures and energetic chemical reactions. Elimination of all these hazards is required to make a nuclear power plant inherently safe. For practical power reactor sizes this appears to be impossible. Therefore the unqualified use of ‘inherently safe’ should be avoided for an entire nuclear power plant or its reactor.

We will therefore use ‘inherent safety’ to imply inherent safety feature(s), not the overall inherent safety.

A similar concept is expressed by the term safety-by-design, which emphasizes that conscious design and engineering choices may eliminate the initiators for certain accidents or classes of accidents, and thus eliminate the possibility of those classes of accidents occurring. It is then not necessary to deal with the hypothetical consequences of such accidents: the corresponding safety systems are not needed, and the whole plant becomes simpler, safer and more economical at the same time. Safety-by-design is present to a certain degree in all (viable) reactor designs, more so in SMRs and in particular in iPWR SMRs, for reasons discussed below. Arguably, it was most systematically pursued from the very beginning, and implemented to the highest degree, in the IRIS design (Carelli et al., 2004; Petrovic et al., 2012), which may serve to illustrate many specific points.

Table 8.2 summarizes the implementation of safety-by-design (i.e., inherent safety features) in IRIS; individual features are shared with other iPWR SMRs. The intent of the safety-by-design approach in IRIS was to eliminate, or reduce in severity, by design, as many of the Class IV accidents as possible.

Examining the table, it may be observed that of the eight Class IV accidents typically considered in large loop PWRs, three have been eliminated (large break loss-of-coolant accident (LOCA), control rod ejection, and reactor coolant pump shaft break), four have been reduced in severity (reactor coolant pump seizure, steam generator tube rupture, steam system piping failure, and feed-water system pipe break), and one (fuel handling accidents) is unaffected. The first two eliminations are a direct consequence of the integral configuration, while for the remaining five accidents the positive impact is partly due to, or supported by, the integral configuration. Obviously, the integral configuration by itself does not automatically resolve potential safety concerns, but it does facilitate addressing or eliminating many of them.

Most PWR SMR designs base many of their inherent safety features on their integral design, i.e., they are of the iPWR type (IAEA, 2012a). This is not by chance; it results from the synergy of two fundamental factors:

• PWRs are high-pressure systems, and thus very sensitive to any leak or breach of the primary boundary. In contrast, low-pressure lead- or liquid-salt-cooled systems, for example, tend to self-plug leaks because the coolant solidifies, so this issue is not nearly as critical for them. The integral configuration eliminates external piping and multiple pressure vessels, thus eliminating or minimizing the probability of such events.

• Since the integral primary circuit configuration tends to increase the pressure vessel size significantly, it is generally not feasible for a large PWR, whose vessel is already large, while it is generally feasible for an SMR with a power level up to a few hundred MWe. However, an approach aiming to enable large-power integral PWRs, and thus to extend SMR safety characteristics to GWe-class reactors, is pursued in the I2S-LWR concept (Petrovic, 2014).

Table 8.2 Implementation of safety-by-design in IRIS

Columns: IRIS design characteristic | Safety implication | Positively impacted accidents and events | Class IV design basis accidents | Safety-by-design impact on Class IV accident

Integral layout | No large primary piping | Large break loss-of-coolant accidents (LOCAs) | Large break LOCA | Eliminated

Large, tall vessel | Increased water inventory; increased natural circulation; accommodates internal control rod drive mechanisms | Other LOCAs; decrease in heat removal events; control rod ejection; head penetration failure | Spectrum of control rod ejection accidents | Eliminated

Heat removal from inside the vessel | Depressurizes primary system by condensation and not by loss of mass | Other LOCAs | (none) | (none)

Heat removal from inside the vessel | Effective heat removal by steam generator and emergency heat removal system | Other LOCAs; all events requiring effective cooldown; anticipated transient without scram (ATWS) | (none) | (none)

Reduced size, higher design pressure containment | Reduced driving force through primary opening | Other LOCAs | (none) | (none)

Multiple, integral, shaftless coolant pumps | No shaft | Shaft seizure/break | Reactor coolant pump shaft break | Eliminated

Multiple, integral, shaftless coolant pumps | Decreased importance of single pump failure | Locked rotor | Reactor coolant pump seizure | Downgraded

High design-pressure steam generator system | No steam generator safety valves; primary system cannot over-pressurize secondary system | Steam generator tube rupture | Steam generator tube rupture | Downgraded

High design-pressure steam generator system | Feed-water/steam piping designed for full reactor coolant system pressure reduces piping failure probability | Steam line break; feed line break | Steam system piping failure | Downgraded

Once-through steam generators | Limited water inventory | Feed line break; steam line break | Feed-water system pipe break | Downgraded

Integral pressurizer | Large pressurizer volume/reactor power | Overheating events, including feed line break; ATWS | (none) | (none)

Spent fuel pool underground | Security increased | Malicious external acts | Fuel handling accidents | Unaffected

Handbook of Small Modular Nuclear Reactors, pp. 196-197: Safety of integral pressurized-water reactors (iPWRs)

An overview of representative approaches and of the passive and inherent safety features pursued in different iPWRs follows. Note that some of them may also apply to, or be used in, large loop PWRs; some are not fully passive but instead have elements enabling passive safety; and some are specific safety approaches typically found in iPWR SMRs.

• Integral primary circuit, integral configuration, integral vessel layout. As already discussed, several safety features are driven or assisted by the integral configuration:

o inherent elimination of large break LOCA;

o inherent elimination of control rod ejection (with internal control rod drive mechanisms (CRDMs) enabled by the integral configuration);

o better response to transients (with a large primary inventory and an increased pressurizer volume-to-power ratio, typical of integral pressurizers);

o immersed pumps may eliminate some primary pressure boundary penetrations and their associated failure modes;

o novel internal steam generators and primary heat exchangers eliminate or reduce in severity certain associated failure modes, such as steam generator tube rupture (if the primary coolant is on the shell side) or steam-line/feed-line break;

o confinement of the primary coolant to the reactor vessel;

o overall more compact design due to the elimination of external loops.

• Guard vessel, reducing the impact of a primary boundary breach, but potentially impacting economics.

• Natural circulation-based heat removal in normal (power) operation, eliminating (auxiliary) pumps and the possibility of their failure. Typically limited to low power systems.

• Natural circulation-based decay heat removal in off-normal conditions, eliminating the need for pumps and external power, considered in many designs.

• Soluble-boron-free core. This reduces corrosion and eliminates the need for a chemical and volume control system (CVCS) and its associated piping with primary pressure boundary (pressure vessel) penetrations. Of course, large PWRs may also be designed for soluble-boron-free operation. However, cost considerations favor boron-free operation of (in particular smaller) SMRs and the use of soluble boron in larger plants, because the CVCS cost does not depend strongly on plant size, while the number of required control rods, and their cost, does. The cost breakeven point is design dependent, but is estimated to be in the 100-200 MWe range.

• Increased operational margin, sometimes at a cost of power downrating.

• Enhanced self-regulation. Typically achieved through enhanced negative temperature and power feedback, frequently in conjunction with a soluble boron-free core, it provides a self-regulating and self-stabilizing effect. It is of particular interest for smaller units where load-follow operation is intended. It has to be considered, however, that a very strong negative feedback may have negative safety implications due to the reactivity insertion in cooldown scenarios.

• Long life core. It reduces the probability of refueling accidents and refueling outages and associated penalty, and may increase proliferation resistance. However, it needs to be carefully assessed against the needed higher enrichment or reduced power density, offsetting these positive impacts. There is usually an economically optimum balance.

• Very low power reactors (with a small core fuel inventory) may reduce the source term to a level at which a small emergency planning zone (EPZ), e.g., one with no off-site component, is deterministically defensible.

• Increased heat capacity of ultimate heat sink, typically implemented through a combination of smaller power units and large pool, providing increased or indefinite decay heat removal capability and thus grace period after a hypothetical accident.

• Inerted containment to prevent hydrogen explosion (easier to implement for compact SMR designs).

• Passive containment heat removal system as another layer of defense.

• Coupled pressure vessel and containment vessel response to LOCA events, aiming to limit the loss of coolant inventory.

• Application of the traditional defense-in-depth (DID) implemented through use of passive features as much as possible.

• Passive reactivity control systems, including passive shut-down systems.

• Near zero self-regulating excess reactivity, eliminating the possibility of prompt criticality, but usually limited to (very) low power systems.

• Enhanced seismic isolation. Not specific to SMRs, but economically more feasible for compact iPWR SMR designs (cf., e.g., Petrovic et al., 2012).

It is instructive to review the implementation of the above features in specific iPWR designs. The designs discussed here have been selected from the many SMR designs proposed over the last several decades; including all or most of them would have been impossible as well as ineffective. Instead, a narrow selection aiming to be somewhat representative is presented, together with the rationale for the selection, while the reader interested in further designs is advised to examine review papers and the IAEA TECDOCs and OECD handbooks that are periodically prepared to capture all or most of the then-current designs under development (OECD, 1991, 2011; IAEA, 1995, 2005a, 2006, 2012a; DOE, 2001; Ingersoll, 2009).

The following rationale was used to guide our selection:

• The specific SMR design and safety concept had to be developed to a certain degree of completeness, maturity and integration. Otherwise, it is possible to claim attractive features that may or may not work together once the integrated design is analyzed.

• The selection focuses on power plants providing at least 40 MWe. Several interesting very low power (typically <10 MWe) iPWR concepts have been proposed, but they are geared to very specific purposes.

• The selection includes two prominent historical US designs that pushed the envelope and attracted broad attention by their overall safety characteristics and maturity of the design, SIR in 1990s (OECD, 1991; Matzie et al., 1992), and IRIS in 2000s (Carelli et al., 2004; IAEA, 2012a; Petrovic et al., 2012).

• The selection includes two prominent non-US designs that have been under development for some time and are actively pursued, SMART (Chapter 15) (IAEA, 2005a; 2012a) and CAREM (Chapter 16) (IAEA, 2005a; 2012a), as well as RITM-200 (Chapter 17) (IAEA, 2012a).

• The selection includes three of the four SMR designs proposed in response to the US DOE funding solicitations in 2012 and 2013: mPower (Azad, 2012; Halfinger and Haggerty, 2012; IAEA, 2012a), NuScale (IAEA, 2012a; Ingersoll, 2012; Reyes, 2012) and the Westinghouse SMR (IAEA, 2012a; Kindred, 2012). Not much detailed information was publicly available on the fourth design, SMR-160 or HI-SMUR (Holtec Inherently-Safe Modular Underground Reactor, HI-SMUR™; www.smrllc.com).

Table 8.3 summarizes safety-related characteristics of the selected integral designs. The table is intended for illustrative purposes only, to show the safety benefits of iPWR SMR designs as a whole; it is not intended for comparison between the designs, since capturing all the features implemented in every specific design would be nearly impossible and very lengthy.

It should be noted that while some of the listed and tabulated features have a simultaneously positive impact on safety and economics (e.g., passive safety systems that improve safety while simplifying the design, thus making it more economical), others may challenge economics and require careful consideration and trade-off studies. An example is power downrating, which increases the capital cost per unit of power output and needs to be compensated by some other economic benefit, or which may enable certain design features not viable in current systems. Although economics is discussed in a separate chapter, the reader is reminded here that the impact of safety choices on economics always has to be considered.