APPROACHES TO SAFETY SYSTEM SELECTION: ACTIVE VERSUS PASSIVE SAFETY SYSTEMS

The enveloping design approach of the SMR designs considered in the present report is to eliminate as many accident initiators as possible, or to prevent as many accident consequences as possible, by design, and then to deal with the remaining accidents and consequences using reasonable combinations of active and passive safety systems and consequence prevention measures.

To prevent accidents, inherent safety features are used in the design, making direct contributions to defence in depth Level 1. These features may be very different for different reactor lines, e.g., eliminated piping or internal location of control rod drives in pressurized water reactors; eliminated steam generators and steam power circuit in direct cycle HTGRs; optimum combinations of reactivity effects and a negative void worth in sodium cooled and lead cooled fast reactors. They are summarized in more detail below.

Where available, contributions of inherent safety features to the subsequent levels of defence in depth can help reduce the hazards associated with accidents by ensuring increased reactor self-control, by slowing down accident progression, or by limiting accident scope. A relatively high heat capacity of the primary circuit is a typical example for many reactor lines.

Certain inherent safety features, such as the high temperature fission product confinement properties of the fuel and a high temperature margin to fuel failure, contribute directly to defence in depth Levels 3 and 4.

In addition to inherent safety features, some reliable passive features could contribute to various levels of defence in depth in a way similar to inherent safety features, i.e., help to prevent certain accidents or accident consequences or reduce their scope. Examples are additional passive structures (containment, guard vessel, an additional pressure boundary around the primary circuit, or coaxial double pipes; these are categorized as Category A passive systems in [12] but are often referred to as inherent or by-design safety features [2, 3]) and reliable heat transfer mechanisms, such as heat transfer by conduction and radiation through the reactor core and reactor internals, or an ultimate heat sink based on the natural draught of air outside the reactor vessel.

With the maximum possible use of the inherent and passive safety features provided by design, the remaining accident sequences are then dealt with using dedicated active or passive safety systems.

There is no single approach to selecting an optimum combination of active and passive safety systems, even for a single reactor line. A balanced view is that passive safety systems, which use natural mechanisms such as gravity, buoyancy or spring force for their operation, require no operator action for actuation and rely on no external power or working medium supply, have the potential to make plant design, maintenance and operation simpler; to enhance plant safety under a variety of internal and external events and combinations thereof; to improve plant resilience to human actions of a malevolent character (intrinsic security); and to improve plant economy. At the same time, it is recognized that the incorporation of passive safety systems in reactor designs needs to be adequately validated and tested, owing to the several issues highlighted in Appendix 1.

For a passive safety system, functional failure (i.e., failure of the system to perform its function) may occur if the initial or boundary conditions deviate from the specified range of values on which the performance of the system depends. Because the driving forces in passive systems are most often small, the overall balance of forces that defines the functional operation of the system may be upset even by a small disturbance or change in operating parameters [19-28]. The difficulties in evaluating functional failure of passive safety systems may be related to:

• Lack of plant data and operating experience;

• Experimental data from integral test facilities, or even from separate effects tests, being insufficient to characterize system performance in normal operation and in transients and accidents;

• Lack of a clear definition of the failure modes of passive safety systems;

• Difficulties in modelling the physical performance of such systems; for example, for natural convection based systems, such difficulties may be related to:

— Low natural convection flow rates, under which the flow is not fully developed and is multidimensional in nature;

— Flow instabilities, including flashing, geysering, density wave oscillations, flow pattern transition instabilities, etc.;

— Changes in critical heat flux under oscillatory conditions;

— Flow stratification with kettle type boiling, particularly in large diameter vessels;

— Thermal stratification in large water pools;

— Effects of non-condensable gases on condensation, etc.

• Unproven capability of the so-called 'best estimate' codes to simulate the performance of passive safety systems, since such codes were mainly developed to model plants relying on active safety systems.

Therefore, before passive safety systems are incorporated into a plant design, their capacity and reliability need to be validated and tested over a broad range of plant states, from normal power operation to transients and accident conditions [22, 23].
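The sensitivity to boundary conditions described above can be made concrete with a small model. The following Python script is an illustration added to this text; it is not from the report or from any of the designs it describes, and every parameter value in it is constructed. A single-phase natural circulation loop is reduced to one lumped momentum balance (buoyancy head against a lumped loss coefficient K), the success criterion is a maximum coolant temperature rise, and the boundary conditions (loss coefficient, i.e., fouling and deposits; a discrete partial blockage; decay heat) are sampled to estimate how often the loop fails its function even though it has a comfortable deterministic margin at nominal conditions. The uncertainty distributions are assumptions chosen for the illustration, not data.

```python
"""Functional-reliability sketch for a single-phase natural circulation loop.

Added illustration (not from the IAEA report): all parameter values are constructed.
The loop is reduced to one lumped momentum balance, which is enough to show why a
small buoyancy head can be upset by modest changes in boundary conditions.
"""
from dataclasses import dataclass, replace
import math
import random

G = 9.81  # gravitational acceleration, m/s^2


@dataclass(frozen=True)
class LoopParams:
    rho: float = 1000.0   # kg/m^3   coolant density (constructed, water-like)
    beta: float = 3.0e-4  # 1/K      volumetric thermal expansion coefficient
    cp: float = 4180.0    # J/(kg K) specific heat
    height: float = 10.0  # m        elevation of heat sink above heat source (thermal centres)
    area: float = 0.05    # m^2      reference flow area of the loop piping
    k_loss: float = 20.0  # -        lumped friction + form loss coefficient, clean loop
    power: float = 1.0e6  # W        decay heat the loop must remove
    dt_max: float = 30.0  # K        allowed coolant temperature rise (success criterion)


def mass_flow(p: LoopParams) -> float:
    """Steady-state natural circulation mass flow, kg/s.

    Buoyancy head rho*beta*g*H*dT balances friction K*m^2/(2*rho*A^2);
    with dT = Q/(m*cp) this gives m^3 = 2*rho^2*beta*g*H*Q*A^2 / (K*cp).
    """
    num = 2.0 * p.rho ** 2 * p.beta * G * p.height * p.power * p.area ** 2
    return (num / (p.k_loss * p.cp)) ** (1.0 / 3.0)


def required_flow(p: LoopParams) -> float:
    """Minimum flow that keeps the coolant temperature rise at or below dt_max, kg/s."""
    return p.power / (p.cp * p.dt_max)


def driving_head(p: LoopParams) -> float:
    """Buoyancy pressure head at the steady state, Pa (only a few hundred Pa here)."""
    dt = p.power / (mass_flow(p) * p.cp)
    return p.rho * p.beta * G * p.height * dt


def failure_loss_coefficient(p: LoopParams) -> float:
    """Loss coefficient at which the flow just meets the criterion (m scales as K^(-1/3))."""
    return p.k_loss * (mass_flow(p) / required_flow(p)) ** 3


def functional_failure_probability(p: LoopParams, n: int = 20000, seed: int = 1,
                                   k_sigma_ln: float = 0.4, power_rel_sd: float = 0.05,
                                   p_blockage: float = 0.05, blockage_k: float = 40.0) -> float:
    """Fraction of sampled boundary-condition states in which the loop fails its function.

    Uncertainty model (all assumptions): log-normal scatter on the loss coefficient
    (fouling, deposits), a discrete partial-blockage state that adds blockage_k, and
    normal scatter on the decay heat.
    """
    rng = random.Random(seed)
    failures = 0
    for _ in range(n):
        k = p.k_loss * math.exp(rng.gauss(0.0, k_sigma_ln))
        if rng.random() < p_blockage:
            k += blockage_k
        q = p.power * max(0.5, rng.gauss(1.0, power_rel_sd))
        state = replace(p, k_loss=k, power=q)
        if mass_flow(state) < required_flow(state):
            failures += 1
    return failures / n


if __name__ == "__main__":
    nominal = LoopParams()
    print(f"nominal flow            {mass_flow(nominal):7.2f} kg/s")
    print(f"required flow           {required_flow(nominal):7.2f} kg/s")
    print(f"driving head            {driving_head(nominal):7.1f} Pa")
    print(f"K at functional failure {failure_loss_coefficient(nominal):5.1f} (clean loop K = {nominal.k_loss})")
    print(f"P(functional failure)  ~{functional_failure_probability(nominal):.4f}")
```

At nominal conditions the loop delivers about 1.5 times the required flow, yet the driving head is under 600 Pa, and because flow scales only as K^(-1/3) a roughly 3.5-fold rise in the loss coefficient (deposits plus a partial blockage) is enough to lose the function. The sampled failure fraction is therefore of the order of a percent rather than the zero a single nominal calculation would suggest, which is the reason the text asks for validation over the whole range of boundary conditions rather than at one design point.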

In addition to what was mentioned above:

• The economics of advanced reactors with passive safety systems should be assessed, taking into account all related aspects of construction and decommissioning;

• Ageing of passive safety systems should be considered, especially for longer plant lifetimes; for example, corrosion and deposits on heat exchanger surfaces could impair the functional performance of passive safety systems;

• Passive safety systems should be designed with provision for easy in-service inspection, testing and maintenance, while ensuring that the dose rate to workers remains within the limits prescribed by regulations.

With all these aspects in mind, the selection of an optimum combination of active and passive safety systems depends on previous experience of their validation and testing, on the availability of a system prototype, on the function that the system is expected to perform, and on considerations of redundancy, diversity and independence as measures to cope with common cause failure [7], as well as on considerations of plant economy, operating complexity, applications, security and other factors.
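The reason redundancy alone is not enough against common cause failure, and why diversity and independence are listed alongside it, is easiest to see in numbers. The following Python script is an illustration added here; it is not from the report and uses a standard beta-factor model with constructed values (a per-demand failure probability of 1e-2 per train, of which 10 % is assumed to be common cause). It compares groups of identical trains with a system built from two diverse groups, under the assumption that diverse groups share no common cause coupling.

```python
"""Beta-factor common cause failure (CCF) model for redundant safety trains.

Added illustration (not from the IAEA report): failure probabilities and beta
factors below are constructed values. The point is the shape of the result:
adding identical trains stops helping once the CCF term dominates, whereas
diverse, independent groups multiply their failure probabilities.
"""


def split_beta(q_total: float, beta: float) -> tuple[float, float]:
    """Split a train's failure-on-demand probability into (independent, common cause) parts."""
    if not 0.0 <= q_total <= 1.0 or not 0.0 <= beta <= 1.0:
        raise ValueError("q_total and beta must lie in [0, 1]")
    return (1.0 - beta) * q_total, beta * q_total


def redundant_group_failure(n: int, q_total: float, beta: float) -> float:
    """Failure probability of a 1-out-of-n group of identical trains in one CCF group.

    The group fails if the common cause event occurs, or if all n trains fail
    independently; the two events are treated as independent of each other.
    """
    if n < 1:
        raise ValueError("a group needs at least one train")
    q_ind, q_ccf = split_beta(q_total, beta)
    return 1.0 - (1.0 - q_ccf) * (1.0 - q_ind ** n)


def diverse_system_failure(groups: list[tuple[int, float, float]]) -> float:
    """Failure probability when the function is backed by several diverse groups.

    Each tuple is (trains, q_total, beta). Diversity is modelled as separate CCF
    groups with no coupling between them (the independence assumption); the
    function is lost only if every group fails.
    """
    p = 1.0
    for n, q_total, beta in groups:
        p *= redundant_group_failure(n, q_total, beta)
    return p


if __name__ == "__main__":
    Q, BETA = 0.01, 0.1  # constructed: 1e-2 per train per demand, 10 % of it common cause
    for n in range(1, 5):
        print(f"{n} identical trains: P(fail) = {redundant_group_failure(n, Q, BETA):.3e}")
    print(f"CCF floor beta*q        = {BETA * Q:.3e}")
    two_pairs = diverse_system_failure([(2, Q, BETA), (2, Q, BETA)])
    print(f"two diverse pairs       = {two_pairs:.3e}")
```

With these numbers two identical trains already sit at the common cause floor of about 1e-3, and a third or fourth identical train changes nothing of consequence; the same four trains arranged as two diverse, independent pairs reach about 1e-6. The model also shows what the independence assumption buys and what it costs: any shared support system, shared location or shared design error between the "diverse" groups reintroduces a coupling term that the product rule does not capture.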

It should be noted that the passive safety systems in the SMRs considered in this report are not limited to natural convection based systems for passive decay heat removal, such as emergency core cooling systems, or to passive safety injection systems. They also include passive shutdown systems, such as those based on gravity or spring-force driven insertion of control rods, actuated upon flow disruption or system de-energization; passive filling of a gas gap with (liquid metal) coolant to enhance heat conduction to the outside of the reactor vessel; passive mechanisms of fuel carry-over from the core in the case of a fuel element failure, to avoid recriticality in fast reactors; and others.

A useful categorization of passive systems is provided in IAEA-TECDOC-626 [12]; for convenience, some definitions from this reference are reproduced in Appendix 1 of this report.

The particular approaches to the application of passive versus active safety systems adopted by the designers of the SMRs considered in the present report are highlighted in Section 3.2, in conjunction with Level 3 of defence in depth. A common feature of all SMRs considered in the present report is that they all use passive decay heat removal systems. In all cases these systems are redundant and safety grade. Shutdown systems may be active or passive, safety grade or non-safety grade, based on different principles and using different components (control rods, absorber balls, or safety injection). Where applicable, depressurization systems are provided, which in most cases are actuated passively, by self-actuating valves (safety relief valves, check valves).

All solutions with active and passive safety systems described in the present report follow the principles of redundancy, diversity and independence [7].

Light water reactors have a certain advantage with regard to passive safety systems, because more experience in the validation, testing, certification and operation of such systems has been accumulated [19]. More limited experience is available for HTGR type reactors [17]. For SMRs of other types, extensive R&D programmes are required; in some cases such programmes were already in progress during the preparation of this report [2, 3].

Performance assessment issues for passive safety systems are highlighted in more detail in Appendices I and II.