It is expected that the probability of unacceptable radioactivity release beyond the plant boundary would be less than 1 x 10-7/year.

VI-7. MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

One of the important design objectives of the AHWR is to eliminate the need for any intervention in the public domain beyond plant boundaries as a consequence of any postulated accident condition within the plant [VI-1].

Tables VI-2 to VI-6 below provide the designer’s response to the questionnaires developed at the IAEA technical meeting “Review of passive safety design options for SMRs” held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [VI-3] and other IAEA publications [VI-2, VI-4]. The information presented in Tables VI-2 to VI-6 provided a basis for the conclusions and recommendations of the main part of this report.

TABLE VI-2. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE MARS DESIGN

# Safety design features What is targeted?

1. Heat removal by natural convection of the coolant

2. Slightly negative void coefficient of reactivity

3. Negative fuel temperature coefficient of reactivity

4. Low core power density

5. Low excess reactivity

6. Large coolant inventory in the main coolant system

7. Two fast acting shutdown systems (mechanical shut off rods and liquid poison injection system)

8. Passive emergency injection of cooling water (initially from the accumulators and later from the overhead gravity driven water pool — GDWP) directly into the fuel cluster through four independent trains

9. Passive decay heat removal by isolation condensers

10. Passive injection of poison into the moderator, by using high pressure steam

11. Large inventory of water in the GDWP inside the containment

12. Use of the moderator as a heat sink

13. Flooding of the reactor cavity following a LOCA

14. Double containment [52]

Elimination of postulated initiating events associated with pump failure

Reduction of the extent of an overpower transient

Thermal inertia securing a reduced rate of temperature rise under certain transients

Safe termination of abnormal operational conditions and accidental conditions

Core heat removal during loss of coolant accidents (LOCA); including a prolonged core cooling for 3 days via GDWP water injection. Direct injection reduces the time for ECCS water to reach fuel

Core decay heat removal under non-availability of the main condenser, by transferring heat to the GDWP water without any operator action or active signal

— Effective reactor shutdown in the case of a failure of the wired (sensors, signal carriers and actuators) mechanical shutdown system and the liquid poison injection system

— Elimination of the possibility of radioactive steam release through safety relief valves, by performing an effective reactor shutdown and bringing the system back to a condition with restored heat removal capability of the isolation condensers

— Provides a heat sink/working fluid for decay heat removal by passive systems, containment cooling and containment isolation during a LOCA, as well as passive concrete cooling

— Provides prolonged core cooling during LOCAs, meeting the requirement of a three day grace period

Impedes accident propagation in the case of a failure of the ECC injection during a LOCA

Facilitates eventual submerging of the core after a LOCA

Minimization of radioactivity release from the reactor building during accident conditions, such as a LOCA

Prevention of radioactivity release from the reactor building through the ventilation ducts following a large break LOCA

TABLE VI-2. QUESTIONNAIRE 1 — LIST OF SAFETY DESIGN FEATURES CONSIDERED FOR/ INCORPORATED INTO THE MARS DESIGN (cont.)

# Safety design features	What is targeted?
16. Vapour suppression in the GDWP	Minimization of containment pressurization by the absorption of energy released immediately following a LOCA
17. Containment cooling by passive containment coolers	Limit post-LOCA primary containment pressure. Condensation of steam and cooling of hot air in the containment by natural convection of the GDWP water, to ensure long-term containment cooling after an accident

TABLE VI-3. QUESTIONNAIRE 2 — LIST OF INTERNAL HAZARDS

# Specific hazards that are of concern for a reactor line	Explain how these hazards are addressed in a SMR
1. Prevent unacceptable reactivity transients	— Slightly negative void coefficient of reactivity — Small overall reactivity margin — Increased reliability of the control system achieved through the use of high reliability digital control using advanced information technology — Reactor protection system comprised of two independent fast acting shutdown systems — Provision of passive injection of poison to the moderator using system high steam pressure in the case of a failure of both wired shutdown systems
2. Avoid loss of coolant	— Large coolant inventory in the main coolant system — Presence of water in the calandria vault — Core cooling by passive injection of ECC water using high pressure accumulators and low pressure injection from the GDWP — Filling of the reactor cavity with GDWP water
3. Avoid loss of heat removal	— Low core power density — Large coolant inventory in the main coolant system — A 6000 m3 capacity GDWP, located at higher elevation inside the containment, serves as a heat sink for the passive residual heat removal system, ensuring a grace period of not less than three days — Use of the moderator as a heat sink
4. Avoid loss of flow	Core heat is removed by natural convection of the coolant; the design incorporates no main circulation pumps
5. Avoid exothermic chemical reactions:
—Zirconium-steam reaction	— Passive systems adopted in design for core heat removal during all operational modes, transients, and accidental conditions — Under any transient or accident conditions, the clad temperature is maintained lower than the threshold temperature at which a zirconium-steam reaction of a significant rate may occur
—Deuterium concentration in cover gas system of the moderator reaching the deflagration limit	Recombination units are provided for recombining deuterium and oxygen, limiting the deuterium concentration in cover gas well below the deflagration limit

List of initiating events for Design features of AHWR used to prevent progression of the Initiating events # AOO/DBA/BDBA typical initiating events to AOO/DBA/BDBA, to control DBA, to mitigate specific to this for a reactor line (PHWRs) BDBA consequences, etc. particular SMR

1. Reactivity anomalies due Two independent fast acting shutdown systems to control rod malfunctions

Boron-free equilibrium core configuration. Boron is injected into the moderator, not into the primary coolant. During a prolonged shutdown, the boron removal ion exchange columns of the moderator purification circuit are isolated

— Slightly negative void coefficient of reactivity, which prevents large variations in reactor power

— Emergency core cooling water cannot enter the main heat transport (MHT) circuit, because there is a certain differential pressure requirement for the injection to start

Core heat is removed by natural convection of the coolant; there are no main circulation pumps in the AHWR

— Two independent fast acting reactor shutdown systems provided for shutting down the reactor upon a LOCA signal, such as high containment pressure or low primary pressure

— Core cooling by passive injection of ECC water using high pressure accumulators and low pressure injection from the GDWP

— Minimization of containment pressurization by vapour suppression in the GDWP and by condensation of the steam and cooling of the air by the passive containment coolers

— Prevention of radioactivity release by passive formation of a water seal in the ventilation duct, in addition to closure of the mechanical dampers

— Prevention of accident propagation, facilitated by a large inventory of the moderator surrounding the fuel channels, by the presence of water in the calandria vault, and by filling of the reactor cavity with GDWP water

Shutdown of the reactor in the case of non-availability of the secondary circuit and decay heat removal by the isolation condensers in a passive mode

Reactor shutdown on power supply failure and passive decay heat removal by the isolation condensers

— Large coolant inventory in the primary circuit provides thermal inertia to limit the rate of temperature rise

— Low excess reactivity, achieved through the types of fuel used

— Negative void coefficient of reactivity and low core power density reduce the extent of possible overpower transients

— Reliable reactor control and protection system

— Passive circulation of the coolant that transfers heat from the source to a sink

— Annulus gas monitoring system to detect leakage from a pressure tube or calandria tube

— Rupture discs installed before the safety relief valves, to prevent inadvertent coolant leakage

List of initiating events for # AOO/DBA/BDBA typical for a reactor line (PHWRs)	Design features of AHWR used to prevent progression of the Initiating events initiating events to AOO/DBA/BDBA, to control DBA, to mitigate specific to this BDBA consequences, etc. particular SMR
9. Malfunctions in the secondary systems	— Due to a large coolant inventory in the main heat transport circuit and low power, any malfunctioning of the secondary system leads to slow transients in the main heat transport circuit — Redundancy is provided for the feedwater pumps — In the case of non-availability of the secondary circuit, the reactor is shut down and the decay heat is removed by the isolation condensers
10. Anticipated transient without scram (ATWS)	ATWS is not included in the accident list for the AHWR because two independent, diverse shutdown systems are being incorporated, backed up by a passive shutdown system in which poison is passively injected into the moderator using the system high pressure steam in the case of a failure of both wired shutdown systems
11. Accidents in fuel handling	— Fuel insertion and withdrawal rate controlled by on-line fuelling machine, for reactivity considerations — Control system capable of arresting the reactivity increase due to a sudden fall of the fuel assembly
12. Accidents due to external events	— Core cooling function for decay heat removal is fulfilled without any external energy or water supply for at least three days, due to natural convection of the coolant in the heat transport circuit and decay heat removal by the isolation condensers immersed in a large pool of water in the GDWP inside the containment — Safety related components, systems, and structures are designed for an operating basis earthquake (OBE) and for a safe shutdown earthquake (SSE); sites having unacceptable seismic potential are excluded — The effects of flood related events are avoided by providing a high grade elevation level to take care of maximum probable precipitation, maximum possible sea level, etc. — Double containment provides protection against aircraft crash or missile attack — Damages related to lightning are avoided by grounding — Detection of toxic gases is provided for; minimization of ingress of toxic gases into the structures and air intakes is achieved by closing the dampers in the ventilation systems. Air bottles with a 30-minute capacity are provided to supply fresh air to operating personnel — Chemical explosions and toxic gas release from off-site facilities are excluded by executing control of hazardous industrial facilities located within a 5 km radius
13.	Appropriate startup procedure backed up by analysis and Instability experiments during a startup

TABLE VI-5. QUESTIONNAIRE 4 — SAFETY DESIGN FEATURES ATTRIBUTED TO DEFENCE IN DEPTH LEVELS

# Safety design features	Category: A-D (for passive systems only), according to IAEA-TECDOC-626 [VI-2]	Relevant DID level, according to NS-R-1 [VI-3] and INSAG-10 [VI-4]
1.Natural convection of the coolant	B	1, 2, 3
2.Slightly negative void coefficient of reactivity	A	1
3.Negative fuel temperature coefficient of reactivity	A	1
4.Low core power density	A	1
5.Low excess reactivity	A	1
6.Large coolant inventory in the main coolant system	A	1, 2, 3
7.Two independent fast acting shutdown systems	D	2, 3
8.Passive injection of the emergency coolant water (initially from the accumulators and later from the overhead GDWP) directly into the fuel cluster through four independent trains	C	3
9.Passive decay heat removal by isolation condensers	C, D	2, 3
10.Passive shutdown through injection of a poison into the moderator, done by high pressure steam	C	2,3
11.Large inventory of water in the GDWP inside the containment	A	3,4
12.Use of the moderator as a heat sink	A	4
13.Presence of water in the calandria vault	A	4
14.Flooding of the reactor cavity following a LOCA	B, C	4
15.Double containment	A	3, 4, 5
16.Passive containment isolation by formation of a water seal in the ventilation ducts	B	3, 4, 5
17.Vapour suppression in the GDWP	B	3, 4, 5
18.Containment cooling by the passive containment coolers	B	3, 4, 5

TABLE VI-6. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

Passive safety design features	Positive effects on economics, physical protection, etc.	Negative effects on economics, physical protection, etc.
Core cooling by natural convection	Simplifies design and maintenance, eliminates nuclear grade main circulating pumps, their drives and control systems, contributing to reduced plant cost	Increased diameter and length of the piping; with associated increase in plant cost
	Reduces the power requirements for plant operation, resulting in higher net plant efficiency and lower specific capital cost

REFERENCES TO ANNEX VI

[VI-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[VI-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).

[VI-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[VI-4] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[VI-5] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

Annex VII