Category C passive systems [VII-2], which incorporate direct action actuation devices requiring no energy sources, are represented by the primary circuit overpressure protection system.

The primary circuit overpressure protection system protects the reactor unit, including the PCU, and other primary circuit equipment items, from pressure increase above allowable limits. The primary circuit overpressure protection system includes:

— Two overpressure protection trains;

— Pipelines;

— Primary measuring transducers.

Each overpressure protection train is a passive device because they are actuated upon direct action of the working fluid on a sensitive element. The system working fluid is a primary circuit coolant; highly pure helium. Overpressure protection trains are arranged in the PCU cavity.

The primary circuit overpressure protection system is a safety grade system.

Category D systems

Category D passive systems [VII-2], which incorporate ‘passive execution/active initiation’ type features, include:

— Bypass valve system of the turbomachine control and protection system (TM CPS);

— Emergency reactor shutdown system;

— Control systems;

— Localizing valves.

The bypass valve system of the TM CPS fulfils the following functions:

— Prevention of turbomachine over speed during loss of external load;

— Turbomachine emergency shutdown during failure of the turbomachine or the PCU equipment, and in

blackouts;

— Rapid decrease of electric power in reactor plant normal operation mode.

When the bypass valves open, a portion of primary coolant flow bypasses the reactor core and the turbine, thus decreasing electric power generated by the reactor plant, triggered by a decrease in the helium flow rate and expansion ratio in the turbine, or an increase of the flow rate and power in the compressors, or an increase in the power removed in the precooler and intercooler.

The TM CPS bypass valve system incorporates:

— Four bypass shut-off and control valves DN300;

— Electrically driven shut-off valves;

— Pipelines.

The adopted redundancy scheme of bypass shut-off and control valves is based on a single failure principle and allows the reactor plant power operation until shutdown and maintenance; all based on one failed valve.

The bypass valve system is a normal operation system, which shoulders the functions of a safety system. It is a safety grade system.

Two independent reactivity control systems based on different operation principles are used to execute reactor emergency shutdown and maintenance in a sub-critical state; these systems are:

(1) Electromechanical reactivity control system based on control rods moved into reactor core channels and

the inner and outer reflectors;

(2) Reserve shutdown system (RSS) based on spherical absorbing elements that fill in channels in the fuel

assembly stack over the whole height of a fuel assembly.

The electromechanical reactivity control system consists of 54 control rods with individual drives and provides for reactor emergency shutdown and maintenance in a subcritical state, taking into account cooling and unpoisoning, under a one (most effective) rod stuck condition. Control rods are inserted into the core driven by gravity, from any position and without the use of external power sources, in the case of de-energization actuated by control system signals. The electromechanical reactivity control system is a normal operation system, which shoulders the functions of a safety system. It is a safety grade system.

Reactor emergency shutdown signals are generated automatically according to parameters of different physical nature or via pressing corresponding buttons in the main and standby control rooms.

The RSS includes 18 RSS drives with individual hoppers containing absorbing elements, and 18 channels in the reactor core stack into which boric absorbing spheres are inserted. Each RSS channel may be filled individually. The RSS is intended to shut down the reactor and keep it in an unpoisoned cold subcritical state in case of a failure of the control rod based system, taking into account a postulated single failure in the system.

The RSS is started through a power supply to the RSS drive motors and through opening of the gates of hoppers containing absorbing elements. The RSS drives are powered by the emergency power supply system, which uses two emergency diesel generators. The absorbing boric spheres are inserted by gravity.

The design and materials of absorbing elements exclude primary coolant contamination by the absorber. RSS fulfils the functions of a protective safety system.

The RSS is a safety grade system.

GT-MHR NPP control and support safety systems (CSS) are intended to actuate equipment, mechanisms and valves, localizing and support safety systems in preaccidental conditions and in accidents; to monitor their operation; and generate control commands for the equipment of normal operation systems used in safety provision algorithms.

The CSS are based on the principles of redundancy, physical and functional separation, and safe failure.

The CSS include two independent three channel sets of equipment with emergency signal processing logic ‘2 out of 3’, implemented in each set. Each set is capable of carrying out the safety functions in full. CSS sets are physically separated so that internal (fire, etc.) or external (aircraft crash, etc.) impacts do not lead to a control system failure, and inability to perform the required functions.

The CSS provide automated and remote control of equipment of safety systems from the independent main and standby control rooms. Principal technical features are selected using the concept of a safe failure — blackouts, short circuits, or phase breaks start emergency signals in the channels or initiate safety actions directly. The CSS are safety grade.

Redundant localizing valves are used to prevent loss of coolant at depressurization of auxiliary systems of the primary circuit and to localize inter-circuit leaks of coolant from the primary to the adjacent circuits.

Air-driven normally closed bellows shut-off valves are used for localization. During normal operation of the plant the shut-off valves are open. Air to the pneumatic drives of the shut-off valves is supplied by electromagnetic control air distributors. Shut-off valves are actuated by the energy of a compressed spring when there is a loss of power supply to air distributor electromagnets or air release from the pneumatic drives of the valves. The valves and air distributors can be controlled automatically (actuated upon control system signals), remotely, or manually (by a manual drive amending the pneumatic drive).

Localizing valves fulfil the function of a localizing safety system. The localizing valves are safety grade.

Active safety systems

The GT-MHR design has no dedicated active safety systems. Active systems of normal operation, such as the power control unit (PCU) and the shutdown cooling system (SCS), are used for safety purposes. These systems remove heat under abnormal operation conditions, during design basis accidents (DBA) and in beyond design basis accidents (BDBA).