Primary circuit integrity is secured by

(1) Realization of prerequisites and conditions required to exclude brittle fracturing of the reactor vessel; these prerequisites include keeping the fast neutron fluence on the reactor vessel and the vessel temperature below allowable limits;

(2) High thermal inertia of the reactor, resulting in slow variation of reactor parameters;

(3) Accessibility of the base metal of welded joints for the purpose of diagnostics of the primary pressure boundary;

(4) Arrangement of the primary circuit in premises designed to withstand external impacts, such as earthquakes, shock waves, aircraft crashes, etc.;

(5) Provision of a sufficient design strength margin for all components of vessel equipment. For example, the vessel system retains its performance characteristics in all possible operation modes, including accidents;

(6) Seismic design of the primary circuit equipment;

(7) The overpressure protection system prevents overpressure in the primary circuit regardless of the condition of electric control circuits and of personnel actions.

Retention of radioactive fluids at primary circuit leaks is provided within the:

(1) Containment;

(2) Leaktight sections of the primary circuit, limited by redundant fast response isolation valves installed inside the containment;

(3) Isolation sections of the PCU and SCS cooling water systems, limited by redundant fast response isolation valves installed inside the containment.

Retention of radioactive products within the containment is achieved through:

(1) Arrangement of reactor plant equipment in a ferroconcrete leaktight containment;

(2) Keeping containment pressure lower than ambient pressure during normal operation;

(3) A system of leaktight hatches and gates in the containment;

(4) Containment resistance to impacts of external natural and human induced events, provided with a design strength margin;

(5) A system of containment radioactivity filtration during normal operation;

(6) Isolation of containment leaktight volume from groundwaters;

(7) Containment diagnostics systems (continuous monitoring for leaktightness).

Ingress of radioactive products to the cooling circuits connected with the environment is prevented through the use of intermediate circuits (PCU and SCS cooling water circuits).

Some major highlights of passive safety design features in the GT-MHR, structured in accordance with the various levels of defence in depth [VII-3, VII-4], are related below.

Level 1: Prevention of abnormal operation and failure

The contributions to this defence in depth level generically come from:

— Proper evaluation and selection of a suitable NPP site;

— Design development based on a conservative approach with strong reliance on inherent safety features and preferential application of passive safety systems;

— Quality assurance of NPP systems and components; quality assurance of all steps in NPP design development and project realization;

— Compliance of NPP operations with the requirements of regulatory documents, technical regulations, and operation manuals;

— Maintenance of operability of safety related structures, systems and components with early detection of defects; application of preventive measures; and timely replacement of expired equipment; effective documentation of the output of all inspection and maintenance activities;

— Provision of required NPP staff qualifications, with a focus on operating personnel, who are to take action during normal and abnormal operation, including pre-accidental conditions and accidents; development of a safety culture.

The GT-MHR plant is being designed in compliance with a quality assurance programme. All design features and parameters incorporate required design margins.

In addition to the generic measures contributing to Level 1 of defence in depth, the GT-MHR incorporates certain design features directly contributing to this level; they are:

— Direct closed gas turbine cycle, which provides considerable simplification, minimizes required NPP equipment and systems, and excludes the steam-turbine power circuit;

— TRISO coated particle fuel capable of reliable operation at high temperatures and burnup levels;

— Helium coolant, which offers good heat transfer properties, does not dissociate, is easily activated and chemically inert. Neutronic properties of helium exclude reactor power growth at coolant density variation;

— Large thermal inertia of the reactor core, large temperature margin between the operation limit and safe operation limit; slow temperature variation during power variation in a manoeuvring mode.

Level 2: Control of abnormal operation and detection of failure

The contributions to this level generically come from:

— Timely detection of defects; timely preventive measures; and on-time equipment replacement;

— Detection and correction of deviations from normal operation;

— Management of abnormal operation occurrences;

— Prevention of the progression of initiating events into design basis accidents using normal operation and safety systems.

The GT-MHR design provides for timely detection and correction of deviations from normal operation caused by malfunctions in external power grids, control systems, and by partial or complete inoperability of the equipment of redundant normal operation systems (pumps, heat exchangers, valves, etc.), as well as for other reasons. Management of abnormal operation is secured by:

— Self-control properties of the reactor, including a large temperature margin between the operation limit and safe operation limit;

— Neutronic properties of the reactor, including negative feedback on reactor temperature and power increase;

— The use of reliable automated control systems with a self-diagnostic capability;

— The use of state of the art operator information support systems.

Stable operation of the reactor plant is provided in case of individual equipment failure such as failure of the PCU cooler module, of the generator gas cooler module, of the SCS heat exchanger section, or of the SCS gas circulator cooler section.

The allowable time for detection and correction of deviations, as well as the allowable power level at various deviations, is determined by safe operation conditions defined by the safety design features of the GT-MHR, such as the use of TRISO coated particle fuel, helium coolant, and graphite as a structural material, etc.

Level 3: Control of accidents within the design basis

The objectives of this defence in depth level are:

— Prevention of progression of design basis accidents into beyond design basis accidents, executed through the use of safety systems;

— Mitigation of those accident consequences that could not be prevented by localization of released radioactive substances.

In the GT-MHR, effective control of design basis accidents is ensured by:

— Strong reliance on the inherent safety features, such as negative reactivity feedback and natural processes;

— Preferential use of passive safety systems;

— Conservative approach used in the design of protective barriers and safety systems;

— Residual heat removal from the reactor in accidents, carried out without external power sources, control signals or human intervention;

— The limitation of radiation consequences of accidents via localization of released radioactive substances and radiation.

Provisions for effective control of design basis accidents are incorporated in the GT-MHR design. The key design components for this are safety systems and localization safety systems. Support and control systems are provided too; however, their role is not as critical as in existing NPPs, due to broader use of inherent safety features and passive safety systems in the GT-MHR.

According to redundancy and diversity principles, two independent systems are provided to shut down the reactor and keep it in a safe subcritical state.

Heat removal systems include a passive heat removal system, the RCCS, which comprises two independent cooling channels of equal efficiency.

During primary circuit depressurization, reactor core cooling does not require compensation of coolant loss. Radioactive products are localized by the containment system and by fast response shut-off valves.

Level 4: Control of severe plant conditions, including prevention of accident progression and mitigation of consequences of severe accidents

The objectives of this defence in depth level are:

— Prevention of beyond design basis accidents and mitigation of their consequences;

— Protection of the leaktight boundary against destruction during beyond design basis accidents and maintenance of its operability;

— Return of the NPP to a controllable condition when the chain reaction of fission is suppressed and continuous cooling of the nuclear fuel and retention of radioactive substances within the established boundaries are provided.

The GT-MHR plant design provides for the means of beyond design basis accident management such as:

— Prevention (decrease) of radioactive product release into the environment, which is achieved through incorporated physical barriers;

— Ensuring that final stable and safe conditions are reached when the chain reaction of fission is suppressed and when continuous cooling of nuclear fuel and retention of radioactive substances within established boundaries are provided.

In the case of failure of safety components and systems, management of beyond design basis accidents can be executed by personnel. This requirement is fulfilled by:

— Reactor design safety features, which limit the progression of accidents;

— The characteristics of passive safety systems;

— The capabilities of normal operation systems;

— Large time margins for implementation of accident management measures.

High heat storage capacity of the reactor core and high acceptable temperatures of the fuel and graphite allow for passive shutdown cooling of the reactor in accidents, including LOCA (heat removal from the reactor vessel by radiation, conduction and convection), while maintaining fuel and core temperatures within allowable limits.

Safety for the population in beyond design basis accidents is secured by specific features of the reactor design, without requiring on-line intervention of personnel.

The time margin available for personnel to take action in an accident management scenario varies from several dozens of hours to several days from the moment of accident initiation.

Level 5: Mitigation of radiological consequences of significant release of radioactive materials

The objective of this level is generically achieved by preparation and implementation (if needed) of plans for response measures within and beyond the NPP site.

Analysis of radiological consequences of beyond design basis accidents (including the most severe accident with primary circuit depressurization accompanied by the actuation failure of shutdown systems, NPP blackout, and long term loss of all PCU and SCS active heat removal systems), performed at the GT-MHR plant design development stage, showed that no accident prevention measures are required either within or beyond the NPP site.