Analysis of the beyond design basis accidents is performed taking into account a superposition of the initiating events (including those not considered in design basis accidents) and the failure of safety systems on top of a single failure, as well as the additional failure of normal operation systems, and their possible combinations that may affect the propagation of accidents.

Additional failures affecting emergency heat removal from the reactor core include a blackout that leads to a reactor shutdown cooling by the RCCS.

In addition to this, the list of beyond design basis accidents for the GT-MHR includes the postulated simultaneous failure of all heat removal systems — the PCU, the SCS, and the RCCS. This beyond design basis accident is considered in the design to derive the maximum time margin for personnel to take accident management actions aimed at preventing the violation of safe operation limits for fuel temperature in the reactor core, for temperatures of in-vessel metal structures, the reactor vessel, and the reactor cavity concrete.

Failure of pneumatic double isolation valves to close (which leads to bypassing of the containment) is considered an additional failure, which affects the localization (isolation) function at primary circuit depressurization.

Analysis of the above mentioned beyond design basis accidents is performed under an NPP blackout, which results in the emergency cooling of a shutdown reactor by the RCCS.

Failure of the reactor emergency protection system is considered an additional failure which affects the reactor emergency shutdown function. Emergency protection failure in the GT-MHR means failure of all control rods to be inserted into the reactor core upon a signal by the reactor control system.

Beyond design basis accidents with actuation failure of the reactor emergency protection system are analyzed taking into account a superposition of initiating events and additional failures that affect conditions of emergency heat removal from the reactor, i. e., a NPP blackout and SCS failure to actuate upon request. An NPP blackout leads to a loss of PCU operability and requires SCS actuation. An SCS failure to actuate upon request leads to heat removal from the reactor by the RCCS.

In addition to this, the progression of beyond design basis accidents with primary circuit depressurization and emergency heat removal by the RCCS, including beyond design basis accidents with actuation failure of the reactor emergency protection system, is analyzed under an assumption that it is impossible to restart all active channels for heat removal from the reactor core — the PCU and the SCS — during the entire course of such an accident.