The probability of unacceptable radioactivity release beyond the plant boundary is targeted to be less than 1 x 10-7/year.

X-7. MEASURES PLANNED IN RESPONSE TO SEVERE ACCIDENTS

Due to the above mentioned features provided in the reactor, no adverse effects in the public domain are anticipated.

X-8. SUMMARY OF PASSIVE SAFETY DESIGN FEATURES FOR CHTR

Tables X-2 to X-6 below provide the designer’s response to questionnaires developed at an IAEA technical meeting, “Review of passive safety design options for SMRs”, held in Vienna on 13-17 June 2005. These questionnaires were developed to summarize passive safety design options for different SMRs according to a common format, based on the provisions of IAEA Safety Standards [X-4] and other IAEA publications [X — 5, X-3]. The information presented in Tables X-2 to X-6 provided a basis for the conclusions and recommendations of the main part of this report.

#	Safety design features	What is targeted?
1.	High negative Doppler (fuel temperature) coefficient	Reduction of the extent of overpower transient so as to keep the maximum fuel (kernel of TRISO coated particle fuel) temperature less than 1600°C
2.	Burnable poison in fuel
3.	Small excess reactivity
4.	Pb-Bi coolant — reactivity effects (void, power, temperature, etc.) are negative
5.	Negative moderator temperature coefficient
6.	Low core power density
7.	TRISO coated particle fuel	Low probability of release of fission products and gases even at very high temperatures of up to 1600°C
8.	High heat capacity ceramic core	Large thermal inertia ensures slow temperature rise of fuel even when all heat sinks are lost
9.	Use of Pb-Bi eutectic alloy as coolant	Chemically inert to water and air at high temperature
		High boiling point and good thermal properties increases reliability of heat removal from the core
		Operating temperature that is much below the boiling point — results in a low pressure system, reducing the possibility of high pressure related accidents as well as facilitating the use of carbon based coolant tubes so as to improve neutron economy
		In the case of a leakage, it solidifies, preventing further leakage as well as retaining the radioactive nuclides present in the coolant
10.	Heat removal from the core by natural circulation	Elimination of pump failure related initiating events, such as Loss of Coolant Flow
11.	Passive power regulation system	Passive power regulation
12.	Two independent shutdown systems	Redundancy in reactor protection during transient/postulated accident conditions
13.	A system of gas gap filling with high conductivity molten metal	Passive means of core heat removal under abnormal conditions and of transfer of heat to a heat sink outside the shell.
14.	Heat pipe based heat removal system during normal operation	Transfer of heat passively from coolant to heat utilizing system vessels
15.	Variable conductance heat pipes	Heat dissipation from coolant to the outside environment during postulated accident conditions
16.	Carbon-carbon composite heat pipes	Heat dissipation from the reactor core to the outside environment during postulated accident conditions
17.	Large capacity heat sink outside the outer steel shell	Absorb neutronically limited power fully in case of postulated accident condition

#	Specific hazards that are of concern for a reactor line	Explain how these hazards are addressed in an SMR
1.	Prevent unacceptable reactivity transients	• Passive power regulation and shutdown systems • Highly negative Doppler (fuel temperature) coefficient • TRISO coated particle fuel — capable of withstanding very high temperature and retaining fission products • Large heat capacity all ceramic core, resulting in slow temperature rise • Negative moderator temperature coefficients • Three redundant and passive heat removal systems to dissipate neutronically limited power to the atmosphere/heat sink • Pb-Bi coolant, ensuring that reactivity effects (void, power, temperature etc.) are negative
2.	Avoid loss of coolant	• Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in case of a break in the circuit and eventually solidifies • Natural circulation of Pb-Bi coolant in normal operation mode with no piping or joints in the circuit, thus reducing chances of loss of coolant • High boiling point of Pb-Bi coolant (1670°C)
3.	Avoid loss of heat removal	• Natural circulation of Pb-Bi in normal operation mode • Three redundant and passive heat removal systems to dissipate neutronically limited power to atmosphere/heat sink under postulated accident conditions
4.	Avoid loss of flow	• Natural circulation of Pb-Bi coolant in normal operation mode; No piping or joints in the circuit, thus avoiding the possibility of loss of flow
5.	Avoid exothermic chemical reactions: Graphite fire (Reaction with oxygen/water)	Graphite with SiC as outer coating is unlikely to burn
Blanket of inert gas on top of the coolant
Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in the case of a break in the circuit and eventually solidifies — low probability of ingress of a large quantity of air
Water ingress in the core and contact with the graphite is an unlikely event, as water is present only as an ultimate heat sink outside the thick steel vessel with no openings
6.	Polonium activity (specific for lead-bismuth eutectic cooled reactors)	-Inert gas blanket provided on top of the coolant prevents coolant from coming in contact with air thus preventing the release of radioactivity — In case of a leak; coolant will solidify, preventing further leakage

TABLE X-4. QUESTIONNAIRE 3 — LIST OF INITIATING EVENTS FOR ABNORMAL OPERATION OCCURRENCES (AOO)/DESIGN BASIS ACCIDENTS (DBA)/BEYOND DESIGN BASIS ACCIDENTS (BDBA)

List of initiating events forAOO/DBA/BDBA typicalfor a reactor line (heavy liquid metal cooled reactors)	Design features of CHTR used to prevent progression of initiating events to AOO/DBA/BDBA, to control DBA, to mitigate BDBA consequences, etc.
Inadvertent withdrawal of one control rod of the passive power regulation system creating positive reactivity	-High negative Doppler (fuel temperature) coefficient
-Passive power regulation and shutdown systems
-Negative moderator temperature coefficient
-Pb-Bi coolant, for which reactivity effects (void, power, temperature, etc.) are negative
Loss of load accident	-Highly negative Doppler (fuel temperature) coefficient
-Two redundant and passive heat removal systems to dissipate the neutronically limited power to a heat sink
-Passive power regulation and shutdown systems
-Large heat capacity of the all ceramic core results in a slow temperature rise
-Low core power density
-TRISO coated particle fuel with high temperature margin to failure
Loss of coolant accident	-High negative Doppler (fuel temperature) coefficient
-Passive shutdown system
-Carbon-carbon composite heat pipes provided in the core to dissipate heat
-Large heat capacity of the all ceramic core results in a slow temperature rise
-Low core power density
-TRISO coated particle fuel with high temperature margin to failure
Air ingress to the primary coolant system	-Graphite with SiC as outer coating is unlikely to burn
-Blanket of inert gas on top of the coolant
-Low pressure, high density, and high melting point Pb-Bi coolant leaks out very slowly in the case of a break in the circuit and eventually solidifies; creates low probability of a large quantity air ingress

#

1.

2.

3.

4.

Initiating events specific to this particular SMR

Nothing in particular specified here

#	Safety design features	Category: A-D (for passive systems only), according to IAEA-TECDOC-626 [X-4]	Relevant DID level, according to NS-R-1 [X-4] and INSAG-10 [X-5]
12.	Two independent shutdown systems	Reduction of the extent of possible overpower transient so as to keep the maximum fuel (kernel of TRISO coated particle fuel) temperature less than 1600°C — One B, and the other D Loss of load accident — One B, and the other D Loss of coolant accident — One B, and the other D	2, 3
13.	A system of gas gap filling with high conductivity molten metal	Loss of load accident — A	3
14.	Heat pipe based heat removal system during normal operation	B	1, partially 3
15.	Variable conductance heat pipes, intended to dissipate core heat	Loss of load accident— B	3
16.	Carbon-carbon composite heat pipes, intended to dissipate core heat	Loss of coolant accident — B	3
17.	Large capacity heat sink outside the outer steel shell	Loss of load accident — A	4
18.	Construction of the reactor in an underground pit	External events — A	4

TABLE X-6. QUESTIONNAIRE 5 — POSITIVE/NEGATIVE EFFECTS OF PASSIVE SAFETY DESIGN FEATURES IN AREAS OTHER THAN SAFETY

Natural circulation of heavy metal Saving in pump costs and associated coolant components; saving due to simplified

design and maintenance

Passive heat removal based on gas Simplified design and maintenance with gap filling with molten metal in an associated reduction in cost accident conditions

REFERENCES TO ANNEX X

[X-1] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Small Reactor Designs Without On-site Refuelling, IAEA-TECDOC-1536, IAEA, Vienna (2007).

[X-2] INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Innovative Small and Medium Sized Reactor Designs 2005: Reactors with Conventional Refuelling Schemes, IAEA-TECDOC-1485, IAEA, Vienna (2006).

[X-3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA — TECDOC-626, IAEA, Vienna (1991).

[X-4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).

[X-5] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).

[X-6] INTERNATIONAL ATOMIC ENERGY AGENCY, Advanced Nuclear Power Plant Design Options to Cope with External Events, IAEA-TECDOC-1487, IAEA, Vienna (2006).

CONTRIBUTORS TO DRAFTING AND REVIEW

Delmastro, D.	Comision Nacional de Energia Atomica, Centro Atomico Bariloche, Argentina
Carelli, M.	Westinghouse Science and Technology, USA
Petrovic, B.	Westinghouse Science and Technology, USA
Mycoff, C.	Westinghouse Science and Technology, USA
Gautier, G.-M.	DER/SESI/LESA CEA Cadarache, France
Delpech, M.	CEA-Saclay-DEN-DDIN, France
Naviglio, A.	The University of Rome ‘La Sapienza’, Italy
Cumo, M.	The University of Rome ‘La Sapienza’, Italy
Nishimura, S.	Central Research Institute of Electric Power Industry (CRIEPI), Japan
Nayak, A. K.	Reactor Engineering Division, Thermal Hydraulics Section, Bhabha Atomic Research Centre, India
Devictor, N.	CEA/DEN/DER/SESI/LCFR, France
Saha, D.	Reactor Engineering Division, Bhabha Atomic Research Centre, India
Dulera, I. V.	Reactor Engineering Division, Bhabha Atomic Research Centre (BARC), Trombay, Mumbai, India
Shepelev, S.	Experimental Design Bureau of Machine Building (OKBM), Russian Federation
Lepekhin, A. N.	Experimental Design Bureau of Machine Building (OKBM), Russian Federation
Sienicki, J. J.	Innovative Systems Development, Nuclear Engineering Division, Argonne National Laboratory (ANL), USA
Wade, D. C.	Nuclear Engineering Division, Argonne National Laboratory (ANL), USA
Minato, A.	Nuclear Energy Strategy Office, Central Research Institute of Electric Power Industry (CRIEPI), Japan
Sinha, R. K.	Reactor Engineering Division, Bhabha Atomic Research Centre (BARC), Trombay, Mumbai, India
Kuznetsov, V.	International Atomic Energy Agency, Vienna, Austria

Structure of the IAEA Nuclear Energy Series

Key		Examples
BP:	Basic Principles	NG-G-3.1:
O:	Objectives	NP-T-5.4:
G:	Guides	NF-T-3.6:
T: Nos. 1-6: #:	Technical Reports Topic designations Guide or Report number (1,2, 3, 4, etc.)	NW-G-1.1

Nuclear General (NG), Guide, Nuclear Infrastructure and Planning (topic 3), #1 Nuclear Power (NP), Report (T), Research Reactors (topic 5), #4 Nuclear Fuel (NF), Report (T), Spent Fuel Management and Reprocessing, #6 Radioactive Waste Management and Decommissioning (NW), Guide, Radioactive Waste (topic 1), #1

[1] IAEA-TECDOC-936 [5] defines an innovative design as a design “that incorporates radical conceptual changes in design approaches or system configuration in comparison with existing practice” and would, therefore, “require substantial R&D, feasibility tests and a prototype or demonstration plant to be implemented”.

[2] Throughout this report, ‘passive shutdown’ denotes bringing the reactor to a safe, low-power state with balanced heat production and passive heat removal, with no failure to barriers preventing radioactivity releases to the environment; all relying on inherent and passive safety features only, with no operator intervention, no active safety systems involved, and no requirement for external power and water supplies, as well as with the grace period infinite for practical purpose.

[3] Some PWRs use primary circuit with internal steam generators but have external control rod drives, such as the Republic of Korea’s SMART [2].

[4] A relatively large coolant inventory in the primary circuit, resulting in large thermal inertia

[5] Inherent safety features provided by design and contributing to larger thermal margins, lower parameter variation, better reactor self-control, slower pace of transients, and damping of perturbations in design basis events. These features are highlighted in numbers 1-13 of Table 3;

(2) All designs incorporate at least two redundant and diverse shutdown systems; see numbers 14-24 of Table 3. These systems may be passive, such as those using mechanical control rods inserted into the core driven by gravity or by the force of springs, or active, such as those using standard mechanical control rods. Some passive systems are passively actuated, e. g., by system de-energization, by core temperature sensor, or other means. The role of safety injection systems with borated water is essentially reduced in some cases, e. g., in the IRIS and SCOR, or the function of a safety injection is coupled with core uncovery prevention, e. g., in the CAREM-25. Safety injection may be passive (IRIS) or active (SCOR); it may also be actuated passively, by disk rupture due to an overpressure situation (CAREM-25). For some designs (KLT-40S), safety injection of borated water is not indicated at all;

(3) All pressurized water SMRs incorporate passive residual heat removal systems of various design, often redundant, based on natural convection of the coolant; see numbers 25-32 of Table 3. Features of PWR type SMRs such as reduced core power density, relatively large coolant inventory in the primary circuit, or a taller reactor vessel, discussed in more details above, in conjunction with levels 1 and 2 of defence in depth, contribute to passive residual heat removal that is effective under a total power station blackout, with an increased or practically infinite grace period. It can be emphasized that all decay heat removal systems in all PWR type SMRs are passive, and most of them require no operator action to become actuated;

(4) Finally, numbers 33-36 of Table 3 indicate design features or systems dedicated to prevention of core uncovery in design basis accidents. These may include automatic depressurization systems, safety relief valves, long term gravity make-up systems and emergency boron injection systems also acting as make-up systems. All of the indicated systems are passive and passively actuated.

[6] KLT-40S — Exclusion of staff presence in compartments adjacent to the containment and in other compartments

with high radiation levels.

-To limit radiation dose to the population living within a 1 km radius of the floating NPP it may be required (depending on the actual radiation situation) that some protective measures, such as iodine prophylaxis or sheltering, are implemented.

-As a protective measure, temporary limits could be established on the consumption of separate agricultural products grown in an radius of up to 5 km from the floating NPP contaminated by radioactive products.

-Evacuation of the population is not required at any distance from the floating NPP.

2 IRIS — Measures essentially not needed. An option to license IRIS with reduced or eliminated off-site

emergency planning is under consideration; otherwise, the plant could be licensed using measures typical of a conventional PWR.

3 CAREM-25 — Measures essentially not needed. An option to license CAREM with simplified or abandoned off-site

emergency planning requirements is considered, with a link to the risk-informed regulatory criteria for BDBA (see Fig. 6 and Annex III).

4 SCOR — No information was provided except for that on passive safety design features eliminating or preventing

radioactivity releases beyond the plant boundary.

5 MARS — Deterministic and probabilistic safety analyses performed conclude that licensing of MARS may not

require any off-site emergency planning.

[7] Long term passive decay heat removal may cause degradation of core structures, e. g., via graphite oxidation, etc., therefore, early restart of normal operation systems is targeted in management of design basis accidents to facilitate continuation of normal operation of the plant after the accident.

[8] It should be noted that features of liquid metal cooled reactors such as passive load following and ‘passive shutdown’ have been more analyzed in the past for smaller reactors, such as EBR-II with 65 MW(th) or PRISM with 850 MW(th). However, for sodium and lead cooled fast reactors, there is no reason such features can’t be realized in larger reactors with nitride or metallic fuel. Certain analytical studies carried out in the past provide preliminary proof of this [26, 27, 28].

a It is noted that the operation of these systems may actually be unnecessary because the inherent and passive features are in any case capable of ensuring a ‘passive shutdown’, i. e., bringing the reactor to a safe low power state with balanced heat production and passive heat removal, with no failure of the barriers preventing radioactivity release to the environment, and with a practically indefinite grace period.

independent and redundant active or passive shutdown systems are available for cases in which all other measures of control and prevention turn out to be ineffective.

For Level 3 of defence in depth, “Control of accidents within design basis”, the contribution comes from the following main groups of design features:

[10] Inherent safety features, highlighted in numbers 1-8 of Table 30. In addition to the features already discussed in conjunction with defence in depth Levels 1 and 2, it is important to note negative whole core void worth provided by design in the 4S-LMR and inherent features of the lead cooled SSTAR and STAR — LM, practically eliminating the option of coolant boiling or gas bubbles arriving at the core (preventing the propagation of a design basis accident into a severe accident with transient overpower);

[11] By-design provisions for certain passive mechanisms such as radial expansion or enhanced levels of natural convection in the primary coolant system, highlighted in numbers 9-12 of Table 30;

[12] Two independent systems of reactor shutdown, provided in each design; see numbers 13-14 of Table 30. These operate based on gravity in the 4S-LMR, while in the SSTAR and the STAR-LM both systems are active and safety grade. For the SSTAR and STAR-LM, it is mentioned that the operation of these systems may actually be unnecessary because inherent and passive features are in any case capable of ensuring a ‘passive shutdown’ of the reactor;

[13] Not less than two redundant and diverse passive decay heat removal systems in each design, with some of them, possibly, providing several passive decay heat removal paths, and all using natural draught of air as an ultimate heat sink; see numbers 15-16 of Table 30;

[14] Special design features provided to prevent or mitigate the effects of pressurized medium from the power circuit getting into the primary circuit; see numbers 17-18 of Table 30.

[15] Inherent and passive safety features ensure lower probability of radioactivity material release to the environment (compared to present day light water reactors)

[16] Use of an all-ceramic core with high heat capacity and high

temperature margins

[18] High density of Pb-Bi coolant, comparable to the density of the fuel

[19] It should be noted that all known designs and concepts of lead cooled reactors foresee no intermediate heat transport system, even if a steam turbine cycle is used for power conversion, which is most common [18].

[20] Supercritical carbon dioxide Brayton cycle energy conversion with CO2 working fluid that does not react chemically with Pb primary coolant

[21] The ‘soft’ pressurizer system is characterized by small changes in primary pressure under a primary coolant temperature increase.

[22] ‘Passive shutdown’ is used by designers to denote bringing the reactor to a safe low power state with balanced heat production and passive heat removal, with no failure to the barriers preventing radioactivity release to the environment; all relying on inherent and passive safety features only, with no operator intervention or active safety systems being involved, and no external power and water supplies being necessary, and with an infinite grace period for practical purpose.

[23] National regulations in some Member States are already technology neutral; examples are the United Kingdom or the Russian Federation.

[24] Risk informed regulations for beyond design basis accidents are already in place in some Member States, e. g., Argentina.

[25] Annex IV gives an example of how operation complexity of a plant could be quantified and used in comparative assessments of different design solutions.

[26] Failure surface [23] is an experiment backed predicted boundary of reliable operation of a passive safety system defined against all variables that may affect performance of such a system; it is used to support subsequent root cause analysis (actually, the failure surface defined in [23] is of iterative nature, also supporting identification of those tests that are still missing).

[27] In this context, an ‘item’ is a structure, system or component [2].

[28] A ‘soft’ pressurizer system is characterized by small changes of the primary pressure under a primary coolant temperature increase. This quality, due to a large volume of gas in the pressurizing system, results in an increased period of pressure increase up to the limit value under the total loss of heat removal from the primary circuit. For KLT-40S, the corresponding time is not less than 1.5 hours after the accident starts.

[29] The control area boundary coincides with the FPU boards, to the bow and stern directions it coincides with the monitored area boundaries, see Fig. I-2.

* Additional criteria for beyond design basis accidents not resulting in core damage