Design principles

The main systems necessary to remove decay heat are primary circuit CO2 circulation and secondary circuit boiler feedwater. Such systems generally involve circulators and pumps which require electrical and auxiliary systems to function, e.g., circulator seal oil.

The condensing cooling water system will normally also be used post-trip to condense secondary side steam and return feedwater to the boilers. Loss of this system can be tolerated, however, as the boiler steam can be discharged to atmosphere. The key design criterion is therefore an adequate guaranteed supply of feedwater from tanks or mains supplies.

In addition, it is important to provide information on the plant state and confirmation of the satisfactory operation of the post-trip heat removal system to the operator. Required systems therefore include instrumentation together with any necessary control facilities where there is operator involvement. For example, the operator may be able to correct any post-trip cooling system failures. Reasonable access provision is therefore required to any local control where the operator may be expected to take action, and systems may be provided to enhance main control room habitability.

It is then necessary to show that the post-trip cooling duty, which must be initiated within a relatively limited time of a shutdown or trip, is met on a reliable basis. The systems design should have adequate redundancy to cover, for example, plant out for maintenance or plant failures. For relatively frequent events such as normal shutdowns, the reliability of the post-trip heat removal system must be extremely high. This may be achieved on magnox stations by continuing to run the normal cooling system. For extremely unlikely faults, the design target reliability can be reduced to achieve the same overall risk level.

Finally, in essential system design, it is necessary to establish whether systems should be initiated and operated automatically or whether the operator should carry out this role. Generally, the operator can only be used where actions are relatively straightforward and well defined and the timescale available for action is a minimum of some 15 to 30 minutes. Other relevant factors include whether actions can be taken from the central control room or have to be taken locally on the plant, the complexity of indications available and the consequences of maloperation.