Safety Design and Evaluation in a Large-Scale Japan Sodium-Cooled Fast Reactor
Science and Technology of Nuclear Installations

As a next-generation plant, a large-scale Japan sodium-cooled fast reactor (JSFR) adopts a number of innovative technologies in order to achieve economic competitiveness, enhanced reliability, and safety. This paper describes safety requirements for JSFR that conform to the IAEA defense-in-depth principle. Specific design features of JSFR are a passive reactor shutdown system and a recriticality-free concept against anticipated transients without scram (ATWS) in design extension conditions (DECs). A fully passive decay heat removal system with natural circulation is also introduced for design-basis events (DBEs) and DECs. In this paper, the safety design accommodation in JSFR was validated by safety analyses for representative DBEs: primary pump seizure and long-term loss-of-offsite power accidents. The safety analysis also showed the effectiveness of the passive shutdown system against a typical ATWS. Severe accident analysis supported by safety experiments and phenomenological consideration showed the feasibility of in-vessel retention without energetic recriticality. Moreover, a probabilistic safety assessment indicated that the risk target is satisfied.


Introduction
Since 2006, the Japan Atomic Energy Agency (JAEA) has conducted a fast reactor cycle technology development (FaCT) project in cooperation with the Japanese electric utilities [1]. In this project, a large-scale sodium-cooled fast reactor (SFR) is designed with oxide fuel cores towards its commercialization. This SFR was named the Japan sodium-cooled fast reactor (JSFR), characterized by an advanced loop type reactor with innovative technologies for economic competitiveness, enhanced safety, and improved reliability [2]. Key milestones were set in the project: the determination of innovative technologies to be adopted to JSFR in 2010 and the presentation of the conceptual design of JSFR in 2015. The JSFR demonstration reactor was planned to start its operation in 2025, and research and development (R&D) efforts are currently being made regarding the JSFR design study and innovative technologies.
Several innovative technologies need to be developed in order to meet the safety requirements and the reliability and economic targets. The key concept of this reactor is a two-loop primary heat transport system (PHTS) for a large power output (to 1500 MW electric) and adoption of high-chromium steel pipes to simplify the arrangement of piping, thereby reducing the volume of the building with a concentrated arrangement of major components. These technologies can greatly contribute to reducing the capital cost of the plant. An intermediate heat exchanger (IHX) was integrated with a primary pump in order to make the layout of components compact. A newly designed upper internal structure (UIS) with a single rotational plug allows reduction in the diameter of the reactor vessel. The UIS has a slit of a certain width, where a fuel-handling machine can handle fuel assemblies beneath the UIS without completely removing the UIS itself from the original position. Such innovative technologies could significantly reduce the capital cost, which was estimated at approximately 0.18 Japanese yen per kW electric [3]. The JSFR design substantially mitigates adverse effects caused by sodium leakage or sodium-water reactions in steam generators (SGs). In particular, the leaked sodium can be accommodated by double boundary structures: guard pipes and guard vessels, which cover primary/secondary pipes and vessels, respectively. Besides, access routes for in-vessel structures are provided in the design for the purpose of in-service inspection [4].
JSFR is recognized as one of the Generation IV energy systems. Compared to current generation nuclear reactors, the Generation IV reactors are aimed to have superior features in terms of economics, safety, sustainability, and proliferation resistance. Therefore, the Generation IV SFRs require a number of innovative technologies, for which enormous R&D efforts are necessary. In contrast, evolutionary SFRs with conventional technologies are also being developed in some countries. Though there are two different approaches in the world, the development of SFRs is steadily moving ahead.
The present paper describes conceptual safety designs and related evaluations for JSFR performed in Phase I of the FaCT project (i.e., Japanese fiscal years 2006-2010). Because fast breeder reactors are sure to contribute to future sustainable development, we assume that JSFRs with closed fuel cycle systems would be widely distributed through the global market. Safety design principles of JSFR and their implementation should be consistent with this assumption and also compatible with both economic targets and nuclear proliferation resistance/physical protection. Along this understanding, the safety design concept for JSFR will be developed in this study. Its validity will also be confirmed by safety evaluations for a wide accident range in this paper.

JSFR Safety Design Concept
2.1. Safety Design Requirements. In terms of safety, a development target and design requirements in the FaCT project are shown in Table 1 [3]. It can be said that these targets are basically consistent with the safety-related goals or user requirements in both the Generation IV project [5] and the International Project on Innovative Nuclear Reactors and Fuel Cycles (INPRO) [6].

Deterministic Approach Based on Defense in Depth.
In order to achieve the previously mentioned design requirements SR-1.1 and SR-1.2, we deterministically applied the defense-in-depth (DiD) philosophy, which was defined in the report of INSAG [7], to the same extent as it has been in LWRs. This is because we believe that the validity of DiD philosophy has been proven through the long experience of LWRs and that the DiD philosophy is an adequate strategy to achieve a high level of safety in advanced or innovative nuclear systems for which operational experience is rather limited. Essential to this philosophy are the establishment of a highly reliable system that rarely produces abnormal conditions and the design of measures for accident prevention and mitigation.

Table 1: Development target and design requirements for safety in the FaCT project.
Development target: Safety level shall be equal to future light water reactors (LWRs) and related fuel cycle system.
Design requirements:
SR-1.1: Fundamental safety principles shall be observed. Safety standards and guidelines for former SFRs shall be reflected while specific features of new reactors shall be considered.
Prevention and mitigation against severe accident initiators shall be considered so as to avoid execution of offsite emergency plans.
Total core damage frequency shall be less than 10⁻⁶/reactor-year considering multiple units in a site, and total containment failure frequency in core damage conditions shall be less than 10⁻⁷/reactor-year.

The deterministic approach was also adopted considering design-basis events (DBEs) to specify safety functions such as a reactor shutdown system (RSS) and a decay heat removal system (DHRS) for prevention of core damage. In this approach, it is necessary to have the following aims: (i) selecting DBEs to cover the plant conditions that might lead to core damage; (ii) selecting DBEs for JSFR with a similar sense to those for LWRs, taking into account their safety characteristics; (iii) selecting conservative design conditions, as with those for LWRs, which include a single-failure criterion and conservative treatment of safety parameters in the evaluation.
In recent LWRs, such as ABWR-II, EPR, and AP1000, some design measures to support the containment function are explicitly provided against severe accidents, which are recognized as another level category of design condition in addition to the design-basis approach. Although this category was formerly described as a beyond DBE, it has recently been recognized that some extended function both for prevention and mitigation should be considered more explicitly in the design work. Such conditions for extended safety design are called design extension conditions (DECs) [8]. Therefore, we incorporated the DEC concept explicitly in our safety design policy. Passive safety features are also introduced into extended safety functions against DECs especially to enhance prevention capability. We believe that this safety design policy against DECs allows alleviating undue burden on offsite emergency plans.

Risk-Informed Approach.
In addition to the DiD philosophy, we also adopted a risk-informed approach using a probabilistic safety assessment (PSA) technique that plays a role in considerations on the proportion or balance of different levels of DiD. At the beginning of the FaCT project, we determined that the reference value for large offsite release frequency should be less than 10⁻⁶/site-year by referring to one one-thousandth of the risk encountered in our daily activities. We also paid attention to the specific sequences that could result in large early release so as to limit the frequency to be below that of the other sequences. For a reactor facility, our target for large offsite release frequency becomes the reference value with a further reduction by a factor of at least ten: judging from the fact that one site may already have several reactors, we assumed that about ten reactors would be located in a single site in the future. Therefore, the large offsite release frequency target was set at less than 10⁻⁷/reactor-year (ry). In terms of the safety design of containment function, containment failure frequency (CFF) is a preferable target for designers. In the FaCT project, the CFF was set at less than 10⁻⁷/ry, conservatively ignoring a reduction effect in the environment that can be considered in the large offsite release frequency. Since the containment function could suppress the offsite release of radioactive materials with a further reduction by a factor of ten, the risk target of core damage frequency (CDF) was determined to be less than 10⁻⁶/ry.

Safety Design Concept for JSFR.
Figure 1 shows the framework of safety assurance in JSFR. It also shows the structure of DiD, combined with three major safety functions, namely, reactivity control, heat removal, and containment. First of all, it is important to establish a reliable system by adequate design that stands on sound technologies. Furthermore, adequate operation and maintenance also have an important role in ensuring the first level of DiD. Then, the RSS and DHRS play key roles in the second and third levels of DiD, the objectives of which are the control of abnormal operation and accidents, respectively, as design measures against DBEs. Two independent RSSs (primary RSS and backup one) and a redundant/diverse DHRS with passive operation form sufficient defense lines so that fuel melting does not occur. Therefore, the containment function in these levels plays a role only for the confinement of radioactive materials which are not caused by fuel melting. The fourth level of DiD considers design measures against DECs. In this level, including both prevention and mitigation of severe accidents, the RSS and DHRS provide extended prevention functions (i.e., passive shutdown feature and accident management), and the containment system provides a mitigation function against radioactive material release. Moreover, attention is paid to the chemical activity of sodium so as to minimize and localize its influences.
Each of the safety functions is described in detail in Sections 2.3.1 to 2.3.4. It should be mentioned here that passive safety measures are preferable from the viewpoint of physical protection as well as enhancement of these functions [9]. JSFR has such systems for reactor protection and decay heat removal as described below.

Reactor Shutdown Function.
The RSS has two independent subsystems, namely, primary and backup systems. Each of them, consisting of control rods and their drive and scram mechanisms, is designed to allow for rapid shutdown in order to prevent core damage against DBEs. RSSs are activated by the reactor protection system, which is composed of logic circuits for activation and an instrumentation system for detecting abnormal reactor conditions. In order to avoid common-cause failure and the propagation of failure, the diversity and independence of the two RSSs are promoted as much as possible. The primary RSS has mechanical delatch devices with acceleration by gas pressure for insertion of the control rods, while the backup RSS has electromagnets for the detachment devices. The control rods in the backup RSS are inserted by gravity. Various kinds of detectors are redundantly installed in the reactor protection system. Furthermore, different kinds of detectors are independently assigned to the primary and the backup RSSs against a single DBE.
In case of earthquakes, relative displacement between the core and the control rods might cause oscillatory reactivity insertion as well as hindering the control rod insertion. Both the stiff core barrel with its core-restraint function and the stiff support structure of the control rods are designed to suppress such displacement and oscillation so that the core fuel keeps its integrity against possible reactivity insertion during the postulated earthquake conditions. The seismic isolation of the reactor building has an important role in reducing the input acceleration for the reactor vessel.
When anticipated transients without scram (ATWS) are postulated, the reactor core becomes damaged in the order of minutes, during which period the operators may not be able to achieve any accident management measures to prevent core damage. Hence, a passive shutdown capability, especially against ATWS events, has been desired to bring the plant to the safe shutdown condition without operator action as these reactors become commercialized. In order to cope with ATWS, JSFR introduced passive shutdown capability only for the backup RSS, in parallel with an active reactor protection system and instrumentation system.
A Curie-point electromagnet type self-actuated shutdown system (SASS) has been selected as the most promising provision for JSFR [10]. The SASS concept is schematically illustrated in Figure 2. One of its superior features is simple one-dimensional movement of the control rods with a large negative reactivity, which is triggered once the coolant temperature around a temperature-sensing alloy rises high. This passive actuation principle does not require the activation of the reactor protection system, so that it is not necessary to consider a common-cause failure between the passive and active shutdown systems. This serves to enhance the reactor shutdown capability, resulting in the increase of reliability of the overall RSS. There is a favorable characteristic in that the uncertainty of the reactivity feedback mechanism could be small because of its one-dimensional movement in comparison with other passive safety characteristics, such as radial core expansion. The in-service testability in periodic inspections could also present an advantage in maintaining the reliability and safety levels of the plant. In addition, a stable holding capability during normal reactor operation was demonstrated at the experimental fast reactor Joyo [11].
As previously mentioned, the core-restraint concept permits control rods to insert into the core in case of earthquake in the JSFR with the seismic isolation system. To assure the reactor shutdown capability in case of a huge earthquake, flexible joints are adopted for the driveline of the backup RSS. Thanks to this, the control rods that stand by just above the active core can be inserted even if a large horizontal displacement unexpectedly occurs between the core structures and UIS.

Core Cooling Function.
Since SFRs are generally operated at nearly atmospheric pressure, there is negligible risk of a loss-of-coolant accident, which is a critical issue in LWRs. In terms of maintaining the core cooling function after reactor shutdown, the JSFR necessitates the prevention of both loss of reactor sodium level (LORL) and protected loss of heat sink (PLOHS). In addition, the reduction of the core flow rate due to a PHTS pump failure has a large influence on the short-term core cooling because of its higher power density and because of some positive reactivity feedback of coolant density in the fast reactor core. Particularly, a PHTS pump seizure accident is a critical issue in the JSFR two-loop cooling system. To cope with the PHTS pump seizure accident, the JSFR required some minor but important design modifications, that is, prolonging the delay time to activate the PHTS pump trip sequence (e.g., 1.0 s) and the halving time of the primary flow rate within reasonable range (e.g., 5.5 s) [12].
In the loop-type SFR, unlike the pool-type one, the possibility of LORL due to PHTS piping failure is a concern. In order to prevent the LORL with high reliability, the following systematic design measures were adopted.
(i) The reactor vessel and its guard vessel have no penetration at either the sides or bottom.
(ii) The primary coolant boundaries in the PHTS piping are located in the position above the liquid surface level in the reactor vessel in order to reduce a possible amount of leak.
(iii) The pressure of the secondary heat transport system (SHTS) is kept slightly higher than that of the PHTS so as to prevent the leaking of primary coolant at the interface breach.
(iv) The primary coolant boundaries are enclosed with a leak-tight backup structure (i.e., guard vessel and guard pipe) so as to restrict coolant leakage against the boundary failure.
(v) Decompressing operations (i.e., PHTS pump trip, isolation of the reactor cover gas from its supply system) are automatically actuated so as to prevent the LORL combined with the above item (ii) against double failures in the PHTS boundary and its backup structure.
(vi) The open space between the primary pipe and its guard pipe is partitioned to limit the volume of the leak and prevent LORL.
Concerning the primary coolant leakage, the signal from the leaked sodium level meter inside the guard pipe for a large leak and sodium leak detector for a small leak can activate the reactor shutdown and cooling sequence so that core integrity is maintained.
As to prevention of the PLOHS, the decay heat removal is an important safety function, as in LWRs. In order to achieve sufficient reliability, certain redundancy and diversity are required. The DHRS should be designed so that the core is coolable under DBEs with a single-failure criterion as well as under DECs such that a long-term station blackout should be considered in the design. In addition, the DHRS should satisfy the reliability target value in order to achieve the reference CDF in the sense of the probability [12].
In general, a passive DHRS without any active components has higher reliability than an active system. The failure probability of a passive system is dominated by those of the vessel, pipes, and heat exchangers. Such probabilities are smaller than those of start-up or operation of active components (e.g., pumps, blowers). Thus, the passive DHRS is suitable for rational design from the viewpoints of minimizing redundancy and of suppressing subsystems such as the emergency power supply system. The current JSFR design adopts a combination of one loop of direct reactor auxiliary cooling system (DRACS) and two loops of primary reactor auxiliary cooling system (PRACS). These DHRSs can be operated under fully passive condition, which means that, without pumps and blowers, it is required only to activate the DC-power-operated dampers of the air coolers. The damper system has redundancy so that it does not lose its function even considering the single-failure criterion; that is, each air cooler has two dampers in parallel so that an opening failure of a single damper causes less than a 50% reduction in the air flow rate. In addition, diversity is taken into account in the mechanical design of the dampers between DRACS and PRACS. JSFR is suitable for natural circulation cooling due to its simple and short piping connection and due to the lower pressure loss of the core design, as well as the sufficient height difference between the core and the heat exchangers. Both DRACS and PRACS have a sodium-sodium heat exchanger inside the PHTS. Therefore, they are not affected by the abnormal conditions initiated in the SHTS and the steam-water systems.
For DECs, accident management can be expected to prevent core damage because the grace period is long enough for operators to implement it. With PSA results, effective accident management measures are being proposed (e.g., additional damper system).

Containment Function.
The reinforced reactor block of the JSFR reactor building is designed to form a leak-tight containment boundary, the leak rate of which is 1%/day. The containment is surrounded by a confinement area, where an emergency gas treatment system is installed. The function of the confinement area is to reduce the release rate of radioactive materials through the penetrations of piping at the containment boundary.
In the conventional safety design, the containment system has been designed to withstand a significant mechanical load resulting from core disruptive accidents (CDAs) [13]. Such an approach is not suitable for future reactors, which should meet the development target and at the same time should have economic competitiveness. To significantly reduce the loads on the containment, the JSFR safety design pursues achieving in-vessel retention (IVR), which is defined as termination of CDAs within the reactor vessel, utilizing the advantageous features of SFR (i.e., the low-pressurized system and the superior cooling performance of liquid sodium). A special fuel assembly feature was suggested to eliminate a severe recriticality occurrence resulting in a mechanical load on the containment in CDAs as well as limiting the sodium void worth. For core debris retention within the reactor vessel, a multilayered structure was provided at the bottom of the reactor vessel.
In conventional SFRs, a sodium leak accident resulting in a little sodium combustion on the containment vessel was regarded as a representative DBE for the containment function. The double boundary system in the JSFR allows no significant impact on the containment due to sodium leak because of the accommodation of its consequence in the guard pipe. As an example of DBE, therefore, the break of cover-gas piping under the stop of air conditioning device operation due to the containment isolation is anticipated to confirm the containment function. Such an event is expected to give less significant impact on the containment vessel as the last barrier in the JSFR.
Although external events are out of the scope yet in the present conceptual design stage, several practical measures against external threats on the containment are being discussed.

Design Measures against Chemical Reaction of Sodium.
The JSFR is a system concept suitable for the implementation of a complete double-wall structure (i.e., inner piping and guard piping) for both the PHTS and SHTS, combined with their short and simple pipe connection, as shown in Figure 3.
The PHTS double-wall structure enables us to prevent or minimize the combustion of leaked sodium in addition to prevention against LORL. Even if a sodium leak resulting from a primary pipe failure occurs, the chemical interaction of the sodium can be prevented in the space between the primary pipe and its guard pipe, which is filled with nitrogen gas, as long as the external boundary is intact. The limitation of this space volume gives no impact on the reactor coolant level. According to safety analyses performed separately from this study, the core integrity can be ensured though the coolant leak rate through the flaw depends on the event sequence. A similar boundary structure is also applied to the SHTS, where a boundary failure does not lead to LORL, as a design measure against sodium leak caused by the inner pipe failure. In the JSFR, the SHTS guard pipe is called an enclosure. The adoption of the enclosure for the SHTS comes from the viewpoints not only of safety but also of plant availability, considering the fact that the influence of the social acceptance was fairly significant in a sodium leak accident in the SHTS of the prototype fast reactor Monju.
We expect introduction of a leak-before-break concept for high-chromium ferrite steel to contribute to minimizing the leak rate in coolant boundary failures and to eliminating the possibilities for an abrupt decrease in coolant flow in the reactor core. Although there are some R&D elements required for introduction of the leak-before-break concept, it would be feasible to accommodate sodium leak detection in the annular region between the inner and guard piping. With that in mind, a double-ended break of the inner piping should be taken into account in the DEC of the safety evaluation in order to verify the tolerance of the guard piping.
At the beginning of the FaCT project, a double-wall structure has been proposed for the heat transfer tubes in the SGs in order to suppress the probability of an SG tube leak event to an extremely unlikely level during the plant lifetime. This feature corresponds to the aim of achieving higher plant availability by excluding plant outage caused by an SG tube leak as well. Although this concept is technically feasible, the adoption of an alternative concept is also considered for the demonstration JSFR by the project judgment in the FaCT Phase-I [2]. JSFRs are designed to be equipped with an SHTS and related subsystems (e.g., early leak detection, the steam-water side pressure release, rupture disks in the SHTS) that have the role of preventing core damage due to the sodium-water reaction postulated in case of an SG tube leak.

Safety Evaluations for DBE
3.1. Event Selections for DBEs. According to the current licensing practice in Japan, two event categories were set up within the frame of DBEs, namely, abnormal transients and accidents. Abnormal transients are defined as events that lead to abnormal conditions due to anticipated failure or malfunction of a single component or a single erroneous operation. Accidents are defined as unlikely events that might lead to the release of radioactive materials outside the facility. The prevention systems against the events to be classified as accidents were designed so as to limit the annual occurrence frequency to below 10⁻²/ry, which means a frequency of less than once per reactor lifetime.
In the current stage, it is important to choose and evaluate typical events, which are critical for determining the design conditions of the major safety function. In this paper, a loss-of-flow (LOF) type event was described to validate the RSS design. A loss-of-offsite power event was also described to validate the DHRS design. A comprehensive evaluation for all the selected DBEs will be conducted in the FaCT Phase-II.

Safety Criteria and Conditions for DBEs.
Basic requirements for abnormal transients and accidents are the same as those of current LWRs in Japan. Namely, the requirement for abnormal transients is that recovery to normal operation is possible after the transient event is terminated. This means that fuel pin and plant damage are negligible. The requirement for accidents is that the core should be coolable without significant damage and provide no significant public exposure.
Along with these requirements, specific safety criteria for the hottest fuel pin in the core were tentatively defined in the FaCT Phase-I. The maximum temperature of fuel is limited by its melting temperature for both abnormal transients and accidents. In case of fuel melting, the radial expansion of fuel pellet induced by the internal pressure in the molten fuel cavity causes a mechanical load on the cladding tube. The failure of cladding tube could not occur under small melt fraction condition due to the lower fuel smear density of 82% [14]. Nevertheless, the criteria for accidents were conservatively taken because of no experimental data for fuel pins under a high burn-up condition, which is targeted in the JSFR. The maximum cladding temperature is set tentatively, based on the developed austenitic stainless steel database as well as available data for oxide dispersion-strengthened steel, which is now under development for its use in the JSFR. According to the results of transient burst tests of cladding tube, where the temperature increase rate and the hoop stress of reactor case were simulated, the failure limit temperature with 95% reliability was obtained over 900°C. The maximum cladding temperature for accidents was determined at 900°C.
For abnormal transients, it was set at 830°C with larger margin in order to make the damage negligible. Since the oxide dispersion-strengthened steel is expected to have higher strength compared with austenitic steel, it is necessary to develop a database for the oxide dispersion-strengthened steel cladding tubes, especially for irradiated ones. The cumulative damage fraction of cladding, for which creep damage is taken into account, is calculated to be unity when the cladding tube failure occurs. The value for abnormal transients was provided as negligible contribution to cladding damage. For accidents, the value was obtained by subtracting the contribution of normal operation, abnormal transients, and fuel-handling from unity. The maximum temperature of coolant was limited to its boiling temperature in order to avoid both significant cladding damage and rapid positive reactivity insertion due to coolant boiling.
The uncertainties of parameters and conditions in the evaluations were conservatively treated. A core burn-up state was selected so as to provide the most severe evaluation results, and sufficient uncertainties were considered in its reactivity coefficients. The single-failure criterion was applied to active components, of which failure provides the most severe result. Loss-of-offsite power was assumed when the mitigative systems, which require electric power for operation, were expected to activate. The effect of nonsafety grade systems was not counted in the evaluation.

Loss-of-Flow-(LOF-) Type Events.
In general, the PHTS pump seizure accident in one loop tends to produce severe consequences in DBEs compared with conventional three- or four-loop design. Because of the two-loop system, this accident would become a critical safety issue in JSFR. However, some design adjustments described in Section 2.3.2 make it possible to restrict the maximum cladding temperature within the safety criterion. Each RSS was designed so as to independently shut the core down within the cladding temperature limit. The primary RSS can be activated by signals indicating "low ratio of primary pump speed to neutron flux" and "low ratio of primary flow rate to neutron flux." These signals can be adapted to a low power operation. The backup RSS is activated by another signal with a different mechanism. A plant dynamics calculation method was used for this analysis in a similar way to that performed in the past [12].
In the analysis, the seizure is assumed to occur instantaneously in the failed pump, whereas the flow halving time was assumed to be 4.5 s with a 1.0 s delay of pump trip in the intact pump after the actuation of the trip signal. The response times of scram signals for primary and backup RSSs are set to 0.45 s and 0.55 s, respectively. Figure 4 shows calculated temperatures of fuel and cladding in the hottest pin for the primary RSS case in a full-power operation. The activation signal was the "low ratio of primary pump speed to neutron flux" signal. The calculated temperatures of fuel and cladding are 2373 and 870°C at maximum, respectively, which are less than the safety criteria.
The pump seizure accident has also been calculated assuming the activation of the backup RSS, as presented in Figure 5. The calculated maximum temperatures of fuel and cladding are 2375 and 893°C, respectively. These results satisfy the safety criteria, although the safety margin is small. It should be noted that the margin to the safety criteria can be enlarged by some design adjustments, such as the PHTS pump trip sequence and the PHTS flow rate halving time. In the low power operation, the calculated maximum temperatures of fuel and cladding were lower than those in the full-power operation by approximately 200°C.

Decay Heat Removal.
For a fully passive feature like this DHRS, the evaluation for abnormal transients is very important, especially from the viewpoint of fuel integrity during the slower transient events for the establishment of stable coolant circulation. A loss-of-offsite-power transient analysis has been done with the same calculation procedure as the pump seizure accident analysis mentioned above. In this event, the fully natural circulation capability of one-loop DRACS and two-loop PRACSs would be expected. In this calculation, the primary boundary temperature was assumed to mostly correspond to the coolant temperature at the exit of the reactor vessel.
Short-term calculated temperatures of fuel and cladding after the event initiation are shown in Figure 6. The calculated maximum temperatures of fuel and cladding are 2369 and 732 °C, respectively. Figure 7 shows long-term calculated temperatures of fuel cladding and primary coolant boundary. Following the first peak of cladding temperature just after the reactor shutdown, the second and third peaks appear around 0.036 h (2.2 min) and 0.32 h (19 min), respectively. The second peak is governed by the primary coolant flow rate that is determined by natural circulation capability based on a temperature difference in the PHTS before the core cooling using the DHRS is effective. After the establishment of natural circulation, the third peak is formed by the balance between the decay heat and the natural circulation capability of the DHRS itself. The calculated maximum temperatures of fuel cladding at the second and third peaks are 679 and 693 °C, respectively. The calculated maximum temperature of the primary coolant boundary after the establishment of natural circulation is 509 °C, which is lower than the initial reactor vessel exit temperature. After 0.7 h, the cladding temperature continuously decreases. These calculation results fulfill the safety criteria of fuel, cladding, and coolant boundary. The cumulative damage fraction is also less than the criterion for abnormal transients.
The other DBE analyses with regard to the decay heat removal also indicated that the natural circulation DHRS is effective.

Safety Evaluations for DEC
4.1. Event Selections for DECs. The DECs are additional conditions or events, where failure in fundamental prevention functions or more severe initiating-event conditions are assumed. Although the DECs are set up in a deterministic way, there should also be risk-based consideration in order to avoid too conservative design measures. The DECs of concern include classical initiators, such as ATWS. The event selection of DECs will be defined according to the progress of the design and PSA study. Along the DiD philosophy, the effectiveness of prevention and mitigation design measures against CDAs should be validated in the DEC category. Therefore, the safety evaluation should involve two categories for prevention and mitigation. In this paper, as representative DECs, we selected the ATWS, where the passive shutdown capability and mitigative measures against CDAs were evaluated.

Safety Criteria and Conditions for DECs.
For DECs, the basic containment function and postaccident core cooling shall be maintained. The release level of radioactive materials shall be below the level at which offsite response is activated. In the JSFR, the following criteria were tentatively defined for the prevention and mitigation categories.
For the prevention category, the passive shutdown capability is assessed in this paper. The safety criterion for the core outlet coolant temperature was set below the boiling point of the coolant. The boiling point at the top of the core is 1020 °C because the cover gas is slightly pressurized in the reactor vessel in the JSFR. As mentioned in Section 3.2, the failure limit of fuel cladding due to fuel melting is considerably high. The cladding failure limit for low smear density fuel is approximately 40% of areal melt fraction [14]. Hence, for the fuel pellet, the maximum melt fraction was conservatively limited to less than 30%. The melting temperature of the fuel pellet is ∼2740 °C in the calculated core.
For the mitigation category, no significant mechanical and thermal impacts on the primary boundary are allowed because the JSFR aims at the IVR concept without any significant internal challenges on the containment function. A detailed description of the safety criteria is given in Section 4.3.2.
The DEC evaluations were conducted on a best-estimate basis. The influence of various uncertainties will be investigated in a future PSA study.

Passive Shutdown Capability Evaluation.
The ATWS events are roughly divided into three types: LOF, transient over-power, and loss-of-heat-sink. Thus far, the LOF-type ATWS has been called "unprotected LOF (ULOF)." In the prevention evaluation category, however, the core can be protected by the passive shutdown feature. Such a terminology might create confusion, so we use the term "LOF without scram (LOFWS)" for the passive shutdown evaluation in this paper. Since the LOFWS event tends to produce the most severe consequence among the three types of ATWS events, an analytical result only for the LOFWS event is presented in this paper.
In the LOFWS analysis, a flow coastdown of all primary pumps was assumed without a reactor trip from a full-power operation. A one-dimensional plant dynamics analysis code with point kinetics and heat transfer models was applied to this event in a manner similar to that used in the past [10]. The maximum temperatures of fuel and coolant in the core were calculated for the nominal hottest channel, which represents the hottest fuel assembly in the core. The activation temperature of the SASS was set at 660 °C, the feasibility of which was experimentally checked in selecting material components. A three-dimensional computational fluid dynamics (CFD) calculation was separately carried out to obtain a coolant transport time from the top of neighboring fuel assemblies around the backup control rod (BCR), where the SASS is installed, to the SASS temperature-sensing alloy at a nominal flow rate. Based on this CFD calculation, the transport time was set to 1.3 s and only five-BCR insertion was assumed. In this event, this time becomes longer due to the reduction of flow rate. As the other parameter, the time constant of the detachment, defined as the time difference between the time when a bulk coolant temperature around the SASS reaches the detachment temperature and the time when the SASS detaches, was also calculated by the CFD approach. To enhance the time constant, some design modification was necessary. This design modification depends on the locations of individual BCRs, so that the time constants for the core-center BCR and the four neighboring BCRs were set as 3.4 s and 1.0 s, respectively. The insertion time of the detached control rod was set as 1.5 s for 85% of the rod stroke, based on actual rod insertion test data. After the passive shutdown, although the natural circulation DHRS can be activated in the design, such a cooling mode is neglected in this analysis for simplicity.
Figure 8 shows a typical result of fuel, cladding, and coolant temperatures for the LOFWS, where the halving time of the coolant flow rate was 6.5 s. The calculated coolant temperature around the SASS armature at the four BCRs in the inner peripheral positions in the inner core reached the SASS detachment temperature of 660 °C, and the SASS detached at 11.9 s after the transient onset. This first BCR insertion mitigated a steep power increase. At the remaining core-center BCR, the SASS detached the rod at 13.3 s. The calculated maximum temperatures of fuel and coolant are 2248 and 969 °C, respectively, which are less than the safety criteria. Accordingly, the SASS averted bulk coolant boiling, so that the core cooling could be maintained. This analysis indicated the passive shutdown capability of the SASS against the typical ATWS.

CDA Evaluation.
As the passive safety features are provided against fast sequences, such as ATWS, and redundant accident managements against slow sequences, the probability of a CDA becomes negligibly small. Nevertheless, the consequences of CDAs should be mitigated based on the DiD philosophy, since a recriticality potential in the course of CDAs has been regarded as one of the major safety issues in fast reactor cores and also as a potential candidate for early large-release sequences. Enormous effort has been dedicated to the clarification of accident scenarios and the consequences of CDAs. Once coolant boiling is assumed, a significant reactivity increase is possible because a typical SFR core has positive void reactivity feedback. Over the years, therefore, the ULOF scenario has particularly been investigated from the viewpoint of mechanical design margin against super-prompt excursion during the initiating phase and against energetic recriticality during the transition phase. The thermal design margin has also been investigated to ensure IVR [15].
As stated in Section 2.3.3, design measures are taken in the JSFR safety design approach so that severe power burst events with recriticality can be eliminated and core materials can be stably cooled in the reactor vessel for the long term. In developing the CDA scenario, the core degradation sequences were conveniently divided into four phases: initiating, early discharge, material relocation, and heat removal phases. To achieve the IVR, the following safety criteria were defined for the four phases: (i) no severe power burst for the initiating phase, (ii) early fuel discharge from the core before the formation of the whole-core scale molten fuel pool for the early discharge phase, (iii) relocation of disrupted core materials to the coolable geometry under the subcritical state for the relocation phase, (iv) long-term stable cooling of disrupted core materials in the reactor vessel for the heat removal phase.
In order to avoid a severe power burst during the initiating phase, the sodium void worth should be limited to a certain value. In the FaCT Phase-I, the reference value was determined as less than six dollars (6$) based on both theoretical consideration and the analytic experiences for various types of core design [16]. In general, it could be achieved by shortening the core height to less than 1 m in a large-scale core. It was found that a power excursion driven by positive reactivity insertion due to sodium voiding in a ULOF sequence could be limited by negative Doppler reactivity insertion due to rapid fuel temperature increase and would be finally cancelled by negative reactivity insertion due to rapid fuel dispersal [17]. Before the FaCT Phase-I, ULOF initiating phase calculations were carried out for various core designs using the SAS4A code. In the case of taller core height with larger-diameter fuel pins, the effect of negative fuel dispersal was slightly delayed. This was due to its lower fuel-power density and smaller axial fuel worth gradient. Therefore, additional reference values were created for an average fuel-specific heat and core height in the core design. These values are 40 kW/kg-fuel and 1 m, respectively. These design conditions were implemented into the current core design [18]. The fuel smear density is 82% of theoretical density in the JSFR design, so a high failure threshold is expected. This pin condition would allow a high axial level of fuel pin failure resulting in negative fuel motion reactivity just after the failure [19]. The SAS4A analysis showed a mild power burst that did not reach prompt criticality during the initiating phase, as presented in Figure 9.
A severe power burst has never been obtained even in parametric calculations [16]. These average core fuel enthalpies were less than the solidus temperature of oxide fuel. In these calculations, sodium voiding and its reactivity effect inside the inner duct were not taken into account because a separate calculation indicated that the sodium boiling inside the duct occurred in the early discharge phase; thus it does not affect the peak power level of the initiating phase.
In the past, it was reported using the SIMMER-III computer code that an energetic recriticality occurred only by radial whole-core scale fuel motion [20]. To avoid such a recriticality, Japanese researchers have struggled to create measures enhancing axial fuel discharge, which is the most effective in reactivity decrease, before enlarging the molten region [21]. As one of these measures, special fuel assemblies have been proposed to enhance the molten fuel discharge. The Fuel Assembly with Inner DUct Structure (FAIDUS) is a concept in which a steel duct is installed as a fuel escape path in every fuel assembly [21]. Considering both the superior fuel discharge capability of FAIDUS and its impact on other aspects, we additionally proposed a modified concept of FAIDUS, as shown in Figure 10. In this concept, a smaller-diameter inner duct with an opening at the upper end was installed [22]. In the modified FAIDUS design, the fuel escape path is shorter and hotter compared to that of conventional FAIDUS; therefore, the hydraulic diameter of the inner duct can be smaller. This is advantageous for limiting the impact of the safety feature on core performance. For the conventional FAIDUS, the development of a new grid spacer is required, mainly in order to keep a clearance between the fuel pin bundle and the inner duct located at the center of the fuel assembly. On the other hand, the conventional wire-spacer technique can be applied to the modified FAIDUS design because the inner duct is attached at a corner of the wrapper tube; hence, the fuel fabrication of this concept becomes more feasible with less R&D effort. It should be noted that certain thermal hydraulic problems caused by the asymmetric arrangement of the modified FAIDUS must be resolved through some minor R&D.
The event sequence after termination of the initiating phase power transient in a relatively higher-power fuel assembly is explained as follows. The inner duct wall fails by contact with the hot liquid fuel/steel mixture. The fuel/steel mixture is ejected into the inner duct driven by the pressure build-up in the pin-bundle side due to fission gas released from melting fuel. Sodium voiding and its upward expansion inside the duct occur due to interaction between ejected fuel/steel and liquid sodium. The molten fuel is discharged upward through the voided duct driven by the gas pressure. The discharged fuel is dispersed into the upper sodium plenum of the reactor vessel. The dispersed fuel is relocated mainly on the intermediate isolation plate (top level of the core). The above key phenomena have been confirmed by experimental study [23].
Figure 9 shows the fuel discharge capability for the modified FAIDUS design during the early discharge phase, which was evaluated by the SIMMER-III code. In this calculation, the geometry of a single fuel assembly was used to investigate the phenomena in detail. The fuel assemblies in the core were divided into several groups depending on the power level, and fuel discharge phenomena in each representative fuel assembly were separately analyzed using a similar power history but a different power level corresponding to each fuel assembly group. Although the power time history was given as the input obtained from the SAS4A result, the reactivity feedback due to fuel discharge was taken into account by means of an iterative calculation procedure. In each calculation of the representative fuel assembly, almost all the molten fuel in the assembly was discharged upward through the inner duct while the immobile solid fuel remained in the core region of the assembly. The total amount of fuel discharged from the core, estimated as the summation of the discharged fuel from all the fuel assemblies in each group, was about 19% of the initial fuel inventory, and the core reached a subcritical condition.
Just after the early discharge of molten fuel, solid fuel without mobility would remain in the core at the decay heat level. The event sequence during this phase is explained as follows. Frozen fuel and remaining solid fuel around the upper part of the core fall and accumulate in the lower part of the core. Upper core structures inside the fuel assembly, such as the axial fuel blanket, collapse as well as the intact fuel in the most-inner outer core. Based on a preliminary evaluation, the remaining fuel in the core region starts to melt by the decay heat at 150 to 200 s after the early fuel discharge phase. From a phenomenological point of view, it is expected that this molten fuel would move downward locally through the space in the primary control rod guide tube (CRGT) failed by the contact of materials molten by the decay heat. It should be noted that absorber-rod insertion could be assumed in backup CRGTs just at the beginning of the material relocation phase because the temperature of the SASS materials would become high enough for them to lose their magnetic property through contact with molten fuel and sodium vapor generated during the early fuel discharge phase.
Based on the above event sequence, the reactivity change was evaluated by a series of static neutronic calculations. As a result, a significant reactivity insertion would be avoided by the enhancement of fuel discharge through the primary CRGTs; therefore the subcritical state would be ensured during the relocation phase.
Because the advanced loop concept has a relatively small reactor vessel compared with a large fuel inventory, a multilayer debris tray is basically required to hold the full inventory of core fuel without dryout and recriticality. Proper quenching and distribution as well as coolant convection are crucial points in this concept. A thermal hydraulic calculation was conducted for the coolability of fuel debris [24]. In this calculation, all of the fuel was uniformly relocated on the multilayer debris tray. The DHRS consisting of one DRACS and two PRACSs was available in a fully natural circulation mode. The calculation result showed that the decay heat balanced the removed heat around 30 min after the start of the transient. The maximum coolant temperature in the debris bed was less than 900 °C and steadily decreased after the peak temperature, so that sufficient cooling capability is provided for a long-term stable retention in the reactor vessel.

Probabilistic Safety Evaluation
It is required to implement the PSA in order to check whether the requirements of CDF and CFF are satisfied. At the early stage of drawing the design concept, it is also required to construct a well-balanced safe system so as to eliminate any weak points and/or remarkable cliff edge effects that can appear in the risk curve from the risk point of view. Therefore, our study aimed at comprehending systematically the safety characteristics of the system with respect to a risk potential and at making design improvement effectively in such a way as to appropriately control and minimize the risk using the PSA technique.
The PSA activity is continued reflecting up-to-date plant design. A seismic PSA is also implemented because it is important for the seismic isolation system design in the JSFR. According to the preliminary result, the building and components in the JSFR have a sufficient safety margin even considering a current seismic design condition [25].

Conclusions
In the present study, the safety design concept for the JSFR has been established to fulfill the development target that would ensure a safety level comparable to future LWRs. Based on the DiD safety philosophy with the complementary use of the risk-informed approach, the JSFR adopts highly reliable systems that rarely cause abnormal conditions and specific design measures both for accident prevention and mitigation. In designing the JSFR, considering the superior safety characteristics of SFRs, three fundamental safety requirements were systematically investigated. The subsequent consideration provided the following appropriate safety design measures: the SASS as the passive feature in addition to the two independent RSSs, the fully natural circulation DHRS that can remove the decay heat without the SHTS, the introduction of double-wall piping against sodium leaks, a core design limiting the sodium void worth, devisal of the special fuel assembly for attaining IVR under ATWS, and the leak-tight containment. Such passive and static measures that need not depend on operator actions can encompass high safety and reliability as well as being preferable from the physical protection point of view. The safety analyses and PSA revealed that the JSFR design fulfilled the safety criteria. Although some of them necessitate further R&D for their deployment in future commercialized reactors, we believe all are within reach. In the next phase, further design study will be steadily performed along with the several R&D efforts.

Figure 2: Schematic diagram of the SASS concept.

Figure 3: Schematic diagram of the double-wall structure.

Figure 4: Primary pump seizure accident with primary RSS.

Figure 8: Loss-of-flow without scram accident with passive shutdown.

Figure 9: Initiating and early fuel discharge phases of unprotected loss-of-flow accident.

Acronyms
ATWS: Anticipated transient without scram
BCR: Backup control rod
CDA: Core disruptive accident
CDF: Core damage frequency
CFD: Computational fluid dynamics
CFF: Containment failure frequency
CRGT: Control rod guide tube
DBE: Design-basis event
DEC: Design extension condition

Table 1: Safety-related development target and design requirements in the FaCT project.