The concept of inherent safety of generation V nuclear power plants*

Elimination of significant risks in nuclear power production is at the present stage a necessity and goal-setting that determines its development in the near future. Of particular importance is the problem of maximum credibility and convincingly substantiated stability of nuclear power plants against severe accidents. The lack of clear logic, transparency and guarantees in the reliability of the announced nuclear safety significantly hinders its development, unnecessarily overcomplicating expensive technical solutions, thereby weakening the competitiveness of nuclear power. The originally proposed Concept of Inherent Safety set the task of solving the above problems; however, its specific content has not been explicitly presented so far, which allows many competitors to use its terminology to promote projects that are not directly related to the ‘spirit and letter’ of Inherent Safety. This paper is intended to fill this gap. The authors also discuss the conditions for the generation and development of new self-protection means for innovative nuclear reactors as well as the phenomenological and technical aspects for their implementation based on the deterministic formalism.


Introduction
A radical reduction in the risks of severe accidents is an indispensable component of the Concept of Inherent Safety (Adamov et al. 2016), which can and should be ensured through the use of existing and additional purposefully selected phenomenological (semantic) qualities (properties) of nuclear energy production. This implies the selection of suitable types of nuclear reactors and fuel cycles, detailed development of theoretical and practical foundations for enhancing their self-protection, targeted search and verification of the obtained qualities designed to radically enhance the stability against severe accidents.
The elaboration and updating of the Concept of Inherent Safety is based on the following fundamental considerations, which take into account the accumulated experience in the development of science and technology.
(especially because of the threat of rapid catastrophic destructive events) that it requires maximum reliability and convincing substantiation of its safety, and hence the support of 'strong' science. • Natural and technical sciences, with their subject area of instrumentally measurable phenomena, are 'strong' in an adequate understanding of nature exactly where the share of justified determinism is the largest possible. • The dominance of probabilistic scenarios of severe accidents of internal origin (at least in public discussions) is still necessary in the nuclear power industry but in fact is unacceptable due to significant uncertainties arising in assessing the consequences of severe accidents and their damage. • The maximum development of self-protection and an emphasis on the deterministic stability of the main protective barriers against accident initiating events can become a support (Adamov et al. 2016, Goldberg 2006, Shenfield 1975 in increasing confidence in the safety level.

On the development of the concept of inherent safety
According to the International Nuclear and Radiological Event Scale (INES) introduced in 1990 by the International Atomic Energy Agency (IAEA), severe accidents mean unacceptable accidents at nuclear power plants that lead to the destruction of the reactor with global (significant) socio-economic damage and the need for measures to protect personnel (evacuation of the population).
Post-accident damage from such accidents as a consequence of the use of the defense-in-depth principle is determined by the measure of destruction of protective barriers and is assessed by the INES in the range from Level 7 (the Chernobyl and Fukushima disasters) to Level 5 (the Three Mile Island accident). As a rule, a nuclear power plant inevitably contains many active and passive components of varying reliability, and the active components are recognized by the scientific and technical community as knowingly less reliable (IAEA-TECDOC-626 1999). It is not only difficult but practically impossible to quantitatively express with a reasonable degree of certainty the reliability of the entire set of the active components as well as the role of the human factor. This is what causes the main uncertainty in the results of safety analysis against the background of potentially huge accidental damage. A logical way out of this situation (taking into account the impossibility of controlling a nuclear power plant without active components and personnel with their intentional or accidental errors) is the a priori assumption of the most unfavorable failures of the least reliable and often provocative active components and human actions with the obligatory compensation for the possibility of such failures by endowing the reactor with sufficiently more reliable properties (qualities) of natural self-protection.
To break the conceptual deadlock, as previously noted, is only possible by radically changing the logic of increasing the stability against severe accidents. The developed logic of Inherent Security (Adamov et al. 2016) is as follows: Instead of 'evolutionary' attempts to increase the confidence reliability of active components of a nuclear power plant and the predictability of the human factor, it is advisable to recognize all the components of questionable reliability (internal devices of a nuclear power plant) as a priori unreliable (provocative), and then passive means (devices) of protection of the highest category (the reliability of which is extremely high (IAEA-TECDOC-626 1999) and is available for a priori verification during the completion of their passport characteristics) is destined to serve as responsible means in achieving the stability against severe accidents.
However, as a rule, the use of only passive means turns out to be insufficient, and then it becomes necessary to develop new failure-free properties (means) of self-protection.
This strategy provides a 'technically sound determinism' of the stability of a nuclear power plant against severe accidents.
The development of Inherent Safety for Generation V NPPs implies an approach in the following direction: The dominant of the Concept of Inherent Safety should be the further strengthening of self-protection means to such a high degree as to ensure the stability of the nuclear power plant against severe accidents even with postulated failures of active components.

On credible stability of a nuclear power plant against sever accidents
As already mentioned, in contrast to previous generations of nuclear power plants, the trend towards a radical increase in 'natural immunity' should ensure the achievement of credible stability against severe accidents. Then expensive financial insurance against severe accidents can be considered an unnecessary rudiment.

The principle of in-depth protection and the method of ranking NPPs in terms of Natural Safety
The compositional construction of the entire system of stability against severe accidents in the current nuclear power industry (according to the IAEA) is based on strict adherence to the principle of deep separation ('in-depth protection') and is formally represented as a system of successively 'nested' components (devices, elements) surrounded by passive protective barriers: fuel matrix, fuel element claddings, cooling circuits, reactor vessel, safety vessel, etc., depending on the design of the nuclear power plant, as well as a set of necessary measures to prevent emergencies.
In general, this important principle of building anti-accidental protection for the nuclear power industry remains in force also for the Concept of Inherent Safety; however, the emphasis is shifted to the deterministic preservation of protective barriers during an accident even without regard for possible assistance from the operating protective means, since their reliability is the most questionable.
Within the framework of the Concept of Inherent Safety, it is possible to assess safety by ranks determined by the 'individual' deterministic stability of each protective barrier. At the same time, it is proposed to establish a 'basic' rank corresponding to the preservation of the anti-accidental stability of at least one of the protective barriers, and the 'highest (zero)' rank corresponding to the preservation of all the main protective barriers. The rest of the digital ranks can be assigned depending on the number of the senior protective barrier remaining after an accident.

Anti-accidental stability structure
The new approaches presented above within the framework of the Concept of Inherent Safety can seem universal, but they are not realistic for all the types of nuclear power plants.
First of all, their implementation requires the initial minimization of basic potential threats, such as, for example, the danger of accumulated non-nuclear power -increased pressure of the media, the proximity of operating modes to the destructive possibilities of exothermic chemical reactions, to the coolant boiling, as well as the indispensable selection of at least all the passive NPP components (including the main protective barriers) that meet the deterministic passport characteristics, ensuring maximum stability (Wade 1986;Wigeland and Cahalan 2009;Adamov et al. 2016).

Criterial selection of the border between traditional and inherent safety. Examples of innovative means
When determining the inherent safety niche in the variety of approaches to its support, it is important to identify the qualitative features of the differences between inherent safety and the prevailing concept of ways to ensure the reactor stability against severe accidents (Gordon 2014). These differences are formed from the notions about 'transparent substantiation' of the phenomenological rea-sons for the most dangerous scenarios as well as about the ways to achieve this quality.

On choosing the boundary criterion of Inherent Safety
The above arguments form a separate niche for developing NPPs with an innovative approach to safety. This requires the following three steps: • Defining the 'digital boundary' separating traditional and innovative approaches to ensuring stability against severe accidents. Taking into account the variety of possible emergencies, the choice of the boundary should reflect the fundamental ability to eliminate, first of all, the most dangerous (in terms of damage) severe accident, moving away from private engineering solutions and their details -only in terms of the phenomenological conceptual properties of a nuclear power plant. This is a Level-7 'major' accident according to the INES scale. The condition of 'phenomenological' exclusion of the most dangerous accelerations of prompt reactor power is important not only for an assessment of the potential damage but also for an adequate psychological perception of the fundamental possibility of eliminating the global danger of nuclear power production.
• Assessing barrier post-accident stability, which consists in a deterministic assignment of the achievable rank of Inherent Safety, taking into account the principles of extreme conservatism. • Providing convincing simplicity of substantiation of stability against severe accidents.

An example of a new way to enhance self-protection. On the nature of the digital boundary criterion
The condition of the phenomenologically credible absence of prompt neutron-induced power accelerations, which makes it possible to eliminate the destructive thermal shock on the structure and the first protective barriers of a nuclear power plant, can be obtained from the approximate reactor kinetics equation (Bukrinsky 2010) (with a certain fraction of delayed neutrons emerging from fission fragments) for the neutron flux density n(t), which is integrated in terms of space and power. Taking into account the prospect of using recently proposed innovative means of increasing the self-protection of innovative fast reactors, this condition provides for the possibility of implementing original methods for slowing down the kinetics (Slesarev 2007;Slesarev 2013;Kulikov et al. 2014;Shmelev and Kulikov 2015) (for example, spatial diffusion of a significant fraction of neutrons escaping from the core, 'wandering' in the reflectors and freed from the need to participate in excessive fuel breeding (Adamov et al. 2016)).
In the generalized case, a suitable approximate equation for the point kinetics of a reactor with a reflector and six groups of delayed neutrons is written as where l is the average lifetime of all the neutrons in the initially critical reactor (before the emergency insertion of reactivity ρ).
In system (1), the concentration of delayed neutron emitters from fission products, the rate of their decay, and the average lifetime of neutrons in the core are denoted as λ, l * , and β * introduced into the critical reactor is the fraction of neutrons appearing with a delay as a result of 'recurrent' diffusion into the core of these 'wandering' neutrons of the reflector, respectively. The possibility of this unique slowing down of the kinetics in fast reactors is taken into account in system (1) by introducing additional terms indicated by the lower right subscript ( * ).
If we differentiate between 'hazard factors' and 'factors deterring the emergency power acceleration rate', then from kinetics equations (1) and in-hour equations, taking into account fast feedbacks, reserves for ensuring the operability of the reactor and technological (calculated) errors, we will obtain the limitation on the permissible total reactivity margin ρ max in the form of the following approximate expression: which defines the digital phenomenological boundary of fundamentally different safety classes in relation to reactivity accidents.

Pathways to Inherent Safety with digitized ranks
The above formal transition to the area of Inherent Safety across the digital boundary in accordance with relation (2) is required to ensure the basic requirements and to obtain attractive qualities of Inherent Safety, but in itself does not yet guarantee the goal-setting preservation of protective barriers, only representing a necessary condition for a credible substantiation of such guaranty. The movement from this boundary towards an increase in anti-accidental stability is ensured both by the growth of β * (neutron leakage from the core to the reflector, which is determined by the quality of the fuel neutronics) and the growth of l * (i.e., the kinetics deceleration level).
It is obvious that an insufficient reduction in the power change rate from the 'prompt neutron-induced acceleration', as well as the absence of a timely passive emergency insertion of compensating reactivity, can also lead to a severe accident.
It should be borne in mind that the behavior of only the emergency integral power does not always determine the stability of protective barriers -here the deterministic reference points are the maximum temperature rise rate of the reactor components, the excess of the maximum permissible 'passport' temperatures of the protective barriers and thermal hydraulics, and the strength characteristics of the structures. Consequently, the possibility of a reliable substantiation of stability to severe accidents has yet to be proved.

Confidentiality. Principles for deterministic assessment of emergency events in nuclear reactors with inherent safety
DA Principle 1 for the NPP self-protection properties that contain an accident.
Self-protection properties are recognized as confidentially reliable under the established engineering-physical conditions (including emergency ones) of their manifestation as the laws of nature.
DA Principle 2 for the properties of passive elements (devices, systems) that contain an accident.
Passive components of the highest reliability categories are recognized as acceptably reliable.
Reliance on the passport characteristics of the components of a nuclear power plant is an important equivalent to the practical use of scientific knowledge and accumulated technical experience (with reliability close to the laws of Nature). DA Principle 3 for initial level accident initiators. The operability of active components (devices, systems) of a nuclear power plant and passive components (devices, systems) of the lowest reliability categories is conservatively recognized as minimally reliable.
In the limit, all the active means are postulated as capable of failure in emergency scenarios, and their technical provocative 'initiativity' is assumed to be maximally fast.
The accident initiating events (when all the main protective barriers are not yet cardinally damaged) can potentially be followed by a 'concomitant' cascade of destruction of many protective barriers, which greatly complicates the analysis, since it leads to a significant expansion of the list of initiators.
To evaluate these initiators, properties and devices, the following principle is provided (DA-4).
DA Principle 4 for 'concomitant' accident initiators, properties and devices.
Events with the emergence of subsequent levels of provocateurs-initiators, which follow the destruction of protective barriers and (or) lead to a change in the aggregate states of the components of the nuclear power plant, affecting its reactivity and thermal hydraulics (after confirming these by modeling the accident initiating events and the dynamics of emergency processes), are recognized as unreliably predictable and, taking into account the necessary conservatism, are postulated according to the most dangerous scenarios.
The DA Principles 1-4 set the range of the most dangerous initiating scenarios and, at the same time, provide conservative scientific and technical transparency in substantiating stability against severe accidents, thereby bypassing the laborious and opaque problem of verifying probabilistic assessments simultaneously for the entire detailed structure of the 'fault tree'.
As already emphasized, this strict introduction of the principles of assessing Inherent Safety makes it possible to credibly prove stability against severe accidents not for all reactors, but, perhaps, only for innovative ones with an objectively high initial self-protection margin (Goldberg 2006).

Transparency of stability against severe accidents: from the traditional fault tree analysis to phenomenological integral initial events
Shifting the priority to enhancing natural immunity will allow implementing the following strategy for the transparency in substantiating anti-accidental stability, available for 'assessed' nuclear power plants with Inherent Safety: • To postulate failures of active components (means) of a nuclear power plant and its protection (or groups of similar means) according to the most dangerous scenarios; • To enlarge failures of active independent devices to the level of conservative-phenomenological ones (Spiewak and Weinberg 1985) (e.g., instead of failures of active components (parts) of the circulation pump, postulate the failure of the entire pump according to the worst scenario, say, in the form of its fastest possible failure); • To include in the anti-accidental stability analysis real simultaneous failures of independent devices containing active 'provocative' components (for example, failures of all the pumps for a common cause); and • To increase attention to the provision and verification of passive protective systems and barriers under the influence of phenomenological zero-level initiating events caused by direct failures of the active devices in the reactor vessel and the influence of the human factor.
Therefore, when identifying possible scenarios of severe accidents, it is necessary to give priority to maximizing the enlargement of the 'tree' of initial pre-emergency events (failures) and the formation of a list of so-called 'phenomenological integral initial events' (PIIE) responsible for the physical nature of emergency processes (Adamov et al. 2016, Spiewak andWeinberg 1985).
In order to maximize the simplicity and, therefore, increase conservatism in ensuring the transparency of safety proofs, we recommend the following list of zero-level anticipated transient without scram (ATWS) (Spiewak and Weinberg 1985) not protected by active means, which is adapted to the current understanding of safety issues for innovative fast reactors.

Mathematical logic and criterial conditions for achieving inherent safety
Within this system of constructing mathematically rigorous proofs, the criterial (necessary and sufficient) requirements (Nelson 1985) for achieving assessed Inherent Safety of Rank Z in a nuclear power plant should be, • as a necessary condition, the fulfillment of digital criterion (2) according to the phenomenological impossibility of prompt neutron-induced reactor power accelerations -the fastest and most destructive emergency events -for example, due to the generation of 'wandering' neutrons with an average lifetime significantly exceeding that of prompt neutrons; and • as a sufficient condition, the preservation of the operability of Barrier Z of the NPP protection in accordance with the outlined DA principles under any technically possible phenomenological integral accident initiating events (PIAIE).
Within the limits of the indicated mathematical formalism, the construction of a confidentially reliable and transparent proof of stability against severe accidents for a certain composition of a nuclear power plant claiming to have anti-accidental stability of the 'assessed Inherent Safety' class, is reduced to: • Purposeful strengthening of natural 'immunity' to severe accidents; • Compliance with the principles of deterministic assessment (DA) principles; and • Verification of compliance with the 'passport' confidence limits for protective barriers in all the PIIE.
A reactor plant, built and verified according to the proposed algorithm, can be recognized as inherently and technically stable against severe accidents of internal origin.

Conclusion
The presented strategy for achieving Inherent Safety against severe accidents in a nuclear power plant is based on enhancing anti-accidental natural immunity to such a high degree that will make it possible to neutralize the 'emergency provocativeness' of the active components of the reactor and the human factor as well as to substantiate anti-accidental stability even without the help of active emergency protective equipment.
It overturns the 'pyramid' of the traditional NPP safety structure, i.e., instead of the obviously unfeasible PSA-based proof of the acceptable reliability of active protective means, it recognizes the possibility of complete failures of all the active reactor components that do not lead to severe accidents.
In the case of the implementation of Inherent Safety, the expected advantages (in contrast to nuclear power plants of previous generations) in terms of nuclear power safety for the foreseeable future are important and numerous. These benefits include as follows: • Phenomenological impossibility of prompt neutron-induced power acceleration (Level 7 on the INES scale, the most dangerous category of severe accidents) that eliminates a destructive accidental thermal shock to the reactor structure; • No doubts about the acceptability of the achieved anti-accidental stability; and • Removal of the problems in managing severe accidents and the need for emergency measures to evacuate the population.
Moreover, the initially selected high reactor safety potential and measures for its purposeful enhancement make it possible to acquire such innovative qualities of safety of nuclear energy production as: • Credibility (provided by the laws of Nature -nuclear physics, thermal physics and hydraulics -and recognized mathematical logic); • Confidentiality (through the proposed deterministic assessment principles according to Laplace: "everything that is important, but questionable in terms of reliability, happens; everything that is important and reliable works as long as possible"); and • Transparency (based on the calculating apparatus of phenomenological dynamics to prove the demanded stability of a nuclear power plant against severe accidents of internal origin: "initial emergency events are integrated according to the most dangerous scenarios").