
  • IAEA-TECDOC-742

    Design basis and design features of WWER-440 model 213 nuclear power plants

    Reference plant: Bohunice V2 (Slovakia)

    Report of the IAEA Technical Co-operation Project RER/9/004 on Evaluation of Safety Aspects of WWER-440 Model 213 Nuclear Power Plants

    INTERNATIONAL ATOMIC ENERGY AGENCY

  • The IAEA does not normally maintain stocks of reports in this series. However, microfiche copies of these reports can be obtained from

    INIS Clearinghouse
    International Atomic Energy Agency
    Wagramerstrasse 5
    P.O. Box 100
    A-1400 Vienna, Austria

    Orders should be accompanied by prepayment of Austrian Schillings 100,- in the form of a cheque or in the form of IAEA microfiche service coupons which may be ordered separately from the INIS Clearinghouse.

  • The originating Section of this document in the IAEA was

    Engineering Safety Section
    International Atomic Energy Agency
    Wagramerstrasse 5
    P.O. Box 100
    A-1400 Vienna, Austria

    DESIGN BASIS AND DESIGN FEATURES OF WWER-440 MODEL 213 NUCLEAR POWER PLANTS

    IAEA, VIENNA, 1994
    IAEA-TECDOC-742
    ISSN 1011-4289

    Printed by the IAEA in Austria, May 1994


  • FOREWORD

    Several studies have been undertaken by the International Atomic Energy Agency and many Member States to enhance the safety of nuclear power plants of older designs, among them NPPs with WWER-440 type reactors.

    In 1991 the former Czech and Slovak Federal Republic (CSFR) Atomic Energy Commission (AEC) requested that an evaluation of the safety aspects of the WWER-440 model 213 NPP be undertaken under the IAEA Technical Co-operation (TC) Project RER/9/004. Bohunice NPP V2 (units 3 and 4) was proposed to be the reference plant. The request was discussed with the Hungarian Atomic Energy Commission and an agreement was reached that the units at Paks would also be covered by the evaluation study. Owing to the high degree of design standardization, the results would also be generally applicable to the units at Dukovany (Czech Republic) and Mohovce (Slovakia) as well as to the Ukrainian units at Rovno.

    The request for this study was a logical progression from activities related to the accident analysis of WWER type reactors originated under the TC Regional Programme in 1985 and carried out until 1990 with the participation of Bulgaria, the former Czech and Slovak Federal Republic, Hungary, Poland and the former USSR.

    The request was not only the result of increased attention given to the safe operation of the Soviet designed WWER-440 model 213 reactors but also reflected worldwide trends and practices by applying probabilistic techniques and accident analysis. It was founded on significant knowledge gained over many years of nuclear safety research, highly advanced methodologies verified by large and small scale integrated experiments, and accumulated analytical and operational experience and its feedback into this study.

    Independently, comprehensive national programmes related to WWER-440/213 units have been launched in the Czech Republic, Hungary, Slovakia and Ukraine in order to develop new, or updated, safety analysis reports (SARs) compatible with internationally accepted practices and methodology.

    The prime objective of the IAEA Technical Co-operation Project on Evaluation of Safety Aspects of WWER-440 model 213 NPPs is to co-ordinate and to integrate assistance to national organizations in studying selected aspects of safety for the same type of reactors. Consequently, the study integrated the results generated by national activities carried out in the Czech Republic, Hungary, Slovakia and Ukraine and co-ordinated through the IAEA. Valuable assistance in carrying out the tasks was also provided by Bulgaria and Poland.

    A set of publications is being prepared to present the results of the project. The publications are intended to facilitate the review and utilization of the results of the project. They also provide assistance in further refinement and/or extension of plant specific safety evaluation of model 213 NPPs. This Technical Document addressing the design basis and safety related design features of WWER-440 model 213 plants is the first of the series to be published.

    It is hoped that this document will be useful to anyone working in the field of WWER safety, and in particular to experts planning, executing or reviewing studies related to the subject.

    The IAEA wishes to thank all those who took part in the preparation of this document, particularly M. Kulig of the National Inspectorate for Radiation and Nuclear Safety, Poland (currently IAEA staff member), for his important contribution to the drafting of the document and incorporating final comments into the project report.

  • EDITORIAL NOTE

    In preparing this document for press, staff of the IAEA have made up the pages from the original manuscript(s). The views expressed do not necessarily reflect those of the governments of the nominating Member States or of the nominating organizations.

    Throughout the text names of Member States are retained as they were when the text was compiled.

    The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.

    The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.

  • CONTENTS

    1. INTRODUCTION  7
    1.1. Objective and purpose of the report  7
    1.2. Scope of the report  7
    1.3. Outline of the report  8

    2. DESIGN BASIS  9
    2.1. The defence in depth concept  9
    2.2. General basis for design  11
    2.3. Design safety objectives  13
    2.4. Postulated initiating events  13
    2.5. General design principles  14
    2.5.1. Single failure criterion  15
    2.5.2. Combination of events  16
    2.5.3. Operator actions  16
    2.6. Design basis accidents  16
    2.7. Acceptance criteria  17
    2.7.1. Engineering rules for plant and system design  18
    2.7.2. Criteria for design basis accident analysis  24
    2.7.3. Criteria used in strength analysis of NPP equipment and piping  33

    3. DESCRIPTION OF THE PLANT  35
    3.1. Historical background and general description of the WWER-440 NPP  35
    3.2. Safety related plant features and systems  36
    3.2.1. Normal operation equipment  36
    3.2.2. Safety systems  39
    3.3. System design highlights  41
    3.3.1. Reactor system  41
    3.3.2. Reactor coolant system  49
    3.3.3. Chemical and volume control system  51
    3.3.4. Primary circuit purification system  55
    3.3.5. Primary pressure control system  57
    3.3.6. Power conversion system  59
    3.3.7. Secondary decay heat removal system  61
    3.3.8. Plant control system  63
    3.3.9. Protection system  64
    3.3.10. Emergency core cooling system  72
    3.3.11. Emergency/auxiliary feedwater system  77
    3.3.12. Secondary side pressure control system  78
    3.3.13. Containment system  80
    3.3.14. Electrical power supply system  83
    3.3.15. Service water system  86
    3.3.16. Intermediate component cooling system  87
    3.3.17. ECCS compartment cooling system  89
    3.3.18. Fuel handling, storage and transportation  90
    3.4. Structural materials used in WWER-440 NPPs  94

    4. DESIGN RELATED SAFETY FEATURES  96
    4.1. Normal operational systems  97
    4.1.1. Safety merits  97
    4.1.2. Safety concerns  98
    4.2. Safety related systems  99
    4.2.1. Safety merits  99
    4.2.2. Safety concerns  103
    4.3. Instrumentation and control  104
    4.4. Electrical power supply  105
    4.5. Protection of equipment from external hazards  105
    4.5.1. Fire protection  106
    4.5.2. Aircraft impact  106

    5. CLASSIFICATION OF PLANT STATES CONSIDERED IN THE DESIGN  108
    5.1. Normal operational states  108
    5.2. Anticipated operational occurrences  108
    5.3. Accident conditions  108
    5.4. Severe accidents beyond design basis  111

    6. OPERATION OF MULTIPLE UNITS  113
    6.1. Advantages  113
    6.2. Disadvantages  113

    REFERENCES  115

    ANNEX I. COMPARISON OF SOVIET SAFETY REGULATIONS WITH UNITED STATES GENERAL DESIGN CRITERIA  117

    ANNEX II. DESIGN BASIS ACCIDENTS PROPOSED FOR CONSIDERATION IN THE PROJECT  125

    ANNEX III. REQUIREMENTS IN STRENGTH ANALYSIS OF NPP EQUIPMENT AND PIPING - COMPARISON OF SOVIET AND UNITED STATES PRACTICE  129

    ANNEX IV. TECHNICAL DATA ON MAIN STRUCTURAL MATERIALS USED FOR MANUFACTURE OF EQUIPMENT AND PIPING IN WWER NPPs  139

    ABBREVIATIONS  153

    SYMBOLS USED IN PIPING AND ELECTRICAL DIAGRAMS  155

  • 1. INTRODUCTION

    1.1. OBJECTIVE AND PURPOSE OF THE REPORT

    The report provides basic information essential for the safety evaluation of a plant, both qualitative and quantitative. Logically the material is divided into two parts: the first is dedicated to the definition of the design basis and the second provides basic information concerning design features of a plant with a WWER-440/213 type reactor.

    The engineering and normative basis used in the design process is highlighted with some references to accepted international safety philosophy. Where appropriate the differences are pointed out. The material presented in the report supports qualitative comparison of the design basis as used by the vendor with current international practice. It also sets up the logical framework for the safety analysis performed within the project; this subject is discussed in detail in other project documents.

    The information on design features of WWER-440/213 plants, with particular attention given to Bohunice NPP, serves two purposes. The first is to provide a comprehensive description of the plant for the reader who is not well informed about WWER NPPs. This material is intended to back up the more detailed safety assessment that is covered by other documents of the project.

    The second purpose is to give a qualitative evaluation of the design in the areas that are not necessarily further developed within the project.

    1.2. SCOPE OF THE REPORT

    The material related to the design basis includes a brief presentation of the major elements of engineering and normative rules applied in the design of the plant by the vendor. These requirements are consistent with a deterministic design basis framework.

    Information provided in the report is based on general safety standards used in the former Soviet Union in the 1970s. Lower level technical requirements used at that time by design organizations are also discussed in the report.

    In addition to general design principles, information is provided on the selection of design basis accidents being considered in the project.

    The main emphasis is on acceptance criteria used in the design for proving compliance of the plant design with safety objectives. Various types of acceptance criteria are described, ranging from general conditions related to overall plant safety, to very specific ones concerning a particular type of plant equipment, as well as criteria for design basis accident analysis.

    In the latter group, criteria are given for various classes of initiating events concerning process variables and system parameters, initial conditions, boundary conditions, as well as required computer code capabilities and modelling aspects.

    This material presents both criteria used by the vendor and those proposed for use in the project by individual participants.

    The description of the plant provided in the report is limited to basic information essential to proper understanding of the safety analyses performed within the project. System design highlights are given only for safety significant systems. For each system a functional description as well as the numerical characteristics and geometrical data are given. Simplified system diagrams and drawings of main components are also included where it has been found convenient for clear presentation of the material.

    In addition to system highlights some evaluation of design features is given, addressing both safety concerns and safety merits. However, this discussion is limited, since no systematic design review was carried out within the frame of the project. Identification of the most relevant safety issues and evaluation of their safety significance are based mainly on engineering judgement and to a large extent on various safety assessment studies recently conducted for WWER-440 NPPs as well as other existing information gained from operational practice.

    In addition to design related material the report provides some information on the classification of plant states considered in the design. This classification of plant states is made depending on their probabilities of occurrence and their consequences, as available at the date of preparation of this report.

    1.3. OUTLINE OF THE REPORT

    Section 2 presents the design basis applied in the design process by the vendor and the design basis proposed to be used in the safety assessment carried out in the project. All logic elements of the design basis are discussed, including specifications for selecting postulated initiating events, basic rules and assumptions used in the definition of plant conditions considered in the design, and acceptance criteria for proving compliance of the plant design with safety objectives.

    Section 3 provides basic information related to WWER-440 model 213 units. It includes the historical background of the WWER technology and a general description of the plant. Some rational explanation is given of which systems are significant for plant safety, thus providing limits for the scope of plant system descriptions. Then a detailed description of all relevant systems is given.

    Section 4 concludes with basic information on the Bohunice plant design, pointing out the safety merits and shortcomings of the plant design. The material presented in this section addresses both the general features of the plant and those related to individual systems.

    Section 5 provides information on the classification of plant states used in the design of WWERs.

    Section 6 discusses some design related safety issues specific to multiple units, highlighting both advantages and disadvantages of multiple unit arrangements.

    Annexes I-IV include additional detailed information. Annex I compares the general safety standards applied by the Soviet vendor with those used by the US NRC. Annex II provides a detailed selection of design basis accidents to be considered in the project as proposed by the participants. Annex III compares the technical requirements used by the Soviet vendor in strength analysis with those applied in the USA. More detailed information on the main structural materials used for manufacture of equipment and piping in WWER NPPs is given in Annex IV.

  • 2. DESIGN BASIS

    2.1. THE DEFENCE IN DEPTH CONCEPT

    "Defence in depth" is a fundamental principle underlying the safety philosophy of nuclear power. It considers all safety activities, whether organizational, behavioural or equipment related, as a hierarchically ordered set of different independent levels of protection. Protection measures include successive barriers which should in principle never be lost, and which must be violated in turn before harm can occur to people or the environment. The barriers are physical, providing for the confinement of radioactive material at successive locations.

    The first three physical barriers are the fuel matrix, the fuel cladding and the boundary of the primary coolant system. These barriers serve both operational and safety purposes. The containment is a fourth physical barrier which has the main purpose of confining the radioactive material.

    "Defence in depth" includes protection of the barriers by averting damage to the plant and to the barriers themselves. The reliability of the physical barriers is enhanced by applying the concept of defence in depth to them in turn, protecting each of them by a series of various measures.

    There are many modes of protection against the possibility and the effects of accidents at nuclear power plants. Defence measures may be categorized using various logical criteria.

    One way of categorization is to arrange possible defences in order of progression of a nuclear project from its beginning to plant operation (siting, design, manufacture and construction, commissioning and operation).

    The modes of protection can also be classified according to the severity of the threat to plant safety. This severity is in turn measured in terms of extraordinary demands on equipment and staff performance or in terms of any resultant plant damage. This latter classification is illustrated in Fig. 1, compiled from the INSAG-3 report [1].

    Figure 1 shows events challenging the safety of the plant ordered with severity increasing from left to right. Plant actions required to cope with occurrences (labelled "control") are displayed, arranged according to the type of plant challenge. The diagram shows how strategy, procedures, systems and the integrity of barriers would depend on the class of events and their severity (labels "procedures", "response", "conditions of barriers", respectively). The figure also introduces two broader categories of defence strategies: accident prevention and accident mitigation. The first measures for preventing accidents depend on high quality in design and good operational practices, quality assurance, surveillance during operation, and other steps that prevent a small plant deviation from developing into a more serious situation. The accident mitigation provisions include accident management, engineered safety features and off-site countermeasures.

    A second, complementary presentation of defence in depth is provided in terms of "defence levels".

    The first level of protection in defence in depth is the prevention of deviations from normal operational conditions. Mitigation of "normal" releases and preventing incidents are the prime safety objectives. They are achieved by a combination of conservative design, quality assurance, surveillance activities and a general safety culture.

    The second level of defence in depth is control of operation, including response to abnormal operation or to any indication of system failure. The prime safety objectives are mitigation of incidents and prevention of accidents. This level of protection is provided to ensure the continued integrity of the first three barriers.

  • FIG. 1. Overview of defence in depth (compiled from INSAG-3 [1]). The figure is reproduced here in text form; in each row the entries run from left to right in order of increasing severity.

    Strategy: accident prevention (normal operation, anticipated operational occurrences, design basis accidents) | accident mitigation (severe accidents beyond the design basis)
    Events: normal operation | anticipated operational occurrences | design basis and complex operating events | severe accidents beyond the design basis
    Control: normal operating activities | control of accidents in design basis | accident management
    Procedures: normal operating procedures | emergency operating procedures | ultimate part of emergency operating procedures
    Response: normal operating systems | engineered safety features | special design features / off-site emergency preparation
    Conditions of barriers: area of specified acceptable fuel design limit | fuel failure | severe fuel damage | fuel melt | uncontrolled fuel melt | loss of confinement

    The third level of defence in depth is the prevention of the evolution of failures of equipment and personnel into design basis accidents, and of design basis accidents into severe accidents, and also the retention of radioactive materials within the confinement. This level of protection is afforded by engineered safety systems and protective systems.

    The fourth level of protection comprises measures that include accident management, directed to preserving the integrity of the confinement. The prime safety objectives are mitigation of on-site consequences and prevention of off-site consequences.

    The fifth level is that of off-site emergency response, aimed at mitigating the effects of the release of radioactive materials to the external environment.

    The defence in depth concept has been refined and strengthened through years of application. When properly applied, it ensures that no single human or mechanical failure would lead to injury to the public, and that even combinations of failures that are very unlikely would lead to little or no injury.

    The defence in depth concept provides an overall strategy and a very broad perspective for the evaluation of safety measures and safety features of a nuclear power plant. Therefore, this concept is systematically referred to in this project to provide a logical framework guiding the presentation and discussion of the material included in the report.

    In general, most of the components of defence in depth are implemented in WWER-440 model 213 plants. Respective sections of this report provide detailed discussion and evaluation of organizational, behavioural and design related measures used at successive levels of protection. Sections 2.2 - 2.7 address the general basis for design and Section 3 the general design features of the plant.


  • The safety design principle incorporates all four physical barriers providing confinement of the radioactive material. To a large extent the design of the plant is based on engineering practice proven in past use.

    Safety objectives and principles used in plant design are in general compliant with current international safety thinking. The plant is designed to cope with a set of events including normal conditions, anticipated operational occurrences and accident conditions. Conservative rules and criteria incorporating safety margins are used in design. The plant also has distinct inherent safety characteristics.

    Plant process control systems and engineered safety systems are included in the plant design. Safety systems make use of redundancy of design and the physical separation of parallel components, where appropriate. Safety related components, systems and structures are designed and constructed to allow for inspection and testing.

    A containment structure is designed to withstand the conditions resulting from the design basis accident. No explicit provisions have been made in the design for protection against severe accidents.

    A detailed discussion of design issues related to the defence in depth concept is provided in Sections 3 and 4 of this report.

    2.2. GENERAL BASIS FOR DESIGN

    The deterministic approach, basically comparable to the approach used in current international practice, was applied in the design process.

    The plant design takes into account that challenges to all echelons of defence may occur and provides appropriate design measures to ensure that the safety functions are accomplished and the safety objectives are met. The plant is designed to cope with a specified set of plant states. These plant states stem from events that lead to deviations from normal operation or to accident conditions. These events (further called postulated initiating events) range from single events, such as an equipment failure, human errors, man induced or natural events, to complex combinations of individual events and their failure effects. Conservative rules and criteria incorporating safety margins are used to define the plant conditions created by these events that are taken into account in the design process. Appropriate acceptance criteria are applied for each of the plant states to prove compliance with selected safety objectives.

    The engineering and normative basis used in this design concept for establishing the necessary capabilities of the plant is further called the design basis. The design basis includes all the logic elements mentioned above: specifications for selecting postulated initiating events that the plant has to accommodate, basic rules and assumptions used in the definition of plant conditions considered in the design, and acceptance criteria for proving compliance of the plant design with safety objectives.

    In general, the design concept described above is compliant with the Soviet standards "General Provisions for Assuring Safety at Nuclear Power Plants during Design, Construction and Operation" (OPB-82 [2]) and "Nuclear Safety Regulations for Nuclear Power Plants" (PBYa-04-74 [3]).

    The first document specifies some general safety criteria providing mandatory guidance in the design of the facilities. It also contains some technical, procedural and managerial requirements. The document describes the top level rules and regulations analogous to the United States General Design Criteria for Nuclear Power Plants from 10 CFR 50. Annex I provides a more detailed comparison of these two documents. The second document contains certain qualitative and quantitative requirements in regard to safety, addressing methods for achieving safety. An additional document related to the design basis concept, "Standard Content for Technical Substantiation of the Safety of a Nuclear Power Plant" (TOB), includes more detailed requirements concerning the minimum set of initiating events taken into account in the design process.

    The above mentioned documents constitute the basic normative framework that reflects the design basis philosophy of the vendor applicable to the design of Bohunice Units 3 and 4. OPB-82 is not referenced in any Bohunice design documentation, since the plant was in a well advanced phase of construction at the time of issue of the standard (the commissioning date was 1984). However, taking into account the relatively long period of time usually needed for issuing such standards, it should be assumed that the document reflects the safety design philosophy applied in design practice much earlier. The draft of OPB-82 must have been at the designers' disposal, since most of the model 213 improvements in comparison to the older model 230 are in accordance with OPB-82.

    Recent revisions of the documents OPB (issued in 1988 as OPB-88 [4]) and PBYa (issued in 1989 as PBYa-RUAES-89 [5]) introduce some changes and/or additional requirements; however, the general concept has not been altered. A full package of new normative documents that has been developed very recently, in addition to the general documents OPB and PBYa, includes several lower level standards and technical guides, such as:

    Norms for Strength Analyses of the Nuclear Power Plant Equipment and Pipelines (PNAE-G-7-002-86);
    Rules for Arrangement and Safe Operation of the Nuclear Power Plant Equipment and Pipelines (PU) (PNAE-G-7-008-89);
    Equipment and Pipelines for Nuclear Power Plants (PU) (PNAE-G-7-009-89);
    Equipment and Pipelines for Nuclear Power Plants. Weld Joints and Welds-on. Control Rules (PK) (PNAE-G-7-010-89);
    Equipment and Pipelines for Nuclear Power Plants. Welding, Weld-on. Main Provisions (OP) (PNAE-G-7-009-89).

    In comparison to existing norms and standards, those recently adopted introduce several significant changes that reflect current international philosophy in NPP safety. Consideration is given to accidents of very low likelihood but more severe than design basis accidents. Some elements of probabilistic safety assessment are introduced to provide the appropriate framework for the treatment of severe accidents. Several probabilistic safety requirements were introduced, such as a limiting value for the probability of severe core damage (less than 10^-5 per reactor year), limits for radioactivity release under severe accident conditions (3 x 10^4 Ci of I-131 for accident scenarios with an estimated probability higher than 10^-7 per reactor year), and a probability limit for reactor pressure vessel damage (10^-7 per reactor year).
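    To show how a limit of this kind is applied, the following added example (not from this report or from the WWER-440 vendor) performs a screening-level core damage frequency estimate and compares the result with the 10^-5 per reactor year value quoted above. Each initiating event frequency, per-train unavailability and common-cause beta factor in it is a constructed illustrative number, not Bohunice or WWER-440 data, and the safety function names are assumptions made for the illustration.

```python
"""Screening check of a core damage frequency estimate against the
1e-5 per reactor year limit quoted in the text.

Added example; not from IAEA-TECDOC-742 or the WWER-440 vendor.
Every frequency, train unavailability and common-cause beta factor
below is a constructed illustrative value, not plant data.
"""
from dataclasses import dataclass
from math import comb

CDF_LIMIT = 1e-5  # severe core damage, per reactor year (stated in the text)


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    trains: int       # redundant trains provided
    required: int     # trains that must operate for success (k-out-of-n)
    q_train: float    # per-train unavailability on demand (assumed)
    beta: float       # beta-factor share of q_train attributed to common cause (assumed)

    def failure_probability(self) -> float:
        """P(fewer than `required` trains respond): the common-cause share of the
        unavailability fails all trains at once, the remainder fails trains
        independently (binomial)."""
        q_ind = self.q_train * (1.0 - self.beta)
        n, k = self.trains, self.required
        p_indep = sum(
            comb(n, f) * q_ind ** f * (1.0 - q_ind) ** (n - f)
            for f in range(n - k + 1, n + 1)  # f = number of failed trains, too many
        )
        p_ccf = self.q_train * self.beta
        return 1.0 - (1.0 - p_indep) * (1.0 - p_ccf)


@dataclass(frozen=True)
class Sequence:
    initiator: str
    frequency: float   # per reactor year (assumed)
    needs: tuple       # safety functions that must all succeed to avoid core damage

    def core_damage_frequency(self) -> float:
        p_all_ok = 1.0
        for fn in self.needs:
            p_all_ok *= 1.0 - fn.failure_probability()
        return self.frequency * (1.0 - p_all_ok)


# Constructed safety functions (illustrative numbers only).
TRIP = SafetyFunction("reactor trip", trains=2, required=1, q_train=1e-4, beta=0.10)
EFW = SafetyFunction("emergency feedwater", trains=3, required=1, q_train=1e-3, beta=0.02)
ECCS = SafetyFunction("low pressure injection", trains=3, required=2, q_train=2e-3, beta=0.02)
EDG = SafetyFunction("emergency diesel power", trains=3, required=1, q_train=1e-2, beta=0.02)

# Constructed event sequences: initiator frequency and the functions it challenges.
SEQUENCES = (
    Sequence("transient with loss of main feedwater", 0.2, (TRIP, EFW)),
    Sequence("loss of off-site power", 0.05, (EDG, EFW)),
    Sequence("large LOCA", 1e-4, (ECCS,)),
)


def screen(sequences=SEQUENCES, limit=CDF_LIMIT) -> dict:
    """Sum the sequence contributions and compare with the limit. Returns the
    total, the verdict and the dominant initiator, which is where a design
    change or a finer analysis would start."""
    contributions = {s.initiator: s.core_damage_frequency() for s in sequences}
    total = sum(contributions.values())
    dominant = max(contributions, key=contributions.get)
    return {"total": total, "within_limit": total < limit,
            "dominant": dominant, "contributions": contributions}


if __name__ == "__main__":
    result = screen()
    for name, cdf in result["contributions"].items():
        print(f"{name:45s} {cdf:.2e} per reactor year")
    verdict = "OK" if result["within_limit"] else "EXCEEDED"
    print(f"total {result['total']:.2e}, limit {CDF_LIMIT:.0e}: {verdict} "
          f"(dominant: {result['dominant']})")
```

    With the constructed numbers the total lands at about 1.7 x 10^-5 per reactor year, above the limit, and the loss of off-site power sequence dominates; the useful output of such a screening is that ranking, which points at the diesel power function as the first place to look. The model is deliberately simple (functions within a sequence are treated as independent, and only one common-cause mode per function is represented); a real PSA uses fault trees per function and event trees per initiator.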

    More attention is given in the design to quality assurance. Introducing safety classes for equipment and pipelines provides an appropriate basis for the corresponding requirements of quality control. Stricter requirements are used for vessels and pipelines of the secondary circuit.

    Quality control of the welding process is improved by introducing stricter requirements concerning personnel qualification, as well as better technical means and an increased scope of weld joint inspection.

    Treatment of brittle fracture is improved by using temperature dependent stress intensity factors instead of applying the brittle fracture critical temperature alone. The permissible number of cycles used in calculating the fatigue strength was increased (from 10^6 to 10^12).

    2.3. DESIGN SAFETY OBJECTIVES

    The general safety objective for nuclear power plants is to protect individuals, society and the environment by establishing and maintaining an effective defence against radiological hazards. This general objective is usually expressed more specifically in the form of two complementary objectives: radiation protection and technical safety.

    The first objective is to ensure that during operational states the radiation exposure of site personnel and the public remains below prescribed limits and is kept as low as reasonably achievable (ALARA), and to ensure mitigation of the radiation exposures from accidents.

    The second objective is to prevent accidents in nuclear plants with high confidence; to ensure that, for all accidents taken into account in the design of the plant, even those of very low probability, radiological consequences are small; and to ensure that the likelihood of severe accidents with serious radiological consequences is extremely small.

    The Soviet standards OPB-82 and PBYa-04-74, with the related Radiation Safety Standards SP-AES-79, explicitly address the radiation protection objective by defining the system of dose limitation.

    The ALARA principle is not expressed directly in these standards. Such safety objectives are included explicitly in IAEA Safety Series No. 50-C-D (Rev.1) [6] and in 75-INSAG-3 [1], the US NRC Code of Federal Regulations 10 CFR 50 and other safety standards currently in use in other countries.

    These safety objectives are achieved by implementing various defence in depth measures. In addition to the rigorous application of conservative engineering practice used in setting design bases, some general safety principles and criteria directed to strengthening the defence in depth provisions are in fact included in the Soviet standards, although not all levels of defence are addressed with equal attention.

    The consideration currently given in IAEA Safety Series No. 50-C-D (Rev.1) and INSAG-3 to accidents of very low likelihood but more severe than those taken into account explicitly in the design (accidents beyond the design basis) is not directly incorporated in the design concept of the WWER-440 plants.

    In the current safety philosophy severe accidents are considered in a limited way. Considerations usually include the following elements:

    - identification of event sequences that lead to severe accidents;
    - consideration of existing plant capabilities, including the possible use of some systems beyond their originally intended function, to return the plant to a controlled state and to mitigate the consequences of the severe accident;
    - evaluation of potential design changes which could either reduce the likelihood of these events or mitigate the consequences;
    - establishment of accident management procedures, based on representative and dominant severe accidents.

    This type of analysis was lacking in the design process of the WWER-440 plants. Some elements of this approach are intended to be included in this project.

    2.4. POSTULATED INITIATING EVENTS

    The selection of postulated initiating events (PIEs) for use in the design basis should ensure that all credible events with potential for serious consequences and significant probability have been anticipated and can be accommodated by the design of the plant. There are no firm criteria to govern the selection. Compilation of the list of PIEs is usually based on engineering judgement and experience from previous nuclear plant design and operation. Some guidance may be provided on a probabilistic basis.

    Initiating events can be equipment failures that directly or indirectly affect the safety of the plant, human errors or other internal events such as fires, floods of internal origin, etc. External natural or man-induced events that are credible at a given site should have been taken into account in the design basis. OPB-82 includes an explicit requirement concerning natural external events to be considered as design basis initiating events.

    In the current safety philosophy the treatment of PIEs depends on their probabilities of occurrence and their consequences.

    Events classified as normal operating events, or for which there is a reasonable expectation of occurrence during the life of the plant, are required to be accommodated without any damage to the plant. Events of much lower probability that cause significant damage to items important to safety, or lead to accident conditions, should have acceptable consequences.

    Events of the latter class are the most essential element of the design basis, since the plant conditions created by these events tax the features of the safety systems. Safety systems are included in the plant design to protect against the possibility of occurrence of accidents that would otherwise contribute significantly to risk, or to mitigate the consequences of such accidents. Any engineered safety system is designed to prevent or to mitigate a specific spectrum of accidents. The accidents in this spectrum that determine the features of the safety system are termed the design basis accidents for that system. Design provisions introduced to cope with this class of events are considered as the third level of the defence in depth strategy (see Section 2.1).

    An important class of plant conditions included in the design basis covers operational processes deviating from normal operation which are expected to occur once or several times during the operating life of the plant. These plant conditions are initiated by malfunctions or faults of individual items of normally running plant; they are termed anticipated operational occurrences. These initiating events are considered in the design basis, since they often determine the plant process control system characteristics. When combined with other human or mechanical failures they may lead to accident conditions. Appropriate design provisions and plant feedback features are to be incorporated and verified, based on the plant conditions imposed by those initiating events. The related design features protect the plant against significant damage and prevent incidents from developing into accidents. They are considered as the second level of the defence in depth strategy (see Section 2.1).

    Normal operational conditions (including shutdown, power operation, shutting down, starting up, maintenance, testing and refuelling) are taken into account in the design in establishing a set of requirements and limitations for operation. They include constraints on process variables and parameters, safety system settings, requirements for maintenance, testing and inspections, etc. These requirements and limitations provide a basis for the establishment of "Operational Limits and Conditions" for plant operation.

    2.5. GENERAL DESIGN PRINCIPLES

    Some general conservative rules are applied in the design that relate to the definition of the plant conditions created by postulated initiating events, to be taken into account in the design basis. These rules may be considered as design measures that are used within the deterministic design approach to achieve the required high reliability of systems for the performance of safety functions.

    2.5.1. Single failure criterion

    The single failure criterion is a fundamental principle used in the design of nuclear power plants. This principle is also explicitly referred to in the general safety requirements OPB-82 to be applied in the design of WWER-440 plants, including the Bohunice NPP.

    The single failure criterion requires that the system under consideration is able to meet its intended function despite a single random failure, assumed to occur in any element of the system and not dependent on the initiating event. This rule is applied to any active element, and to any passive element having mechanical moving parts. Multiple failures resulting from a single occurrence are considered to be a single failure.

    The faults to be considered within the single failure criterion also include a single human error. Human errors may range from faulty or incomplete maintenance operations or incorrect setting of control equipment limits to wrong operator actions.

    According to OPB-82, an undetected failure of elements of safety systems that are not monitored during operation, and that could affect the performance of safety functions, should be taken into account in addition to a single failure of one of the types mentioned above. In some cases, when a high level of reliability of the above elements (or of the systems in which they are included) is demonstrated, or when the element is taken out of operation for a short time for maintenance, their failure need not be taken into account.

    Usually, the single failure criterion is applied to each safety group incorporated in the plant design. The safety group is that assembly of equipment which responds to a particular postulated initiating event in order that the limits specified in the design basis for that event are not exceeded [6].
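    The criterion as stated above can be applied mechanically to a model of a safety group. The following is an added example, not from this report and not a description of the Bohunice design: it postulates every active element, every passive element with moving parts, each multi-component occurrence and each single human error as one failure, evaluates the group's success function under each, and can additionally combine the single failure with an undetected failure of an unmonitored element as OPB-82 requires. The three-train injection group, its component names and the two multi-component occurrences are constructed for the illustration.

```python
"""Single failure criterion check for a safety group.

Added example; not from IAEA-TECDOC-742 and not the Bohunice design.
The plant model at the bottom is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Component:
    name: str
    kind: str               # "active", "passive_moving" or "passive_static"
    monitored: bool = True  # is its state observable during operation?


@dataclass
class SafetyGroup:
    name: str
    components: list
    # One occurrence (a bus fault, a single human error) that disables several
    # components at once; the criterion counts each such set as ONE failure.
    occurrences: dict
    # Success function of the group: given the set of lost component names,
    # does the group still perform its safety function?
    success: Callable[[set], bool]

    def postulated_single_failures(self) -> dict:
        """Everything the criterion postulates as a single failure: each active
        element, each passive element with moving parts, and each occurrence."""
        singles = {c.name: frozenset({c.name}) for c in self.components
                   if c.kind in ("active", "passive_moving")}
        return {**singles, **self.occurrences}

    def check(self, initiating_losses=frozenset(), with_undetected=False) -> list:
        """Return a sorted list of the postulated failures under which the function
        is lost; an empty list means the criterion is met.

        initiating_losses: components disabled by the initiating event itself
        (the single failure is random and independent of it, and is added on top).
        with_undetected: also combine each single failure with an undetected
        failure of one unmonitored element, as OPB-82 requires.
        """
        undetected = [frozenset({c.name}) for c in self.components if not c.monitored]
        extras = undetected if with_undetected and undetected else [frozenset()]
        violations = []
        for label, failed in self.postulated_single_failures().items():
            for extra in extras:
                lost = set(initiating_losses) | failed | extra
                if not self.success(lost):
                    suffix = f" + undetected {next(iter(extra))}" if extra else ""
                    violations.append(label + suffix)
        return sorted(violations)


# ---- constructed three-train low pressure injection group (illustration only) ----
TRAINS = ("A", "B", "C")


def _train(t: str) -> list:
    return [Component(f"pump_{t}", "active"),
            Component(f"mov_{t}", "passive_moving"),                  # motor-operated discharge valve
            Component(f"cv_{t}", "passive_moving", monitored=False)]  # check valve, no position indication


def lpi_success(lost: set) -> bool:
    """One of three trains suffices; a train delivers only if its pump,
    discharge valve and check valve are all available."""
    return any(not ({f"pump_{t}", f"mov_{t}", f"cv_{t}"} & lost) for t in TRAINS)


LPI = SafetyGroup(
    name="low pressure injection (constructed)",
    components=[c for t in TRAINS for c in _train(t)],
    occurrences={
        "loss of train A power supply": frozenset({"pump_A", "mov_A"}),
        # one human error after a periodic test leaves two discharge valves closed
        "valve line-up error after test": frozenset({"mov_A", "mov_B"}),
    },
    success=lpi_success,
)

if __name__ == "__main__":
    print("no consequential losses:", LPI.check() or "criterion met")
    print("LOCA disables pump C:   ", LPI.check(initiating_losses=frozenset({"pump_C"})) or "criterion met")
    print("plus undetected failure:", LPI.check(with_undetected=True) or "criterion met")
```

    Against the plain criterion the constructed group passes: no single component, bus loss or line-up error removes all three trains. It fails as soon as the initiating event itself is credited with disabling one train (the LOCA case), because the single human error that mis-positions two valves is counted as one failure and takes out the remaining two, and it fails again under the OPB-82 addition when that same error is combined with an undetected stuck check valve in the third train. The weak point the check exposes is the post-test line-up, a procedural rather than an equipment matter.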

    There are special cases where compliance with the single failure criterion is required for a specific safety system. For example, OPB-82 contains such an explicit requirement concerning the emergency protection system.

    Under the current design practice implemented in the design of WWER-440 NPPs the single failure criterion was interpreted selectively, depending on the initiating event, and its use involved some subjective judgement.

    For safety groups associated with a LOCA within the containment, single failures were assumed to occur simultaneously in each of the systems responding to the initiating event, including the reactor protection system, the active part of the ECCS (both the high pressure injection and the low pressure injection systems) and the passive part of the ECCS (the core flooding system).

    The single failure criterion was not applied in the case of LOCAs within the steam generator. In this case credit was given to a single valve (the primary loop isolation valve) for isolating the faulty SG from the reactor. PWR plants of non-Soviet design are not provided with primary loop isolation valves, and for this reason more attention was given to this type of accident (concerning both technical and procedural measures). It should be noted that consistent application of the single failure criterion to a WWER-440/213 steam generator LOCA would not require any modification of the plant, since the existing plant equipment is judged to be sufficient to cope with this accident, provided that appropriate emergency procedures are implemented for this initiating event. In this case the safety of the plant would be better than that of a plant without loop isolation valves.

    2.5.2. Combination of events

    The possibility of a combination of events in the definition of postulated initiating events and in the selection of candidates for the single failure criterion is normally restricted by some general rules.

    Normally, independent events are not considered to occur simultaneously. However, where a combination of randomly occurring individual events could credibly lead to anticipated operational occurrences or accident conditions, it should be considered as a basis for design [6].

    Events which may occur during a long period before the initiating event, with a relatively high expected probability of occurrence, should be considered as part of the original initiating event if proper provisions for their identification do not exist or if the time needed for the corrective action is long [6].

    For a relatively long period of post-event recovery, additional events may need to be taken into account, depending upon the length of the recovery period and the expected probability of the events. In this case it may be realistic to assume that the severity of an event which has to be taken in combination is not as high as is required to be assumed for the same kind of event considered over a time span corresponding to the whole life of the plant. For example, in the recovery period following a LOCA, if a random combination with an earthquake is required to be considered, the earthquake severity could be taken as less than the severity of the design basis earthquake of the plant.

    Certain events should be considered to be part of the original initiating event if there is a relatively high likelihood that they are consequences of the initiating event. An example of such consequential effects is a flood following an earthquake. Another combination of this type is loss of off-site power following a LOCA. This combination is typical for the design of the WWER-440 plants, due to certain plant features incorporated in the design, and it is taken into account in the design of the WWER-440. Other combinations, however, are in general not considered.

    2.5.3. Operator actions

    Normally, operator actions appropriate for mitigation of a particular initiating event may be taken into account in the definition of the design basis conditions. The operator actions to be considered are limited to those that are properly supported by sufficient information indicating the current status of the plant and are covered explicitly by existing operational procedures.

    Some realistic constraints should be applied with regard to the time margin available for the operator to take a decision and to perform appropriate actions. Operator interventions are only acceptable where the designer can demonstrate that the operator has sufficient time to decide and to act, that the necessary information is clearly and unambiguously presented, and that the physical environment following the accident is acceptable.

    The standards OPB-82 do not include explicit requirements concerning this issue. According to the recent edition OPB-88, operator actions taken within the first period of 10-30 minutes following the initiating event are not to be credited in the design.

    2.6. DESIGN BASIS ACCIDENTS

    The design basis accidents adopted in the design of Bohunice Units 3 and 4 are developed according to the general concept described in Sections 2.2 - 2.5.

    The Soviet standards OPB-82 do not provide detailed guidance related to design basis accidents. However, this document introduces the so-called maximum design basis accident (MDBA). This accident is initiated by an instantaneous, double-ended guillotine rupture of the primary coolant system pipe during operation of the reactor at nominal power (with allowance for a possible excess over nominal power due to errors and tolerances of the monitoring and control system).

    The accident created by this initiating event is in a certain sense "maximal", since it determines the design capabilities of several important safety systems, such as the containment system, the core flooding system and the low pressure injection system. No equivalent definition of a maximum DBA is used in the IAEA guidelines, in US NRC 10 CFR 50 or in any regulations used in the USA and in western Europe.

    In addition to the MDBA, a relatively large number of postulated initiating events was included in the design, based on international practice and on experience accumulated by design organizations and plant operators. The list of PIEs includes both anticipated operational occurrences and accidents, as discussed in Section 2.4. The plant conditions considered in the design basis are defined by application of the conservative rules discussed in Section 2.5. More detailed information concerning the initial conditions and boundary conditions of the plant is provided in Section 2.7.2.

    The design basis accidents originally taken into account by the Soviet vendor did not include anticipated transients without scram (ATWS). The current safety practice applied in the USA and in western Europe requires that ATWS be considered in the safety analysis. The argument used is not that reactor protection and reactor shutdown systems are unreliable, but that, because of the relatively high rate at which they are challenged by anticipated transients, an extraordinarily high reliability is required of them. The requirements regarding ATWS treatment were included to assure appropriate safety margins, since the needed reactor shutdown reliability was difficult to verify.

    Detailed information on the design basis accidents as adopted by the vendor is given in Section 5. A list of the design basis accidents selected for this study is provided in Annex II.

    2.7. ACCEPTANCE CRITERIA

    Acceptance criteria are included in the design basis to be used in showing compliance of the plant design with the design safety objectives. Both quantitative and qualitative conditions are applied for this purpose. These conditions are consistent with the deterministic design basis framework and with the safety philosophy based on the defence in depth concept. Various types of acceptance criteria are used at different levels of the design process. They range from very general conditions related to overall plant safety to very specific conditions concerning a particular type of plant equipment.

    Two very broad classes of acceptance criteria may be distinguished depending upon their application within the design basis framework. One class of acceptance criteria is used for system and component design. These criteria have the form of engineering design rules, based on engineering practice proven by past application, research, testing and dependable analysis. Criteria of this type have the simultaneous objectives of reliability and safety. Their use is intended to assure a balanced plant design with all levels of defence in depth well protected.

    Another class includes criteria applied in the analysis of the design basis accidents to show that for each of the plant states considered in the design basis the appropriate safety objectives are fulfilled. These criteria are established in the form of limiting conditions for certain process variables and important parameters of the plant. Criteria of this type are, in some cases, supplemented by detailed specifications concerning a particular method of analysis.

    2.7.1. Engineering rules for plant and system design

    Acceptance criteria in the form of engineering design rules are used for system and equipment design. Both very general and specific requirements are provided for this purpose in OPB-82 and PBYa-04-74.

    The engineering rules for use in the design of systems and devices important to safety included in OPB-82 and PBYa-04-74 are briefly presented in this report, addressing the various groups of safety related systems and equipment. The system classification and corresponding definitions given in the NUSS programme (Code on the Safety of Nuclear Power Plants: Design, Safety Series No. 50-C-D (Rev.1)) [6], which differ slightly from those used in the Soviet standards, are followed in this report (see footnote 1).

    When appropriate, some comments are provided concerning the most important differences between the Soviet safety principles and those used in other countries (in particular, the lack of certain generally accepted safety requirements is pointed out).

    2.7.1.1. General criteria

    (a) Radiation protection

    Nuclear power plants should be designed to ensure compliance with the existing radiation protection standards. Radiological acceptance criteria are established relating to the maximum permissible doses for personnel, the dose range for the population and the limits on the content of radioactive products in the environment during normal operation and planned emergencies. The specific criteria used in the design basis accident analysis are discussed in Section 2.7.2.

    (b) Safety functions

    In order to ensure an acceptable level of plant safety, appropriate safety systems should be incorporated in the plant to perform the following safety functions:

    - shut down the reactor and maintain it in safe shutdown conditions in operational states and in accident conditions;
    - remove residual heat from the core after reactor shutdown, including in accident conditions;
    - confine radioactive products within established limits during operational states and during accident conditions.

    (c) Quality of the plant

    A programme to ensure the quality of construction and operation of the plant should be established, addressing the activities of the organizations involved in design, fabrication, construction, erection, testing and operation. Inspection and acceptance by the appropriate organizations should be provided at all stages of the plant life. Appropriate records of the design, fabrication, erection and testing of structures, systems and components important to safety shall be maintained by the plant licensee throughout the life of the unit.

    1 Systems important to safety are defined to include "safety related systems/equipment" and "safety systems". The latter group includes the protection system (in Soviet standards referred to as "safety control systems"), safety actuation systems (in Soviet standards this group of systems is divided into "safety protective systems" and "accident localization systems") and safety system support features (Soviet term: "safety support systems").

    Current international safety practice requires that structures, systems and components be classified on the basis of their importance to safety. No such requirement was included in OPB-82 or in PBYa-04-74 (it is included in OPB-88).

    (d) Provision for in-service testing and maintenance

    Structures, systems and components important to safety should be designed to be periodically tested, maintained and inspected throughout the entire service life of the nuclear power plant with respect to their functional capability. A direct and complete check of conformity to the design characteristics should be made for systems and components important to safety. If such a check cannot be made, indirect or partial tests should be ensured and the corresponding methods and devices for this established. In-service tests and maintenance should not lead to a reduction of the safety level.

    (e) Design for optimized operator performance

    Appropriate provisions should be made in the design to eliminate or attenuate, if possible, the effects of erroneous actions of personnel which may lead to aggravation of the consequences of equipment failures.

    (f) Design for system reliability

    Quantitative reliability analysis is required for systems important to safety. However, no reliability targets are assigned to safety systems or functions. No explicit requirements are included with regard to the design features of the plant that determine the high level of reliability, such as diversity, independence, fail-safe design, etc.

    (g) Fire protection

    The only requirement concerning fire protection explicitly included in OPB-82 is that the capability for actuating safety systems and gathering adequate information on plant status should be maintained under fire conditions by the use of a stand-by control room. More specific acceptance criteria related to fire protection are used, based on the general standards applicable to thermal power engineering and industrial safety.

    (h) Effects associated with equipment failures

    The systems and components important to safety should be designed, manufactured and installed with regard to the possible mechanical, thermal, chemical and miscellaneous effects that arise as a result of the accidents included in the design basis. This requirement has been found not always to have been consistently considered in the design of the WWER-440.

    (i) Sharing of structures, systems and components

    Structures, systems and components important to safety should generally not be shared between two or more units. Nevertheless, if such structures, systems and components are shared, it should be demonstrated in the design that the integration of functions does not lead to a violation of the safety requirements.

    2.7.1.2. System specific criteria

    (a) Reactor core

    The reactor core and the associated coolant, control and protection systems are required to be designed with appropriate margins to assure that the fuel damage limits and the related levels of primary coolant activity are not exceeded during the entire calculated service life under normal operating conditions. This requirement is extended also to certain deviations from normal operation (provided that the safety systems are operable), as specified in OPB-82:

    - malfunctions of the reactor control and monitoring system;
    - loss of power supply to the primary coolant pumps;
    - switching off of turbine generators and heat sinks;
    - complete loss of the external power supply;
    - leaks in the primary coolant system within the capability of the normal make-up system.

    The rated maximum damage of fuel elements during normal operation is specified as 1% of the fuel elements with defects of the gas leak type and 0.1% of the fuel elements for which direct contact of the coolant with the fuel material occurs.

    The total power coefficient of reactivity should normally not be positive under any operational condition of the plant. If the total power coefficient is positive in any operating condition, the nuclear safety of the reactor must be assured and specially demonstrated in the design and operation.

    The reactor core must be designed so as to exclude the possibility of displacement of core components leading to an increase of reactivity.

    The characteristics of the fuel, the design of the reactor core, the primary circuit and other systems should exclude the possibility of a critical condition of the core during any accident (including those that lead to failure of the core or meltdown of the fuel). If this condition cannot be fulfilled, it should be demonstrated in the design that accidents leading to criticality of the core are beyond design basis accidents.

    (b) Reactivity control systems

    The means for shutting down the reactor should consist of at least two diverse systems (either independent devices or independent groups of devices). At least two of these systems should be capable, on their own, of rendering the reactor subcritical by an adequate margin from any operating condition (without exceeding the allowable limits of fuel element damage) and of maintaining it in a subcritical state at the operational temperature of the coolant.

    At least one of the envisaged two systems must be capable of bringing the reactor into a subcritical state and maintaining it in that state under normal and accident conditions, assuming a single failure in the system and failure of the control element with the highest reactivity worth.

    The reactivity control system must be capable of coping with a single disturbance in the monitoring and control system without allowing an increase of reactor power which could lead to exceeding the allowable limits of fuel element damage. The maximum worth of the reactivity control elements and the maximum possible rate of reactivity increase, in the case of erroneous actions of personnel or of a single disturbance in any system of the plant, should be limited so that the effect of the subsequent power increase does not lead to exceeding the maximum permissible pressure in the primary coolant system, to a non-permissible deterioration of core cooling or to meltdown of the fuel elements.

    (c) Reactor coolant system

    The reactor coolant system and its associated auxiliary systems should be designed in such a way as to withstand the static and dynamic loads and temperature effects anticipated during unintentional transients caused by:

    - ejection of the control element with the highest reactivity worth;
    - discharge of cold coolant into the core;
    - a sharp reduction of the primary coolant flow rate or disruption of heat removal from the primary coolant system.

    No direct requirements are included in OPB-82 or in PBYa-04-74 concerning the selection of material for the pressure vessel and the primary piping, the related design standards, or the inspectability and fabrication of the primary circuit equipment. No provisions are explicitly required in the above mentioned standards for a material surveillance programme for the reactor vessel and other important components, appropriate for determining the effects of irradiation and ageing on the structural material. In the case of Bohunice V-2 the above mentioned requirements are specified by the individual QA programme.

    (d) Instrumentation and control system

    A control room should be provided from which the reactor and other systems of the nuclear powerplant are monitored and controlled in all its operational states and during accident conditions.

    An instrumentation and control system should be provided for monitoring and recording processvariables over their possible ranges and automatic or remote control of normal operating systems in allmodes of operation. The monitoring and recording equipment should be adequate to ensure that essentialinformation is available for following the course of accident conditions and for planning the appropriatepersonnel actions.

    Means of monitoring and control of the nuclear fuel fission process should be provided in all modesof operation and under all conditions of the core (including refuelling), when conversion to a critical stateis possible.

    Indicators of the position of the reactivity control elements, monitoring of the concentration of dissolvedabsorbents and indicators of the state of all other reactivity control devices should be provided. Designdocumentation should contain analysis of possible hazardous response of the control systems that lead toviolation of safe operating limits in the case of system malfunctions (such as short circuits, loss of insulation,decrease of voltage, etc.). The systems should be checked for possible dangerous and spurious reactionsbefore the reactor is started up.

    The capability of detecting leaks in the primary coolant system should be assured.

    The radioactivity level of the coolant and the radioactive waste should be monitored.

    (e) Protection system

    A protection system which encompasses all electrical and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating signals for initiation and controlling operation of safety actuation systems and safety system support features, should be provided. The protection system through safety actuation systems should prevent or eliminate conditions that lead to damage of the fuel elements above the rated limits.

    Response of reactivity control elements should not depend on external power supply.

    Failure in the protection system should result in operations directed toward ensuring safety (fail-safe behaviour).


    The system should be designed for high reliability by following strict requirements on the quality of fabrication, checking and testing during operation, providing non-interruptible power supply and application of multichannel structure of the system. Independence of redundant channels should assure that no single failure (including common cause failures) affects system operability.

    The protection system should be separated from the monitoring and control system to exclude interference of these systems. Failure of any element or channel of the monitoring or control system should not affect the capability of the protection system to perform the intended safety function.

    The capability of manual actuation of the safety systems should be provided. Failure in the automatic initiation loop should not prevent manual initiation and performance of the appropriate safety function. Acting on a single element (key or button) should be sufficient for manual control.

    The system should be designed so that the initiated action provides completion of the function. Return to initial state should require sequential operations of the operator. Possibility of false response should be reduced to a minimum.

    The protection system should be designed to permit periodic testing of individual channels and the entire system when the reactor is in operation. If some part of the system is inoperable, then the appropriate information should be displayed in the control room.

    The capability of actuating the safety systems and of monitoring their operation from a stand-by control panel should be provided if for some reason this cannot be done from the main control room.

    (f) Protective safety systems

    Protective safety systems should perform safety functions required for mitigation of any postulated initiating event upon a single failure not dependent on an initiating event.

    Protective safety systems should include an emergency core cooling system, composed of several independent channels (trains), that ensures the required capability, assuming a failure independent of the initiating event, of any one channel of this system.

    Cooling systems (channels) designed for normal operation may be used as emergency core cooling systems if they meet the requirements applicable for safety systems. Measures preventing criticality of the reactor caused by the operation of emergency core cooling systems should be provided in the design.

    Operation of protective safety systems should not lead to damage of the equipment of normal operating systems. The number of responses of safety systems permissible during the service life of the plant (including spurious responses) should be substantiated in the design with regard to the effect on the operating life of equipment.

    (g) Containment systems

    Containment systems should be provided to confine radioactive materials that have escaped from the reactor installation during an accident considered in the design basis.

    The primary coolant system should be located in the leaktight building, either entirely or partially, so that in the case of design basis accidents localization of released radioactive material within the leaktight compartments is ensured. Controlled release of radioactivity into the environment is permissible in individual cases, if it is substantiated in the design that the plant safety is ensured with this release.


    Containment systems should fully perform their intended functions for all plant conditions considered in the design basis.

    In case of multi-unit plants individual localization systems should be provided for each unit. System equipment may be shared if it is proven in the design that accidents cannot spread from one unit to the other units.

    Containment systems should perform their functions during accidental leaks of coolant from the primary coolant system with regard to the consequential mechanical, thermal and chemical effects.

    In those cases when active heat removal is provided to prevent increase of pressure in the containment, there should be several redundant channels that ensure system operability, assuming a single failure.

    Each line that penetrates the containment, which should be closed in the event of accident conditions to prevent discharge of radioactive materials to the outside of the containment, should be fitted with at least two adequate containment isolation valves arranged in series, one outside and the other inside the containment.

    Each line that penetrates the containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, is permitted to have a single containment isolation valve located outside the containment.

    The accepted permissible rate of leakage of the containment boundary should be substantiated in the design and methods of achieving the given level of leaktightness should be indicated. Conformity of the achieved leakage rate of the containment with the design value should be confirmed after completion of installation work and should be checked regularly through the plant service life. The containment test before plant operation should be performed at the containment design pressure and subsequent tests are permitted at reduced pressure. The equipment located inside the containment should tolerate pressure tests without damage.

    OPB-82 does not include explicit requirements concerning containment atmosphere cleanup. A recent version of OPB-88 requires that appropriate measures, necessary to control the concentration of explosive gases in the containment atmosphere, are included in the design.

    (h) Safety system support features

    Support systems that supply safety systems with working media and energy during accidents considered in the design basis should be provided.

    Support systems should have suitable redundancy to perform their functions for all initiating events considered in the design basis, assuming a single failure.

    No specific requirements are provided in OPB-82 and PBYa-04-74 concerning emergency power supply systems. Such requirements are included explicitly in the IAEA Safety Series 50-C-D (Rev.1) and US NRC standards 10 CFR 50.

    (i) Fuel handling and radioactive waste storage systems

    Fresh or spent fuel storage systems should be designed to prevent criticality by physical means or processes, primarily by the use of geometrically safe configuration.


    A reliable residual heat removal system should be provided in spent fuel storage. Corresponding chemical composition of the heat removal medium should prevent damage to the fuel, as a result of which the radioactive material may enter the nuclear power plant buildings or the environment.

    Analysis of the composition and the amount of solid, liquid and gaseous radioactive wastes, both during normal operation and during accidents, should be included in the safety documentation of the plant.

    Means of reprocessing, locations and methods of temporary and long-term storage of wastes, requirements concerning the purification process prior to discharge of air into the atmosphere and of water into natural reservoirs, methods of transporting wastes within the plant and to long term storage should be determined.

    2.7.2. Criteria for design basis accident analysis

    Acceptance criteria used for the design basis accident analysis define initial and boundary conditions as well as limiting conditions for certain process variables or important parameters of the plant (including damage to fuel elements). Some requirements are also provided with regard to modelling aspects and computer code features.

    Acceptance criteria used by the vendor in the design process of the WWER-440 are specified both in the existing normative documents OPB-82, PBYa-04-74 (or their more recent revisions OPB-88, PBYa-RUAES-89) and in technical guidelines/engineering rules developed and implemented by the design organizations.

    The following technical guidelines are reported to be applied in the design of the WWER-440. Generally, initial conditions are established to take into account all possible deviations of process variables due to measurement errors and quality of control devices according to plant design specifications. Spatial power distribution is established to assure the most conservative conditions for each accident scenario. Pessimistic conditions are assumed also with regard to fuel burnup and associated reactivity coefficients (temperature, moderator density and Doppler effect coefficients).

    The activity and the content of radioactivity in the primary and secondary systems used in the analysis of radiological consequences are treated conservatively, taking into account the increase of fission product release from fuel elements due to operation of the reactor protection system, changes of the primary pressure, etc.

    When establishing boundary conditions, a maximum time delay of the reactor protection system is applied, based on experiments performed in the plant under operational conditions. The first signal for the reactor scram is considered to fail. The most effective control element is assumed to be stuck outside the core.

    Residual heat is assumed conservatively and includes decay heat of fission products, decay heat from U-238 absorption and fission from delayed neutrons.

    Operator actions directed to minimization of accident consequences are assumed to be undertaken only after a sufficient period of time (in most cases more than 30 min).

    Acceptance criteria used in the design basis accident analysis usually depend on the accident scenario. They are selected from the following list of criteria:

    (1) Primary pressure and secondary pressure should not exceed 115% of the nominal value.


    (2) Primary and secondary pressures should not exceed the limits determined by brittle fracture characteristics of the vessel and mechanical strength of the fuel elements.
    (3) Both short term and long term cooling of the primary circuit should be established.
    (4) Maximum acceptable damage of fuel elements for normal operation is 1% for defects of the gas leak type and 0.1% for defects with direct contact of the coolant and the nuclear fuel.
    (5) No boiling crisis should occur in the core (calculated with probability higher than 95% with 95% confidence level).
    (6) Maximum temperature of the fuel should not exceed the melting point of the fuel material during the whole transient.
    (7) Fuel cladding stresses should not exceed the specified limit for all operational conditions including power transitions and departures from normal operational conditions.
    (8) For transients with fast reactivity increase, radially averaged fuel enthalpy should not exceed 830 kJ/kg.
    (9) Maximum acceptable damage of fuel is limited by the following conditions:
        - maximum cladding temperature not exceeding 1200°C,
        - maximum local cladding oxidation not exceeding 18% of the initial mass of the cladding,
        - maximum total oxidation of Zr in the core not exceeding 1% of the total mass,
        - design deformations of the reactor core should not prevent sufficient coolability of fuel elements.
    (10) For accidents involving dropping of a spent fuel container, the plant design is acceptable without checking radiological consequences if the distance of the container drop does not exceed 9 m and container movement is slowed down by using special devices.
    (11) Dose limits accepted for normal operation should not be exceeded.
    (12) Dose equivalents measured at the boundary of the exclusion area should not exceed 5% of the limits established for accident conditions.
    (13) Dose equivalents measured at the boundary of the plant site should not exceed limits established for accident conditions.

    Existing normative documents related to the definition of design basis for WWER plants are quite general, and in fact, they leave a considerable area within the judgement of the responsible organizations. It is reported that the list of criteria used in the design, as well as respective numerical values used in the definition of limits, are selected during the design process on a case by case basis. Criteria used in the design basis analysis depend on the type of accident initiator. For scenarios classified as anticipated operational occurrences criteria (1), (3) - (7) and (11) are usually applied. For some reactivity induced accidents criterion (2) is applied additionally. Criteria used by Soviet design organizations for scenarios classified as design basis accidents are listed in Table I.

    Similar criteria are being developed or have already been developed in the former CSFR, to be used by the operators and regulatory organization in accident analysis of WWER plants. For two groups of accidents, namely reactivity induced accidents and loss of flow accidents, these criteria and relevant requirements have been officially issued in national regulatory guidelines [7, 8]. Short summaries of these two documents are provided in Sections 2.7.2.1 and 2.7.2.2, respectively. For the other two groups, i.e. large secondary steam leaks and loss of reactor coolant accidents (LOCAs), a proposal for such criteria has been elaborated and presented for utilization within this project [9, 10], but without any formalized approval by the regulatory body. Summary requirements for these two groups of accidents are given in Sections 2.7.2.3 and 2.7.2.4, respectively.

    It should be noted that criteria which have been developed so far are neither sufficiently comprehensive nor fully completed. Criteria proposed for individual accidents may also differ from practices of other countries. Unification of these criteria seems to be very desirable.

    TABLE I. ACCEPTANCE CRITERIA USED IN DBA ANALYSIS OF WWER NPPs

    Definition of initiating event/accident                                                   Criteria used in the design
    --------------------------------------------------------------------------------------    ---------------------------
    Spurious opening of pressurizer safety valve or safety relief valve                       1, 2, 3, 5, 6, 11
    Spectrum of small break LOCAs caused by postulated ruptures of primary circuit piping     1, 2, 3, 6, 9, 12
    Control rod ejection with control rod drive head rupture                                  1, 2, 3, 6, 12
    Seizure of one RCP                                                                        1, 3, 6, 8, 12
    Rupture of SG feedwater pipeline                                                          1, 6, 12
    Spectrum of various steam line ruptures inside and outside the containment
      (including rupture of a single SG tube)                                                 1, 2, 3, 6, 12
    Break of the shaft of one RCP                                                             1, 3, 6, 12
    The most unfavourable accidents during fuel manipulations inside the containment
      and in the spent fuel storage                                                           11
    Accidents due to spent fuel container drop                                                10, 11
    Leakage from or malfunction of gaseous radioactive wastes system                          12
    Leakage from or malfunction of liquid radioactive wastes tank                             12
    Postulated release of radioactivity due to rupture of liquid wastes tank                  13
    SG collector cover rupture or several SG tubes rupture                                    1, 2, 3, 6, 9, 13

    Acceptance criteria for reactivity induced transients, loss of RCS flow accidents, large steam leaks from the secondary circuit, and loss of reactor coolant accidents (i.e. the criteria available in the Czech Republic and Slovakia until now) are presented in the following sections together with additional requirements concerning modeling aspects and computer code capabilities. Some of these requirements, mainly those related to computer code capabilities, may be considered as not fully relevant since considerable progress has been made in development of the best estimate codes. These criteria are proposed to be used in the design basis analysis of the project.
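    The case-by-case selection described above (the numbered list of criteria (1)-(13) and the per-event assignment of Table I) is easy to get wrong in practice when the applicable subset differs between scenarios. The following Python script is an added example for this page, not code from the IAEA report or from the design organizations: it encodes the numeric limits quoted in the text as predicates, encodes the Table I rows as a mapping, and screens a transient summary only against the criteria that apply to the chosen initiating event. The dataclass field names, the short event labels and the sample summary values are constructed for illustration; criteria that the text defines only by reference to a separate analysis ((2), (3), (7), (11)) are carried as booleans rather than numbers.

```python
"""Screening of a DBA transient summary against acceptance criteria (1)-(13)
of Section 2.7.2 and the event-to-criteria assignment of Table I.
Added example for this page, not code from IAEA-TECDOC-742 or the design
organizations; limits are those quoted in the text, everything else
(field names, event labels, sample values) is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

PRESSURE_LIMIT_FRACTION = 1.15        # (1) 115 % of nominal pressure
GAS_LEAK_DEFECT_LIMIT = 0.01          # (4) 1 % of fuel elements
COOLANT_CONTACT_DEFECT_LIMIT = 0.001  # (4) 0.1 % of fuel elements
ENTHALPY_LIMIT_KJ_KG = 830.0          # (8) radially averaged fuel enthalpy
PEAK_CLAD_TEMP_C = 1200.0             # (9) maximum cladding temperature
LOCAL_OXIDATION_LIMIT = 0.18          # (9) 18 % of initial cladding mass
TOTAL_ZR_OXIDATION_LIMIT = 0.01       # (9) 1 % of total Zr mass in the core
CONTAINER_DROP_LIMIT_M = 9.0          # (10) drop height with slowing devices
EXCLUSION_AREA_DOSE_FRACTION = 0.05   # (12) 5 % of the accident-condition limits


@dataclass
class TransientSummary:
    """Bounding results of one DBA calculation (constructed input shape)."""
    nominal_primary_mpa: float
    nominal_secondary_mpa: float
    peak_primary_mpa: float
    peak_secondary_mpa: float
    within_brittle_fracture_limits: bool = True   # (2) from a separate analysis
    cooling_established: bool = True              # (3) from a separate analysis
    gas_leak_defect_fraction: float = 0.0         # (4)
    coolant_contact_defect_fraction: float = 0.0  # (4)
    dnb_predicted: bool = False                   # (5) on a 95 %/95 % basis
    peak_fuel_temp_c: float = 0.0                 # (6)
    fuel_melting_point_c: float = 2840.0          # (6) fresh-fuel value quoted in 2.7.2.1
    cladding_stress_within_limit: bool = True     # (7) from a separate analysis
    peak_fuel_enthalpy_kj_kg: float = 0.0         # (8)
    peak_clad_temp_c: float = 0.0                 # (9)
    max_local_oxidation: float = 0.0              # (9) fraction of cladding mass
    total_zr_oxidation: float = 0.0               # (9) fraction of core Zr mass
    coolable_geometry: bool = True                # (9)
    container_drop_m: Optional[float] = None      # (10)
    container_drop_slowed: bool = False           # (10)
    normal_dose_limits_met: bool = True           # (11) from a separate analysis
    exclusion_dose_fraction: float = 0.0          # (12) fraction of accident limit
    site_dose_fraction: float = 0.0               # (13) fraction of accident limit


# One predicate per numbered criterion; True means the criterion is met.
CRITERIA: dict[int, Callable[[TransientSummary], bool]] = {
    1: lambda s: (s.peak_primary_mpa <= PRESSURE_LIMIT_FRACTION * s.nominal_primary_mpa
                  and s.peak_secondary_mpa <= PRESSURE_LIMIT_FRACTION * s.nominal_secondary_mpa),
    2: lambda s: s.within_brittle_fracture_limits,
    3: lambda s: s.cooling_established,
    4: lambda s: (s.gas_leak_defect_fraction <= GAS_LEAK_DEFECT_LIMIT
                  and s.coolant_contact_defect_fraction <= COOLANT_CONTACT_DEFECT_LIMIT),
    5: lambda s: not s.dnb_predicted,
    6: lambda s: s.peak_fuel_temp_c < s.fuel_melting_point_c,
    7: lambda s: s.cladding_stress_within_limit,
    8: lambda s: s.peak_fuel_enthalpy_kj_kg <= ENTHALPY_LIMIT_KJ_KG,
    9: lambda s: (s.peak_clad_temp_c <= PEAK_CLAD_TEMP_C
                  and s.max_local_oxidation <= LOCAL_OXIDATION_LIMIT
                  and s.total_zr_oxidation <= TOTAL_ZR_OXIDATION_LIMIT
                  and s.coolable_geometry),
    10: lambda s: (s.container_drop_m is not None
                   and s.container_drop_m <= CONTAINER_DROP_LIMIT_M and s.container_drop_slowed),
    11: lambda s: s.normal_dose_limits_met,
    12: lambda s: s.exclusion_dose_fraction <= EXCLUSION_AREA_DOSE_FRACTION,
    13: lambda s: s.site_dose_fraction <= 1.0,
}

# Table I rows, keyed by constructed short labels for the initiating events.
TABLE_I: dict[str, tuple[int, ...]] = {
    "pressurizer_valve_spurious_opening": (1, 2, 3, 5, 6, 11),
    "small_break_loca": (1, 2, 3, 6, 9, 12),
    "control_rod_ejection": (1, 2, 3, 6, 12),
    "rcp_seizure": (1, 3, 6, 8, 12),
    "sg_feedwater_pipe_rupture": (1, 6, 12),
    "steam_line_rupture": (1, 2, 3, 6, 12),
    "rcp_shaft_break": (1, 3, 6, 12),
    "fuel_handling_accident": (11,),
    "spent_fuel_container_drop": (10, 11),
    "gaseous_waste_system_leak": (12,),
    "liquid_waste_tank_leak": (12,),
    "liquid_waste_tank_rupture": (13,),
    "sg_collector_cover_rupture": (1, 2, 3, 6, 9, 13),
}


def screen(event: str, summary: TransientSummary) -> dict[int, bool]:
    """Evaluate only the criteria Table I assigns to `event`."""
    return {n: CRITERIA[n](summary) for n in TABLE_I[event]}


def failed_criteria(event: str, summary: TransientSummary) -> list[int]:
    """Numbers of the applicable criteria that the summary violates."""
    return [n for n, ok in screen(event, summary).items() if not ok]


# Constructed small-break LOCA summary; the numbers are illustrative, not plant data.
SAMPLE_SBLOCA = TransientSummary(
    nominal_primary_mpa=12.3, nominal_secondary_mpa=4.6,
    peak_primary_mpa=13.1, peak_secondary_mpa=4.9,
    peak_fuel_temp_c=1900.0, peak_clad_temp_c=1050.0,
    max_local_oxidation=0.06, total_zr_oxidation=0.002, exclusion_dose_fraction=0.02)
```

    Calling `failed_criteria("small_break_loca", SAMPLE_SBLOCA)` returns an empty list for the sample; raising `peak_clad_temp_c` above 1200°C makes criterion (9) fail for the small break LOCA row, while the same summary screened under `control_rod_ejection` still passes because Table I does not assign criterion (9) to that event. That difference is exactly the case-by-case selection the text describes, and keeping the assignment in one table makes it reviewable in isolation from the limit values.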

    2.7.2.1. Reactivity induced transients

    Initiating events considered in this group include: uncontrolled withdrawal of a group of control elements during startup (a) and during power operation (b), various inoperabilities of control elements (c), inadvertent connection of a cold loop to the reactor (d), uncontrolled reduction of boron concentration in the reactor coolant (e), and control element ejection (f).


    The acceptance criteria for process variables and system parameters are as follows:

    (1) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level);
    (2) No fuel melting (melting point 2840°C for fresh fuel, 2670°C for burnout fuel);
    (3) Primary pressure lower than 13.8 MPa (approximately 110% of the nominal value);
    (4) No direct steam relief from the secondary circuit to the atmosphere;
    (5) Sufficient time for the operator actions (30 min during refuelling, 15 min for other operational regimes);
    (6) Peak value of the RCS pressure lower than the pressure that would result in the stresses exceeding the ASME Code [11], service limit C (non-acceptable stresses);
    (7) Radially averaged fuel enthalpy in any point of the core lower than 840 kJ/kg (acceptable fuel damage from the point of view of long-term coolability of the fuel elements);
    (8) Doses to the most exposed people at the plant surroundings not exceeding limits specified in general radiation protection standards.

    The acceptance criteria applied depend on initiating event:

    - for initiating events (a) and (c) - criteria (1) and (2);
    - for initiating events (b) and (d) - criteria (1), (2), (3) and (4);
    - for initiating event (e) - criteria (1), (2), (3), (4) and (5);
    - for initiating event (f) - criteria (6), (7) and (8).

    Radiological consequences of the accident, criterion (8), are based on the expected number of fuel elements that are damaged during the accident. The fuel element is assumed to be damaged, if:

    - a boiling crisis occurred, according to acceptance criterion (1), or
    - radially averaged fuel enthalpy at any point of the core exceeded 710 kJ/kg.

    Initial conditions at the initiating event onset are defined as follows:

    - reactor power known with 2% accuracy;
    - most conservative combination of reactivity coefficients (moderator temperature, moderator density, Doppler effect) and spatial power distributions;
    - pessimistic values of delayed neutron fractions and prompt neutron lifetime;
    - conservative heat transport properties of the fuel;
    - conservative values of the core flow rate, inlet/outlet temperatures and pressures. Pessimistic conditions depend on the initiating event and sensitivity studies are recommended for their selection.

    Boundary conditions are defined as follows:

    - maximum time delay of the reactor protection system and minimum efficiency of control elements;
    - most effective control element stuck at the top position after reactor scram;
    - if three-dimensional neutron calculations are not applied, conservative assumptions concerning reactivity spatial effects;
    - conservative power distribution, assuming its changes during the transient;
    - sensitivity studies of Doppler effect coefficient, gas-gap heat transfer coefficient, and other important parameters are required.

    Required computer code capabilities:

    - model combining neutronic and thermal hydraulic characteristics of the core; for some applications a simplified model of the primary and secondary circuit should be included;
    - all necessary feedback effects adequately included;
    - at least six groups of delayed neutrons taken into account;
    - axial nodalization of the fuel channel, radial nodalization of the fuel element, modelling of coolant flow along the fuel channel length and control element insertion should be possible;
    - if space dependent kinetics is not modeled, the effect of the neutron flux distribution changes during the transient on inserted reactivity, feedback coefficients, accumulated heat, total energy released and heat transport to the coolant should be examined.

    2.7.2.2. Loss of RCS flow accidents

    Initiating events considered in this group include: seizure of one RCP, coastdown of several RCPs, coastdown of all RCPs. A different number of RCPs initially in operation should be considered for each initiating event.

    Acceptance criteria for process variables and system parameters are as follows:

    (1) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level); corresponding values of DNBR may differ considerably depending on the CHF correlation (see [10]);
    (2) No fuel melting (very unlikely for these IEs);
    (3) Primary system pressure during the early phase of the transient (RCP speed >10% of the nominal value) should not exceed 110% of the nominal value;
    (4) Safe transition to natural circulation;
    (5) No coolant boiling at the average channel outlet (a more stringent criterion used in addition to criterion (4) to avoid unfavourable two phase flow phenomena that may disturb natural circulation or lead to early core uncovering).

    Initial conditions at the initiating event onset are defined as follows:

    - reactor power equal to 102% of the nominal value; the nominal value of the reactor power should depend on the number of operating RCPs (83.5%, 67.0%, 50% for 5, 4, 3 RCPs operating, respectively);
    - inlet core coolant temperature 2 K higher than the nominal value;
    - coolant pressure 0.2 MPa lower than the nominal value; reactor coolant flow rate equal to 96% of the nominal value; the nominal value of the reactor coolant flow should depend on the number of operating RCPs (88.7%, 75.3%, 59.5% for 5, 4, 3 RCPs operating, respectively; it is assumed that main gate valves in non-operating primary loops are closed);
    - conservative assumptions concerning reactivity coefficients and power distribution (from the point of view of the boiling crisis criterion);
    - conservative assumption concerning core flow and by-pass flow distribution;
    - residual heat calculated using the ANS correlation with 20% uncertainty, infinitely long fuel irradiation, conservative assumption concerning reactor power prior to the initiating event (applicable for cases with a reduced number of operating RCPs).

    Boundary conditions are defined as follows:

    - both correct and incorrect operation of the reactor power control system should be considered;
    - maximum time delay of the reactor protection system, low insertion velocity and low efficiency of control elements;
    - heat transfer to primary circuit components should be considered;
    - possible failures of the pressurizer heaters and the coolant injection should be taken into account.


    Required computer code capabilities:

    - residual decay heat taken into account;
    - parallel channels in the core modeled;
    - non-ideal mixing in the lower plenum;
    - thermal hydraulic model of the primary circuit and possibly a simplified model of the secondary circuit;
    - basic controllers (including reactor power control, ROM-limitation of the reactor power, pressurizer pressure and level control, feedwater flow control, turbine power control, SG safety valves and steam dump station (BRU-A) control) should be modeled.

    2.7.2.3. Large secondary steam leaks

    Initiating events considered in this group include: main steam header rupture, SG pipeline rupture (full or partial), inadvertent opening of secondary steam dump facilities (SG safety valves, BRU-A, BRU-K).

    Acceptance criteria for process variables and system parameters are as follows:

    (1) Pressure and temperature in the primary circuit should be kept within the acceptable limits established with regard to brittle as well as ductile fracture;

    (2) Reactor core should not be recritical due to rapid cooling down of the primary circuit; reactor subcriticality should be assured also during long term cooling;

    (3) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level); corresponding values of DNBR may differ considerably depending on the CHF correlation (see [10]);

    (4) Maximum confinement pressure/temperature and maximum confinement differential pressure should not exceed design values with sufficient margins;

    (5) Dose equivalents for the most endangered individuals should be less than 0.25 Sv for the whole body, 1.5 Sv for the thyroid in adults, 0.75 Sv for the thyroid in children; complementary criteria for intervention levels (sheltering, iodine prophylaxis, evacuation, limited food consumption) must be checked.

    Initial conditions at the initiating event onset are defined as follows:

    - conservative value of reactor power - either hot state-zero power or 102% of the nominal value should be used in checking specific acceptance criteria (typically hot state-zero power is conservat