  • IAEA-EBP-RBMK-01

    XA9744134

    RBMK SHUTDOWN SYSTEMS

    A PUBLICATION OF THE EXTRABUDGETARY PROGRAMME ON THE SAFETY OF WWER AND RBMK NUCLEAR POWER PLANTS

    June 1995

    INTERNATIONAL ATOMIC ENERGY AGENCY

  • The originating Section of this publication in the IAEA was:

    Safety Assessment Section
    International Atomic Energy Agency
    Wagramerstrasse 5
    P.O. Box 100
    A-1400 Vienna, Austria

    RBMK SHUTDOWN SYSTEMS
    IAEA, VIENNA, 1995
    IAEA-EBP-RBMK-01

    © IAEA, 1995

    Printed by the IAEA in Austria
    June 1995

  • FOREWORD

    The IAEA initiated in 1990 a programme to assist the countries of central and eastern Europe and the former Soviet Union in evaluating the safety of their first generation WWER-440/230 nuclear power plants. The main objectives of the Programme were: to identify major design and operational safety issues; to establish international consensus on priorities for safety improvements; and to provide assistance in the review of the completeness and adequacy of safety improvement programmes.

    The scope of the Programme was extended in 1992 to include RBMK, WWER-440/213 and WWER-1000 plants in operation and under construction. The Programme is complemented by national and regional technical co-operation projects.

    The Programme is pursued by means of plant specific safety review missions to assess the adequacy of design and operational practices; Assessment of Safety Significant Events Team (ASSET) reviews of operational performance; reviews of plant design, including seismic safety studies; and topical meetings on generic safety issues. Other components are: follow-up safety missions to nuclear plants to check the status of implementation of IAEA recommendations; assessments of safety improvements implemented or proposed; peer reviews of safety studies, and training workshops. The IAEA is also maintaining a database on the technical safety issues identified for each plant and the status of implementation of safety improvements. An additional important element is the provision of assistance by the IAEA to strengthen regulatory authorities.

    The Programme is extrabudgetary and depends on voluntary contributions from IAEA Member States. Steering Committees provide co-ordination and guidance to the IAEA on technical matters and serve as forums for exchange of information with the European Commission and with other international and financial organizations. The general scope and results of the Programme are reviewed at Advisory Group meetings.

    The Programme, which takes into account the results of other relevant national, bilateral and multilateral activities, provides a forum to establish international consensus on the technical basis for upgrading the safety of WWER and RBMK nuclear power plants.

    The IAEA further provides technical advice in the co-ordination structure established by the Group of 24 OECD countries through the European Commission to provide technical assistance on nuclear safety matters to the countries of central and eastern Europe and the former Soviet Union.

    Results, recommendations and conclusions resulting from the IAEA Programme are intended only to assist national decision makers who have the sole responsibilities for the regulation and safe operation of their nuclear power plants. Moreover, they do not replace a comprehensive safety assessment which needs to be performed in the frame of the national licensing process.

  • EDITORIAL NOTE

    In preparing this publication for press, staff of the IAEA have made up the pages from the original manuscript(s). The views expressed do not necessarily reflect those of the governments of the nominating Member States or of the nominating organizations.

    Throughout the text names of Member States are retained as they were when the text was compiled.

    The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.

    The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.

  • CONTENTS

    SUMMARY

    1. INTRODUCTION
    1.1. Background
    1.2. Objective

    2. SHUTDOWN SYSTEMS OF THE SMOLENSK NPP UNIT 3

    3. INTERNATIONAL PRINCIPLES AND NATIONAL IMPLEMENTATION OF SHUTDOWN SYSTEM REQUIREMENTS
    3.1. Basic principles
    3.1.1. Reactor shutdown means
    3.1.2. Types of shutdown means
    3.1.3. Reliability
    3.1.4. Shutdown and holddown effectiveness
    3.1.5. Rate of shutdown
    3.2. Russian approach
    3.3. German approach
    3.4. Canadian approach

    4. EVALUATION OF SHUTDOWN SYSTEMS OF SMOLENSK NPP UNIT 3
    4.1. Evaluation relative to the NUSS Code and Guides
    4.2. Evaluation relative to the German codes and standards
    4.2.1. Independence
    4.2.2. Diversity
    4.2.3. Shutdown time
    4.2.4. Holddown time
    4.2.5. ATWS
    4.2.6. Summary
    4.3. Evaluation relative to the Canadian practice

    5. CONCLUSIONS AND RECOMMENDATIONS

    REFERENCES

    ABBREVIATIONS

    CONTRIBUTORS TO DRAFTING AND REVIEW

  • SUMMARY

    In the framework of the IAEA Extrabudgetary Programme on the safety of RBMK NPPs the shutdown systems have been recognized as an important safety issue.

    A topical meeting was organized by the IAEA to review the implementation of the basic principles of shutdown system requirements in the Smolensk 3 NPP design. The requirements on independence, diversity, shutdown effectiveness and holddown capability were considered.

    The review was based on IAEA NUSS publications, national standards presently in force in the Russian Federation, Canada and Germany and regulatory practices used in the OECD countries.

    Recently introduced Russian safety requirements specify that there should be two shutdown systems installed in RBMK reactors. While it is recognized that the RBMK was designed to earlier standards, the Russian designers and regulators consider that the two systems meet the intent of the new Russian regulations.

    It was agreed by all participants that the two systems cannot be considered fully independent and diverse. However, Russian designers and regulators consider that the drawbacks identified by the meeting participants will not reduce the level of Smolensk 3 safety which has been reported by Russian experts in the Smolensk safety analysis report (TOB).

    The intent of the Russian designers to develop and modernize the RBMK control and protection system to provide a higher level of safety was strongly supported. They further indicated that the design shall be in strict accordance with the recommendations of IAEA Safety Standards.

  • 1. INTRODUCTION

    1.1. BACKGROUND

    The shutdown requirements of RBMK reactors have been addressed for the first time within the IAEA Extrabudgetary Programme on the Safety of RBMK Nuclear Power Plants during a Consultants Meeting convened by the IAEA in Vienna, 27 October - 5 November 1992 on Safety Assessment of Proposed Improvements to RBMK Nuclear Power Plants [1].

    During the IAEA Safety Review Mission to Smolensk Unit 3 in June 1993, it was recommended that a joint review of experts from OECD countries and RBMK specialists should be undertaken to evaluate the adequacy of the existing shutdown systems.

    The different points of view between RBMK specialists and specialists from OECD countries on this safety issue could also not be reconciled at the Consultants Meeting on Prioritization of Safety Improvements of RBMK NPPs held in September 1993 in Vienna.

    Therefore, it was strongly recommended by the Steering Committee that the IAEA should convene a topical meeting on the RBMK shutdown requirements to understand the Russian concept of two shutdown systems in the light of international principles and to compare it with IAEA NUSS (Nuclear Safety Standards) Code and Guides, regulatory practices and underlying safety standards used in OECD countries.

    The meeting was held at the Paul Scherrer Institute in Switzerland, from 13 to 18 December, 1993. Participants from Canada, France, Germany, Switzerland, the Russian Federation and from the IAEA took part in the meeting (see Contributors to drafting and review).

    1.2. OBJECTIVE

    The objective of the meeting was to review implementation of the basic principles of shutdown system requirements in the design of the Smolensk 3 NPP shutdown systems.

    The review was to be based on:

    - IAEA NUSS publications: Code on the Safety of Nuclear Power Plants: Design, Safety Series No. 50-C-D (Rev. 1) [2] and Guide on the Design for Reactor Core Safety in Nuclear Power Plants, Safety Series No. 50-SG-D14 [3].

    - National standards presently in force in Russia (PBYa-89 [4]), Canada (AECB Regulatory Document R-8 [5]) and Germany (KTA-Standards 3101.2, 3103, 3104 [6]).

    - Regulatory practices used in the OECD countries.

    The purpose of the meeting was to define compatibility of the two shutdown systems identified for the Smolensk 3 NPP with the requirements on independence, diversity, shutdown effectiveness, and holddown capability.

    2. SHUTDOWN SYSTEMS OF THE SMOLENSK NPP UNIT 3

    According to Russian RBMK specialists, the systems of RBMK reactor shutdown for the Unit 3 of the Smolensk NPP consist of:

    - The system of fast-acting emergency protection (BAZ),
    - The system of emergency protection (AZ-1).

  • The BAZ system contains 24 BAZ rods. The AZ-1 system includes 187 rods of other types (see Figure 1).

    These control rods have a variety of assignments as shown in Table I.

    TABLE I. CONTROL ROD ASSIGNMENTS

    | Type | Number | Function |
    |---|---|---|
    | Fast acting scram | 24 | Scram rods - normally withdrawn. |
    | Bottom rods | 32 | Short rods - insert from the bottom, used for axial power shaping. |
    | Local power regulation | 9 | Automatically controlled by flux monitors, one rod assigned to each of the nine local control zones. |
    | Local protection rods | 18 | Two rods in each local control zone are available for insertion in the two following cases: (a) if local power exceeds a preset local power level by 10%; (b) if local power exceeds a preset local power level by 2% accompanied by AZ-3 or AZ-4 modes. |
    | Manual control rods | 128 | Operator controlled - used for power shaping and control in normal operating conditions. |

    The 24 uniformly distributed fast acting scram rods have a modified drive mechanism that allows them to be inserted into the reactor in less than 2.5 s (the actual time is about 1.8 to 2.5 s) when a fast scram, BAZ, is actuated. During a 'normal scram', AZ-1, these fast acting scram rods will be inserted in about 7 s. These rods are not under operator control as such and can only be moved under motor control to withdraw them following a scram; the route for this action is heavily interlocked.

    The 32 bottom rods are also uniformly distributed throughout the core. These rods are shorter than the other control rods and are inserted from the bottom of the reactor. The bottom rods will insert into the reactor in about 8 s when either a BAZ or AZ-1 trip is actuated. The power arrangements and mechanical brake arrangements are such that these rods do not drop out of the core in the event of loss of power. The rods are usually under manual control and are used to help control the axial power shape.

    The nine local power control rods and the 18 local protection rods can also be controlled manually by the operator. These rods, along with the 128 manual control rods, will insert into the reactor in about 12 seconds when either a BAZ or an AZ-1 trip is actuated.

    The main differences between the BAZ rods and drives and the other control rods are:

    (1) There are no displacers in BAZ rods and these rods move in channels with water film. There are displacers in AZ rods and these rods move in channels filled with cooling water.

    (2) BAZ rods have a greater length of the absorbing part.

    (3) The BAZ drive mechanism design is to some extent different compared with the drive mechanism design for other control rods; in particular, the transmission ratio of the reduction gear is reduced and a number of improved design elements is used.

  • FIG. 1. RBMK - control rods design. Legend: 1 - present design; 2 - skirt design; 3 - FASS rod; 4 and 5 - cluster design (under development).

  • Thus, the BAZ rods insertion time into the core is reduced to 1.8-2.5 s compared with 12-14 s for other rods.

    Figure 2 shows the structure of the RBMK reactor shutdown systems.

    Three subsystems are available for out-core detector monitoring:

    (1) Power excursion rate protection during start-up (PERPS) provides reactor scram if there is a reactor power increase within a period less than 20 s detected by 2 of 4 PERPS monitoring channels.

    (2) Power excursion rate protection in working range (PERPW) provides reactor scram if there is a reactor power increase within a period less than 20 s detected by 2 of 3 PERPW monitoring channels.

    (3) Power level protection (PLP) provides reactor scram if there is a reactor power increase of more than 10% detected by 2 PLP monitoring channels belonging to different monitoring groups. The 10% setpoint can be decreased down to 2%.

    Each of these subsystems has three or four channels and forms signals for each of the three logic channels of the BAZ system and for each of the three AZ-1 logic channels.

    The subsystem of local power level protection (LPLP), based on in-core detector measurement, forms signals for each of the three channels, but only of the AZ-1 logic.

    A separate set of redundant detectors is reserved for process parameters (e.g. pressure) for BAZ.

    A separate set of redundant detectors is available for process parameters (level, pressure, flowrate) for AZ-1.

    The subsystem of the control rod drive contains electronic devices both for the BAZ system and for other control rods. One or two control devices for the BAZ rods are available in each of the 18 cubicles of this subsystem. The independence of the devices controlling other control rods, including those for the electromagnetic clutch organization, is provided.

    Signals from measurement cubicles to logic cubicles and from logic cubicles to the cubicles of the control rod drive power control are transferred by optoelectronic devices, which provide the conductive separation of the cubicles indicated.

    Analysis of particular engineering solutions shows that in some cases the requirements for independence and diversity of the two systems are not completely met. In particular:

    - Common sets of out-core detectors are used for the BAZ and AZ-1 systems (Russian specialists consider that this approach increases the total reliability of the two systems, as a greater number of detectors is used for each system and a separate subsystem of in-core detector measurements, connected only with the AZ-1 logic, is also available),

    - An unfavourable effect of elevated temperature on the electronic devices of the two systems simultaneously can take place,

    - Clutches of one and the same type are used for all rod drives.

    (Note: According to RBMK specialists BAZ and AZ are used to characterize both the systems as well as a mode of operation, see also IAEA-TECDOC-722 [7], Appendix I, Table III.)
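
    The voting rules given above for PERPS, PERPW and PLP, and the consequence of feeding both systems from common out-core detectors, can be modelled as follows. This is an added example, not code from the report or the plant; the sample readings and group names are constructed, and the reading of "period" as the exponential reactor period, a failed channel casting no vote, and the collapse of each system's three logic channels into one are assumptions.

```python
"""Added illustration of the out-core trip voting (not plant or IAEA code)."""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

PERIOD_LIMIT_S = 20.0  # from the text: trip on a power rise with period < 20 s
# One PERP channel reading: (earlier power, later power); None = failed channel.
Sample = Optional[Tuple[float, float]]


def reactor_period(p0: float, p1: float, dt: float) -> float:
    """Period T of an exponential rise p1 = p0 * exp(dt / T); inf if not rising.

    Assumption: "period" in the text means this exponential reactor period.
    """
    if p0 <= 0 or p1 <= p0:
        return math.inf
    return dt / math.log(p1 / p0)


def perp_trip(samples: Sequence[Sample], dt: float, needed: int = 2) -> bool:
    """m-out-of-n vote. The text gives 2 of 4 for PERPS and 2 of 3 for PERPW.

    Assumption: a failed channel (None) casts no vote.
    """
    votes = sum(
        1 for s in samples
        if s is not None and reactor_period(s[0], s[1], dt) < PERIOD_LIMIT_S
    )
    return votes >= needed


@dataclass(frozen=True)
class PlpChannel:
    group: str              # monitoring group (names here are constructed)
    power: Optional[float]  # fraction of the preset power level; None = failed


def plp_trip(channels: Sequence[PlpChannel], margin: float = 0.10) -> bool:
    """Trip when 2 channels from different monitoring groups exceed the setpoint.

    The text allows the 10% setpoint to be decreased down to 2%.
    """
    if not 0.02 <= margin <= 0.10:
        raise ValueError("PLP margin must lie between 2% and 10%")
    tripped_groups = {
        c.group for c in channels
        if c.power is not None and c.power > 1.0 + margin
    }
    return len(tripped_groups) >= 2


def scram_demands(perp: Sequence[Sample], plp: Sequence[PlpChannel], dt: float,
                  lplp_trip: bool = False, margin: float = 0.10) -> Dict[str, bool]:
    """Demand seen by each system's logic (three logic channels collapsed to one).

    The same out-core votes feed both BAZ and AZ-1; only AZ-1 also receives the
    in-core LPLP signal. Process-parameter detectors are left out of this model.
    """
    out_core = perp_trip(perp, dt) or plp_trip(plp, margin)
    return {"BAZ": out_core, "AZ-1": out_core or lplp_trip}


if __name__ == "__main__":
    # Constructed readings: two PERPW channels see a fast rise, one has failed.
    perpw = [(1.0, 1.5), (1.0, 1.5), None]
    plp = [PlpChannel("A", 1.05), PlpChannel("B", 1.04)]
    print("single failed channel:", scram_demands(perpw, plp, dt=5.0))
    # Constructed common-cause case: every out-core channel is lost at once.
    dead_perp = [None, None, None]
    dead_plp = [PlpChannel("A", None), PlpChannel("B", None)]
    print("all out-core lost:", scram_demands(dead_perp, dead_plp, 5.0, lplp_trip=True))
```

    In the constructed common-cause case the BAZ logic receives no out-core demand at all, while AZ-1 still sees the in-core LPLP signal; this is the independence concern raised in the first item of the list above.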

  • FIG. 2. Structure of the emergency protections of the reactor RBMK-1500.

    Blocks shown in the figure: fast acting scram system of technological parameters; subsystem of start-up range PERP monitoring; subsystem of start-up range PERP logic; subsystem of working range PERP monitoring; subsystem of working range PERP logic; subsystem of PLP monitoring; subsystem of PLP logic; manual switches and keys "BAZ", "AZ-1"; subsystem of LPLP monitoring; subsystem of LPLP logic; subsystem of AZ-3, AZ-4 logic and non-execution AZ-3, AZ-4 logic; emergency protection system of technological parameters; subsystem of FASS ("BAZ") logic; subsystem of EP-1 logic; subsystem of CPS actuator control.

    ABBREVIATIONS

    AZ-1, AZ-3, AZ-4 - Emergency Protection Modes
    BAZ - Fast Scram
    CPS - Control and Protection System
    EP-1 - Emergency Protection 1
    FASS - Fast Acting Scram System/Signal
    LPLP - Local PLP
    PERP - Power Excursion Rate Protection
    PLP - Power Level Protection

  • 3. INTERNATIONAL PRINCIPLES AND NATIONAL IMPLEMENTATION OF SHUTDOWN SYSTEM REQUIREMENTS

    The national regulations and practices which have been developed over the years by Member States are based upon the types of reactors being licensed and upon the legal and cultural background in those states. Standards and regulatory practices differ from state to state and are a responsibility of each of those sovereign states. The ultimate responsibility for licensing the RBMK plants rests with the national regulators.

    This meeting therefore focussed on basic safety principles for shutdown systems. The relevant general principles which have been recommended internationally for shutdown system requirements are reported in Section 3.1 and the national practices in implementing these principles are reported in subsequent sections.

    3.1. BASIC PRINCIPLES

    3.1.1. Reactor shutdown means

    This section deals with the means of rendering the reactor subcritical in operational states or accident conditions and of maintaining it in that state according to Section 4 of the Code (Safety Series No. 50-C-D (Rev. 1)) and the details taken from Section 3.6 of the Guide (Safety Series No. 50-SG-D14).

    1. Means shall be provided to ensure that the reactor can be rendered subcritical and held in this state, assuming the most reactive core conditions when one of the shutdown devices that have the maximum effect on core reactivity cannot be inserted into the core (one rod stuck). For operational states and accident conditions, specified fuel and reactor coolant system pressure boundary conditions shall not be exceeded.

    2. As required by the Code, the means of shutting down the reactor shall consist of two diverse systems, each being able to perform its function assuming a single failure. At least one of the systems shall be, on its own, capable of rendering the reactor subcritical by an adequate margin from operational states and accident conditions with a response such that in combination with the performance of other systems no unacceptable fuel damage occurs.

    3. At least one of these systems shall be, on its own, capable of rendering the core subcritical from normal operating conditions, and shall provide adequate long term holddown following the reactor trip, even in the most reactive condition of the core. In meeting the long term holddown requirements, deliberate actions that increase reactivity during the shutdown state, such as absorber movement for maintenance and refuelling actions, shall be identified to ensure that the most reactive condition is taken into account.

    4. The design of the shutdown systems shall recognize the importance of reactor shutdown following anticipated operational occurrences and during accident conditions. The necessary reliability shall therefore be incorporated in the design of the equipment to effect shutdown for all postulated initiating events so as to meet the safety requirements. The design shall incorporate the necessary independence from plant process and control systems and protection from the consequential effects of the postulated initiating events such that the shutdown will be performed as required.

    5. The means of shutdown shall be designed fail-safe as far as practical and shall be engineered to the high reliability required for such safety systems. If operation of the holddown system is manual or partly manual, the necessary prerequisites for manual operation shall be met according to IAEA Safety Series No. 50-SG-D3 [8] on Protection System and Related Features in Nuclear Power Plants, Section 7.3.2.

    6. A portion of the shutdown means may be used for the purposes of reactivity control and flux shaping during normal operation. Such use during normal operation shall not jeopardize the function of the shutdown system. For a more detailed discussion, see Section 7.8.4 of IAEA Safety Series No. 50-SG-D3.

    3.1.2. Types of shutdown means

    Various means of introducing negative reactivity into the reactor core are adopted for different reactor types, including:

    - boron injection into moderator,
    - gadolinium injection into moderator,
    - nitrogen injection,
    - moderator dump,
    - boron and cadmium in stainless steel rods, tubes, or cruciforms,
    - hafnium and steel rods in Zircaloy guide tubes,
    - boron glass bead injection,
    - liquid absorber in tubes.

    Table II gives examples of shutdown means used in different reactor types, illustrating the incorporation of diversity.

    TABLE II. SHUTDOWN MEANS [3]

    | Reactor type | Primary system | Secondary system |
    |---|---|---|
    | BWR | B4C in steel tubes | Boron solution injected into moderator/coolant |
    | PWR | Ag-In-Cd in steel tubes or B4C in steel tubes | Boron injected into moderator/coolant |
    | PHWR | Cadmium sandwiched in steel tubes | Gadolinium injected into moderator; moderator dump; liquid absorber in tubes |
    | PHWR (pressure-vessel type) | Hafnium and steel rods in Zircaloy guide tubes | Boron injected into moderator |
    | AGR | Boron steel rods + stainless steel rods | Nitrogen injection into coolant within the core and boron glass beads injection into the core |

    3.1.3. Reliability

    High reliability of shutdown shall be achieved by using a combination of measures such as:

    (1) Adopting systems that are as simple as possible;

    (2) Using a fail-safe design as far as practicable;

    (3) Giving consideration to modes of failure and adopting redundancy and diversity in the initiating mechanisms (e.g. sensors, actuation devices that detect and respond to the need for a reactor trip);

    (4) Functionally isolating and physically separating the shutdown systems (this includes separation of control and shutdown functions) as far as practicable, to cater for credible modes of failure, including common cause;

    (5) Ensuring easy entry of shutdown means into the core taking into account the in-core environmental effects of operational states and accident conditions;

    (6) Designing to facilitate maintenance, in-service inspection, and operational testing;

    (7) Selecting equipment of proven design and high reliability;

    (8) Providing means for performing comprehensive testing during manufacture, installation and commissioning.

    3.1.4. Shutdown and holddown effectiveness

    The design shall ensure the capability of the shutdown and holddown systems to render and hold the reactor subcritical by an adequate margin even in the most reactive core conditions. This shall hold for the whole range of operating conditions and core configurations that occur throughout the intended fuel cycle and for anticipated operational occurrences and accident conditions, so that acceptable fuel cooling and radioactivity release criteria can be met. It shall be possible to demonstrate this during:

    - design by calculation;
    - commissioning by appropriate neutronic and process measurements to confirm the calculations for start of life;
    - reactor operation by measurements and calculations covering the existing and anticipated reactor conditions.

    These analyses and measurements shall cover the most reactive core conditions, with the assumption that one shutdown device (one rod) of the highest reactivity worth cannot be inserted into the core. In addition, holddown shall be achieved if a single random failure occurs in the shutdown system. However, there is considerable variation among Member States on what subcriticality margin is accepted as adequate.

    3.1.5. Rate of shutdown

    The rate of shutdown for at least one of the systems shall be adequate to render the reactor sufficiently subcritical in time to prevent fuel damage and to maintain the pressure boundary integrity in all anticipated operational occurrences. The shutdown system shall be designed to shut the reactor down under accident conditions so as to keep fuel and core damage to a practical minimum and prevent the failure of the reactor coolant system pressure boundary.

    For the design basis the course of the postulated initiating events to be considered in detail, the response of the protection system and the associated safety actuation systems (shutdown means) shall be established in defining the shutdown rate requirement. The selection of variables for the sensing of these postulated initiating events shall meet the requirements of Sections 7.7 and 7.13 of IAEA Safety Series No. 50-SG-D3 [8].

    The capability of the shutdown systems shall be assessed as part of the safety analysis described in Section 3.9 of the Guide.

    3.2. RUSSIAN APPROACH

    Russian requirements for reactor shutdown systems are stated by the "Nuclear Safety Requirements for Nuclear Power Plant Reactors" [4] as follows:

    "2.3.1.4 The Reactor Protection detailed design should allow for at least two reactor shutdown systems, and each of these systems should be capable of providing the reactor core transfer to subcritical state irrespective of each other and maintaining it in subcritical state considering the principle of a single failure or personnel error".

    The design of these systems should be based on diversification, independence and redundancy principles.

    "2.3.1.5 At least one of the reactor shutdown systems (not performing scram function) under normal operation, violation of normal operation and design basis accidents should exhibit the following performance:

    - efficiency sufficient to transfer the reactor core to subcritical state and maintain its subcritical state considering possible reactivity increase;

    - fast-action sufficient to transfer the reactor core to subcritical state without violation of the design limits of the fuel elements failures prescribed for the design basis accidents (considering the emergency core cooling systems actuation)".

    "2.3.2.1 At least one of the reactor shutdown systems provided should perform a scram function".

    "2.3.2.2 The RP detailed design should demonstrate that the scram working elements without a single most effective element has the following performance:

    - fast action sufficient to transfer the reactor core to subcritical state without violation of the safe operation limits when the normal operation is violated;

    - efficiency sufficient to transfer the reactor core to subcritical state and maintain it in this state under the violations of normal operation and design basis accidents. If the scram efficiency is insufficient to maintain the core's subcritical state for a long time, provisions should be made for automatic actuation of another reactor shutdown system (systems) having the efficiency sufficient to maintain the core's subcritical state considering possible reactivity release".

    On the basis of the comparison of the Russian Standards with the German and Canadian Standards and IAEA Safety Guide (Safety Series No. 50-SG-D14) one can conclude that the basic shutdown systems requirements are philosophically close. The differences are mostly associated with concrete technical features of national reactor types.

    3.3. GERMAN APPROACH

    For German LWRs a set of BMI-criteria, RSK-guidelines and KTA standards are stipulated such that if these rules are complied with, the safety goal of reactor shutdown is assured. The rules cover the shutdown systems of the LWRs as well as interrelated systems needed to achieve the safety goal, namely the reactor protection system, the relevant instrumentation, the reactor core, the reactor internals and the pressure boundary of the primary circuit.

    According to the German design rules, the shutdown system of BWRs and PWRs comprises the control rods, the rod position indication system and the liquid poison system. In case of BWRs it includes also the hydraulic scram system and the electromechanical CR drives, which in the German BWRs act as a second diverse shutdown system in addition to the liquid poison system. (The electromechanical CR insertion is triggered simultaneously with the hydraulic scram system).

    In subsequent sections only the basic requirements of the German codes and standards with regard to the shutdown systems are compared with the design of the shutdown system of the Smolensk-3 NPP. (Requirements concerning the scram-part of the reactor protection system, the instrumentation used in the reactor protection and other related components should be covered by other review groups in order to obtain a balanced view of involved systems and components).

    For the shutdown systems the German codes and standards require:

    - The provision of two independent and diverse shutdown systems,

    - Each of these systems shall be capable of shutting down the reactor from a steady state operating condition into a subcritical condition and to hold it in this condition for a sufficiently long time,

    - One of these shutdown systems shall be fast enough to shut down the reactor in any operational design occurrence and design accident without the reactor and the fuel exceeding a corresponding design limit,

    - In the event of an anticipated operational transient without reactor scram, the second shutdown system shall remain functional in order to achieve the permanent shutdown of the reactor.

    According to the general principles set forth in the KTA standards, the shutdown systems in their entirety shall fulfill the safety related functions (KTA 3103, Section 3 "Functions of the Shutdown Systems") as given in Table III.

    Components of the shutdown systems may also be used for process related control functions. In such a case, their design and corresponding safety related conditions for operation shall assure that the effectiveness of these components which is required for shutdown will be preserved in any state of operation.

    In German BWRs the scram system has to be able to shut the reactor down to the cold xenon-free zero power condition on its own. The required shutdown reactivity is 1%.

    The further (diverse) shutdown system according to the standards (Table III) therefore does not need to be a safety system. Its function is to transfer the reactor from the postulated initial state during specified normal operation to the subcritical state, and to assure the shutdown reactivity on a long term basis. The further shutdown system usually is the standby liquid control system with manual or automatic initiation.

    In PWRs the scram system has to be designed in such a way that, following a shutdown as a result of events during normal operation and until subcriticality by the poison injection system is ensured, the amount of net shutdown reactivity will not fall below 1%. Following an incident-related shutdown, a temporary recriticality and temporary reincrease in power density are admissible as far as the general requirements for the fuel are met.

    In case of a steam line break incident in PWRs, for instance, the scram system on its own after return to criticality has to be able to keep the reactor at an acceptable power level. The further shutdown system (the boron injection system) has to compensate for the reactivity increase caused by the cool down of the primary system and by the xenon decay and thus provide long term subcriticality under cold xenon-free zero power conditions. There is ample time (20 hours) for the further shutdown system to become effective.

    Independence

    According to German licensing practice, independence of two systems is given when there are no common parts whose failure might affect the function of both systems.

    In the most recent German LWR designs, independence of parallel systems is ensured by separation into separate trains from the sensor to the final actuation device, including their respective power supplies. The independence of the separate systems or trains against a failure due to common cause (e.g. fire) is ensured by separation into fire compartments or by spatial segregation.

    In the context of the shutdown system a lack of separation would be acceptable if a common cause event would not be able to prevent reactor shutdown, which is achieved by the fail safe design of the reactor trip system.

    The German regulations allow for the use of common components (e.g. the control rods) for the shutdown and the control systems. In this case, however, a failure in the control system shall not have any effect on the availability of the shutdown system to perform its function (KTA 3103, 4.1(4), 4.3.4(2)).


    TABLE III. SAFETY FUNCTIONS AND SYSTEMS REQUIRED FOR REACTOR SHUTDOWN ACCORDING TO GERMAN KTA 3103

    Safety function: Transfer the reactor to the subcritical zero power state (KTA 3103 3.1(1)a))

    For this safety function, two independent and diverse systems shall be provided:

    (1) A scram system which, on its own, shall be able to transfer the reactor sufficiently quickly, both from specified normal operation and the incidents to be considered, to a zero power and subcritical state and to keep it in the subcritical state for a sufficiently long period of time.

    (2) A further shutdown system which is able to transfer the reactor to a zero power and subcritical state from all the specified normal operating conditions which do not require a rapid change in reactivity.

    Safety function: Maintain the reactor in a long-term subcritical state even in the case of the most unfavorable conditions possible under the circumstances to be taken into account (KTA 3103 3.1(1)b))

    For this safety function, the shutdown systems shall meet the following requirements:

    This safety function shall be fulfilled by the shutdown systems in their entirety during specified normal operation and also in the case of the incidents to be considered.

    It shall be possible to fulfill this safety function without the assistance of the scram system from all the specified normal operating conditions which do not require a rapid change in reactivity.

    If this safety function cannot be fulfilled by the scram system alone after the occurrence of an incident or in abnormal operating conditions, the boron injection systems provided to fulfill this safety function shall be part of the safety system.

    Diversity

    The principle of diversity, as required by the German regulations, is intended to minimize the risk of common mode failures.

    According to the German licensing practice, diversity is achieved by applying a different physical principle precluding identical failure modes in the redundant systems.

    Diversity of the two independent shutdown systems, as required by the regulations, is ensured by the KTA standards stipulating that the scram system shall be based on the use of neutron absorbing control elements, whereas the additional shutdown system shall be based on soluble boron compounds as its reactivity binding agent (KTA 3103, 3.2, 3.3).

    Holddown time

    According to the German codes and standards, the fast shutdown system shall be able to shut down and to hold down the reactor in a subcritical, zero power condition for a sufficiently long time period (KTA 3103, 3.1 (2)). After operational occurrences, sufficient subcriticality shall be ensured until the second shutdown system becomes effective (KTA 3101.2, 5.2.2(1)). The shutdown margin during this time period (if evaluated by calculations) is required to be not less than 1 % (KTA 3101.2, 5.2.2(2)).

    Shutdown time

    The German regulations for LWRs require that one of the shutdown systems (i.e. the scram system) shall be able to transfer the reactor sufficiently fast, both from normal operating conditions and from incidents to be considered, to a zero power, subcritical state and to keep it in the subcritical state for a sufficiently long period of time (KTA 3103, 3.1 (2)).

    However, the scram system shall be fast enough to preclude, in all operational occurrences (design transients), the exceeding of specified limits and to preclude, in design accidents and in combination with other systems, damage to the reactor core and to the pressure boundary (Reaktorsicherheitskommission, RSK Guidelines, 3.1.2 (3)).

    3.4. CANADIAN APPROACH

    The requirements for shutdown systems for CANDU Nuclear Power Plants in Canada are given in detail in the Atomic Energy Control Board Regulatory Document R-8. The following brief summary covers the Canadian implementation of the safety principles referenced in Section 3.1 above. In this brief discussion the term shutdown system refers to the totality of the sensors, processing logic and mechanisms for terminating the chain reaction in the reactor.

    Independence

    The Canadian regulations require that there be two fully independent and diverse shutdown systems, each of which on its own can fully cope with the entire spectrum of accidents considered in the safety analysis. The first shutdown system, referred to as SDS-1, consists of a system of sensors, processing logic and mechanical absorbing rods which employ cadmium as the absorbing medium. The sensors and processing logic are grouped into three protective channels and the absorbing rods are inserted if two out of three protective channels sense signals above the preset initiation level. The second system, SDS-2, consists of sensors, processing logic and a liquid poison injection system employing a gadolinium nitrate solution as the absorbing medium. Again, the sensors and logic are grouped into three protective channels and poison injection is initiated on two out of three protective channels exceeding their preset limit.

    A further requirement in Canada is for segregation of the control system from both of the above referenced shutdown systems. Within this control system, which uses sensors and processing logic independent from both shutdown systems, there are limited protective features designed to cope with minor plant transients. In the safety assessment for the plant, no beneficial features of the control system are credited and it must be demonstrated that both these features and the normal operation of the control system do not impede operation or effectiveness of either of the shutdown systems in meeting their appropriate safety targets.
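
    The two-out-of-three channel voting described above, and the reason each shutdown system is given its own sensors and processing logic, can be modelled in a few lines. This is an added Python example, not part of the IAEA report; the setpoint, readings, drift value, room names and the common-cause event (setpoint drift in one electronics room) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

TRIP_SETPOINT = 110.0  # constructed value, percent of nominal power


@dataclass
class Channel:
    """One protective channel: a measured value compared with a trip setpoint."""
    name: str
    room: str                      # room holding this channel's electronics (assumed)
    setpoint: float = TRIP_SETPOINT
    drift: float = 0.0             # setpoint error introduced by a fault

    def tripped(self, reading: Optional[float]) -> bool:
        # Fail-safe convention: a lost signal (None) counts as a trip vote,
        # so loss of a channel can never mask a real demand.
        if reading is None:
            return True
        return reading >= self.setpoint + self.drift


def vote_2oo3(votes: Sequence[bool]) -> bool:
    """Actuate when at least two of exactly three channels vote to trip."""
    if len(votes) != 3:
        raise ValueError("2-out-of-3 voting needs exactly three channel votes")
    return sum(votes) >= 2


@dataclass
class ShutdownSystem:
    name: str
    channels: List[Channel]

    def demand(self, readings: Sequence[Optional[float]]) -> bool:
        return vote_2oo3([c.tripped(r) for c, r in zip(self.channels, readings)])


def make_channels(prefix: str, room: str) -> List[Channel]:
    return [Channel(f"{prefix}-{k}", room) for k in "ABC"]


def shared_design() -> List[ShutdownSystem]:
    """Both systems driven by the same three channels in one room."""
    common = make_channels("CH", "room-1")
    return [ShutdownSystem("SDS-1", common), ShutdownSystem("SDS-2", common)]


def segregated_design() -> List[ShutdownSystem]:
    """Each system has its own three channels in its own room."""
    return [ShutdownSystem("SDS-1", make_channels("S1", "room-1")),
            ShutdownSystem("SDS-2", make_channels("S2", "room-2"))]


def overheat(systems: List[ShutdownSystem], room: str, drift: float) -> None:
    """Common-cause event: every channel located in `room` drifts by `drift`."""
    for system in systems:
        for channel in system.channels:
            if channel.room == room:
                channel.drift = drift


def reactor_tripped(systems: List[ShutdownSystem],
                    readings: Sequence[Optional[float]]) -> bool:
    """The reactor is shut down if any one shutdown system actuates."""
    return any(s.demand(readings) for s in systems)


if __name__ == "__main__":
    overpower = [115.0, 115.0, 115.0]   # constructed: true power above setpoint
    for label, build in (("shared", shared_design),
                         ("segregated", segregated_design)):
        systems = build()
        overheat(systems, "room-1", 10.0)  # constructed drift of +10 %
        print(label, {s.name: s.demand(overpower) for s in systems},
              "tripped:", reactor_tripped(systems, overpower))
```

    With shared channels the single drift event silences both systems; with segregated channels SDS-1 is lost but SDS-2 still actuates.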

    Diversity

    As described above, SDS-1 and SDS-2 use diverse means of terminating the fission reaction: SDS-1 uses cadmium absorbing rods and SDS-2 uses gadolinium nitrate to achieve this function. In addition to using different absorbing media to achieve diversity, the following practices are adhered to:

    - physical separation of the systems: SDS-1 injects rods vertically into the core whereas the liquid poison is inserted horizontally into the reactor,
    - different designers are used in the design of each system,
    - instrumentation and processing logic for each system are physically separated,
    - different manufacturers are used to the maximum extent practical to provide different electronic and mechanical components,
    - different station personnel are used for maintenance and calibration of each shutdown system.

    Speed of operation

    The maximum rate of negative reactivity insertion required from each shutdown system is determined by the safety analysis. Positive reactivity addition following large break loss-of-coolant accidents sets the requirement for both systems. It must be shown by the analysis that the time of negative reactivity insertion by each shutdown system following the break, including appropriate time delays for electronic processing and reactivity mechanism operation (e.g. clutch delays, valve opening), is fast enough to ensure that the safety limits are not exceeded.

    In order to demonstrate compliance with this requirement, commissioning tests measure the power rundown rate achieved, and routine on-power testing of shutoff rods, by measuring the time required for a predetermined drop, demonstrates their continuing ability to meet their initial timing requirements. Poison injection valves are also tested for SDS-2 but poison is not injected into the core. Each system must be demonstrated by testing to be unavailable for not more than 10^-3 years/year.

    Depth of shutdown

    Each shutdown system is required to render the reactor subcritical on its own and to hold it in a subcritical state. The depth of the shutoff rods required is determined by safety analysis assuming the accident occurs in the most reactive reactor condition (an accident shortly after startup with a xenon free reactor core). In performing this analysis, the two most effective shutoff rods are assumed not to operate and any consequential damage to shutoff rods during the accident must be taken into account.

    Uniform distribution of the gadolinium nitrate solution throughout the core can readily be shown to provide adequate shutdown margin for all potential accident scenarios even assuming no poison injection from two out of eight poison tanks in the system.

    4. EVALUATION OF SHUTDOWN SYSTEMS OF SMOLENSK NPP UNIT 3

    4.1. EVALUATION RELATIVE TO THE NUSS CODE AND GUIDES

    The RBMK comprises two groups of control rods, i.e. the FASS rods, referred to as Shutdown System 1 (SDS-1 or BAZ), and the complement of all other control rods, referred to as Shutdown System 2 (SDS-2 or AZ-1).

    The entirety of these two shutdown systems has the capability to shut the reactor down from a steady state operating condition and from accidents to be considered into a subcritical condition and to hold it in this condition.

    According to RBMK experts, SDS-1 on its own is fast enough to shut down the reactor from any design occurrence and design accident without exceeding the corresponding limits. In the event of an anticipated transient without activation of SDS-1, the second shutdown system remains functional in order to achieve permanent reactor shutdown.

    With regard to independence and diversity of these shutdown systems relative to the IAEA NUSS Code and Guides requirements, they cannot be considered as fully independent and diverse.

    This statement is based on the following:

    (1) The two systems SDS-1 and SDS-2 cannot be considered as fully diverse.

    (2) The sensors and processing logic are partially common to SDS-1 and SDS-2.

    (3) Considering the effectiveness of the SDS-1, an additional analysis of the CPS-LOCA appears to be necessary to further demonstrate that such an accident can be accommodated by the SDS-1 shutdown system.

    (4) According to the IAEA NUSS Safety Guide No. 50-SG-D3 [8], Section 7.8.4, interconnection of the protection and control systems should generally be avoided. In Smolensk Unit 3, SDS-2 control rods are used during normal operation, both for control and shutdown. It is necessary to further demonstrate that despite this finding, all safety requirements of Section 7 of the Code are met.

    Additional considerations related to independence and diversity are included in Sections 4.2.1 and 4.2.2.

    4.2. EVALUATION RELATIVE TO THE GERMAN CODES AND STANDARDS¹

    The subsequent sections compare the requirements for independence, diversity, shutdown time and holddown time with the corresponding characteristics of the RBMK.

    4.2.1. Independence

    The criterion of independence of the two shutdown systems of the RBMK is obviously observed as far as the mechanical part of the complete chain of the participating components from sensor to control rod is concerned. Each control rod is equipped with an individual drive system which ensures independence. There are no common components.

    ¹ Evaluations relative to the German codes and standards and to the Canadian practices reflect the opinion of the experts from OECD countries and not necessarily that of the RBMK specialists who state that there was no detailed discussion of these issues during the meeting.

    The independence of the shutdown function from a possible use of the shutdown system for control purposes as required by the German codes and standards is achieved due to the fail-safe characteristics of the electro-mechanical clutch which disengages when the power to the solenoid is interrupted, resulting in a drop of the corresponding control rods.

    Independence as required for the reactor protection is achieved by the overall structure of the protection system of the RBMK providing for segregation into separate protection channels. In cases where signals are interchanged between parallel channels in order to perform the 2 out of 3 voting, the signals are galvanically decoupled (fibre optics).

    Certain shortcomings have been observed with regard to the requirement to use different sensors for both of the shutdown systems.

    Also with regard to spatial segregation of the channels supplying the two systems there are shortcomings because the corresponding electronic cabinets are located in the same room and are therefore subject to common-mode events. One of the problems identified in this regard is a drift in the trip setpoints which may be caused by excessive temperatures in the electronics room.

    According to the RBMK experts, this shortcoming will in future be compensated by the planned installation of a new trip setpoint derived from a corresponding temperature signal. The design of the reactor protection system, however, is based on the fail-safe principle, which ensures reactor trip in any failure of power supply.

    4.2.2. Diversity

    The diversity of the RBMK scram system(s) SDS-1 and SDS-2 is limited to the following features:

    - liquid or film cooling (by the same cooling circuit),
    - no displacers on SDS-1 rods,
    - operational mode:
      SDS-1: Fully withdrawn during normal operation, used for shutdown only,
      SDS-2: Partially inserted during normal operation, used for control and shutdown.

    [This degree of diversity is in strong contradiction to the German requirement.]

    The reliability of shutting down the reactor by releasing the SDS-1 and SDS-2 rods by deenergizing the magnetic clutches is a very limiting factor. The clutches are "similar" and not testable at power.

    Being components in a "standby mode" they are vulnerable to a common cause failure. There is no diversity in the release mechanism.

    4.2.3. Shutdown time

    According to RBMK experts, the limiting case for the rod insertion time is the loss-of-coolant accident in the fuel channels for which the analysis has shown that the limits on the fuel cladding stipulated in the Russian codes and standards will not be exceeded.

    RBMK experts pointed out that there is no separate limit for the integrity of the pressure boundary since pressure loss given in the design base LOCA precludes a situation with high pressure and simultaneous high temperature in the fuel channels. They consider the shutdown time of the SDS-1 to be adequate.

    Due to the sensitivity of the LOCA transient to the rate and effectiveness of shutdown, analytical verification is required. This analysis has to cover also voiding of the control and protection system (CPS) channels (LOCA or pump failure etc.), since the reactivity ramp induced by the draining of the CPS channels in Smolensk 3 seems to be steeper and the net reactivity insertion greater than in the case of the LOCA in the fuel channels.

    4.2.4. Holddown time

    According to RBMK experts, subcriticality may be established by either one of the shutdown systems in all transients and accidents for a time period of 23 hours with the exception of the loss-of-coolant accident in the CPS channels.

    In this case the SDS-1 on its own is not capable of maintaining the required subcriticality (1 % according to KTA 3101.2) for more than a few seconds.

    Approximately 20 s after scramming the reactor by SDS-1 following a CPS-LOCA, the core would become critical again and experience a super prompt critical power excursion.

    It is the opinion of the experts from OECD countries that the holddown characteristics of SDS-1 are inadequate (the statement of Russian specialists is given in Section 4.2.6 below).

    According to the RBMK experts, the SDS-2, which is always tripped simultaneously with the SDS-1, will provide the required shutdown characteristics. There is no mode of reactor shutdown where the SDS-1 on its own would be used to shut the reactor down.

    RBMK experts point out that a failure of the second shutdown system to insert in the case of the CPS-LOCA would be considered as a "beyond-design" case.

    This categorization can be seen as being in agreement with the practice used in OECD countries, because the failure of both shutdown systems is not covered in any design accident.

    4.2.5. ATWS

    German licensing practice requires that in an anticipated transient without scram (ATWS), the second shutdown system shall be activated manually or automatically and become effective fast enough, before design limits of the fuel and the pressure boundary are exceeded.

    According to Russian experts the second shutdown system in the RBMK is triggered automatically and simultaneously with the fast acting system, which ensures its effectiveness within the required time.

    4.2.6. Summary

    In summary it is the opinion of the German experts that the Smolensk 3 shutdown system does not comply with the intention of the German safety standards and licensing practice for LWRs, which require two fully independent and diverse systems based on different physical principles, e.g. liquid poison vs. control rods. The Canadian requirements are even more stringent, requiring two independent and diverse fast shutdown systems.

    In agreement with previous descriptions given by the Russian experts, it is the conclusion of the reviewers from OECD countries that there is only one shutdown system available in RBMK reactors. This system provides for two different modes of operation, the BAZ mode and the AZ-1 mode. In both modes the entirety of the available control rods (211 in Smolensk 3) is being used for reactor shutdown. In the BAZ mode the FASS rods are being inserted within 2 seconds, in the AZ-1 mode in 7 seconds.

    A mode of reactor shutdown where the FASS rods only would be used does not exist. Moreover the reactivity insertion rate of the FASS rods is almost identical with the one of the rest of the rods. This is due to the fact that the insertion time of the FASS rods is much smaller.

    The Russian experts consider that Smolensk 3 has a scram system and a second shutdown system. German experts consider, based on their national codes, that there is only one shutdown system based on 211 rods, 24 of which move faster into the core than the rest.

    Since the scram system and the second shutdown system are also initiated by the same signals and at the same time it is not a priori evident why the FASS system should be given preference over the second shutdown system in terms of which one of the two systems would have to be assumed to fail in an ATWS situation. From the small shutdown reactivity of the FASS rods (Δρ = -2β) it is evident that these rods would not comply with the required capabilities of a second shutdown system.

    Transient analyses show that the fast acting scram system on its own cannot cope with a LOCA in the cooling circuit of the control and protection system (CPS-LOCA). Within a few seconds after shutdown by the FASS rods, the core becomes critical again and experiences a super prompt critical power excursion. This is partly because of the inadequate shutdown reactivity provided by the FASS rods ( = -2β) and partly because of the strong positive void effect caused by draining of the CPS coolant channels ( = 4 to 5β) which is still in the order of the original Chernobyl core void effect.

    "Russian specialists draw the attention of the specialists from OECD countries to the fact that the above mentioned regime at CPS LOCA is beyond design basis, because the following events are postulated for its realization:

    - failure of AZ-1 to react on signal at water level drop in the tank of the coolant circuit of the CPS;

    - failure of AZ-1 to react on signal of low water flow rate in the coolant circuit of CPS;

    - failure of complete system of the 9 zone local control system (LAR), based on independent in-core detectors;

    - failure of complete system of local protection (LAZ), which is also actuated from in-core detectors;

    - failure of AZ-1 to react on signal of exceeding the set point power;

    - failure of AZ-1 to react on signal of reactor period decrease.

    Besides this, duration of CPS LOCA is longer than two minutes leading to appearance of a lot of different emergency signals on the control panel. Therefore, such scenario also assumes that the operator fails to press the AZ button.

    Taking into account all above-mentioned points it can be considered that probability of such an accident is ultimately low. Russian specialists for accident analysis take into account additional failure of one (most effective) rod of BAZ and two rods of AZ-1; however, the probability of such an accident is already lower than 70"*".

    Measures to be taken to improve the shutdown capability of the RBMK shutdown systems therefore have to address both the shutdown systems and the reduction of the void effect in the CPS cooling system (the latter was already addressed in recommendations 12 and 13 of Section 2, Core Monitoring and Control, in IAEA-TECDOC-722 [7]).

    The discussed properties of the scram systems of the RBMKs are all related to the reliable performance of shutdown. The deterministic criteria of "independence" and "diversity" aim to prevent failures from being transferred from one system to another. The diversity principle counteracts common cause failures.

    The aspects of quick or long term system performance related to subcriticality are aspects which can directly be treated in numerical analyses.

    It is recommended to perform:

    - nuclear analyses of shutdown systems with regard to reactivity,
    - combined nuclear/thermohydraulic analyses with regard to damage parameters,
    - reliability analyses, tending to assess, on the basis of RBMK or generic operational experiences, the failure modes and probabilities of the shutdown functions. The aim should not be absolute reliability values but an assessment of the importance of the claimed weak points. These analyses render the basis for improvements or backfitting measures within today's system structure,
    - feasibility studies to reduce the void effect in the CPS channels,
    - in parallel, the feasibility of implementation of a completely new, independent and diverse second shutdown system should be evaluated.

    The evaluation of such a system should be given highest priority since the success of measures to improve independence, diversity and holddown capability of the fast acting rods to an acceptable degree is highly questionable. A completely new independent second shutdown system based on liquid control would meet the standards used in the OECD countries.

    A practical solution to the problem seems to be the implementation of a system similar to the standby liquid control systems. Since the issue of safe shutdown is generic to all RBMK reactors it appears that all of them have to be backfitted.

    4.3. EVALUATION RELATIVE TO THE CANADIAN PRACTICE²

    Relative to the requirements and practices followed in Canada, the shutdown systems for Smolensk Unit 3 do not meet the requirements for independence, diversity and shutdown depth. This statement is based on the following:

    (1) The two systems defined by RBMK experts as SDS-1 (24 FASS rods) and SDS-2 (the remaining control and protection rods) do not have separate sensors or processing logic.

    (2) The depth of shutdown produced by the 24 FASS rods alone (SDS-1) is sufficient to provide long-term subcriticality for most accidents - the notable exception being the voiding of the CPS system.

    (3) The two systems, while containing several elements of diversity (different rod design, different insertion rates) do not fully meet the expectations of diverse shutdown mechanisms (e.g. mechanical absorbers and liquid poison injection).

    (4) The rate of shutdown from SDS-1 (the 24 FASS rods) is believed to be sufficient for all accidents and it is reported that the other system (remainder of 24 rods) is capable of coping with all LOCA scenarios. More definitive statements regarding this aspect of SDS-2 must await independent confirmation from OECD countries as reported in IAEA-TECDOC-722 [7].

    ² Evaluations relative to the German codes and standards and to the Canadian practices reflect the opinion of the experts from OECD countries and not necessarily that of the RBMK specialists who state that there was no detailed discussion of these issues during the meeting.

    5. CONCLUSIONS AND RECOMMENDATIONS

    (1) Following the Chernobyl accident, safety system enhancements have been implemented in all RBMK reactors. In regard to shutdown system improvements, the following modifications have been made:

    - A new shutdown system consisting of 24 FASS rods (insertion time: 2.0 s, total reactivity: 2.5β) has been designed and installed.
    - The control rod design has been modified.
    - Insertion speed of the control rods has been increased.
    - Additional short absorbers (from bottom of the core) have been installed, and their insertion has been automated following a scram signal (except in case of a loss of power).
    - The void coefficient has been reduced, etc.

    Recently introduced Russian safety requirements [4] specify that there should be two shutdown systems installed in RBMK reactors. While it is recognized that the RBMK was designed to earlier standards, the Russian designers and regulators consider that the two systems, SDS-1 and SDS-2, meet the intent of the new Russian regulations.

    (2) During this meeting, the Russian designers, regulators and OECD countries experts agreed that the systems SDS-1 and SDS-2 cannot be considered as fully independent and diverse shutdown systems even though the rod designs and rod cooling are different, there are no displacers on the fast rods, and the speed of insertion is different.

    However, Russian designers and regulators consider that the drawbacks identified by the meeting participants will not reduce the level of Smolensk 3 safety which has been reported by Russian experts in the Smolensk TOB.

    The intent of the Russian designers to develop and modernize the RBMK CPS to provide a higher safety level is strongly supported by the experts from OECD countries. They further indicated that the design shall be in strict accordance with the recommendations of IAEA Safety Standards, specifically Safety Series No. 50-C-D (Rev. 1), Code on the Safety of Nuclear Power Plants: Design [2], Sections 407-414.

    REFERENCES

    [1] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment of Proposed Improvements to RBMK Nuclear Power Plants, IAEA-TECDOC-694, Vienna (1993).

    [2] INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Power Plants: Design, Safety Series No. 50-C-D (Rev. 1), IAEA, Vienna (1988).

    [3] INTERNATIONAL ATOMIC ENERGY AGENCY, Design for Reactor Core Safety in Nuclear Power Plants, Safety Series No. 50-SG-D14, IAEA, Vienna (1986).

    [4] PBYa-89, Nuclear Safety Requirements for Nuclear Power Plant Reactors, Sections concerning the reactor plant monitoring, control and protection system (1989).

    [5] A REGULATORY POLICY STATEMENT R-8, Requirements for Shutdown Systems for CANDU Nuclear Power Plants, Canada (1991).

    [6] GESELLSCHAFT FÜR REAKTORSICHERHEIT (GRS) mbH, Safety Standards of the Nuclear Safety Standards Commission (KTA): Design of Reactor Cores of Pressurized Water and Boiling Water Reactors, Part 2: Neutron-Physical Requirements for Design and Operation of the Reactor Core and Adjacent Systems, KTA 3101.2, Bundesamt für Strahlenschutz, Salzgitter (1987); Shutdown Systems for Light Water Reactors, KTA 3103, GRS, Cologne (1984); Determination of the Shutdown Reactivity, KTA 3104, GRS, Cologne (1979).

    [7] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment of Design Solutions and Proposed Improvements to Smolensk Unit 3 RBMK Nuclear Power Plant, IAEA-TECDOC-722, Vienna (1993).

    [8] INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

    ABBREVIATIONS

    AGR     advanced gas cooled reactor
    ASSET   Assessment of Safety Significant Events Team (IAEA)
    ATWS    anticipated transient without scram
    AZ      system of emergency protection
    BAZ     system of fast acting emergency protection
    BWR     boiling water reactor
    CPS     control and protection system
    CR      control rod
    EBP     Extrabudgetary Programme (IAEA)
    FASS    fast acting scram system
    KTA     Kerntechnischer Ausschuss (Nuclear Safety Standards Commission)
    LAR     local control system
    LAZ     local protection system
    LOCA    loss of coolant accident
    LPLP    local power level protection
    LWR     light water reactor
    NPP     nuclear power plant
    NUSS    Nuclear Safety Standards (Safety Series of the IAEA)
    OECD    Organisation for Economic Co-operation and Development
    PBYa    Nuclear Safety Regulations for nuclear power stations' reactors plants
    PERPS   power excursion rate protection during start-up
    PERPW   power excursion rate protection in working range
    PHWR    pressurized heavy water reactor
    PLP     power level protection
    PWR     pressurized water reactor
    RBMK    light boiling water cooled graphite moderated pressure tube type reactor
    RP      reactor protection
    SDS     shutdown system
    TOB     safety analysis report, Russian Federation
    WWER    water cooled, water moderated energy reactor

    CONTRIBUTORS TO DRAFTING AND REVIEW

    Brown, R.A.            Atomic Energy of Canada Ltd, Canada
    Cherkashov, Y.         Research and Development Institute of Power Engineering, Russian Federation
    Hintermaier, M.        Colenco Power Consulting AG, Switzerland
    Hohn, J.               International Atomic Energy Agency
    Knoglinger, E.         Paul Scherrer Institute, Switzerland
    Koutchinov, V.         International Atomic Energy Agency
    Lederman, L.           International Atomic Energy Agency
    Lenain, R.             Commissariat a l'energie atomique, France
    Mikhailov, M.N.        Research and Development Institute of Power Engineering, Russian Federation
    Miroshnitchenko, M.    Gosatomnadzor, Russian Federation
    Podlazov, L.N.         Research and Development Institute of Power Engineering, Russian Federation
    Schafer, H.            Gesellschaft fur Anlagen- und Reaktorsicherheit, Germany
    Stenbock, I.A.         Research and Development Institute of Power Engineering, Russian Federation
    Vincent, F.            International Atomic Energy Agency

    Consultants Meeting

    Paul Scherrer Institute, Switzerland, 13-18 December 1993
