RUSENGNSR-04-74  

duel.JPG

There is a touch of surrealism about the way how meticulously the RBMK-1000 has been studied with regard to its compliance, back in 1986, with the then Nuclear Safety Regulations (NSR-74) and the General Safety Provisions (GSP-82). This approach to the investigation and analysis of the Chernobyl accident was dictated from the very beginning by the authors of the RBMK and applied only to analyze performance of the operating staff (they violated the operating regulations and, as a result, exploded the reactor). However, 5 years later, as soon as there was a chance, [Gosatomnadzor] turned back the time, and similar claims were made against the Chief Designer. And everyone became so much involved in this game (violation/ no violation), that they still cannot stop playing it.
The above does not mean an appeal to belittle the regulatory documents and to allow everyone violating them at will. On the contrary, the idea is to treat the regulations as seriously as possible in order to understand why a simple violation of the regulations may cause such horrible consequences, and what kind of the documents they are if everyone may read them the way they want to, and what one person has read will be opposite to what the other will. We have already spoken at length about the operating regulations here and here, now the time has come for the "Nuclear Safety Regulations for nuclear power plants NSR-04-74", which were effective at that time (the general guidelines GSP-73 on the basis of which the reactor was designed, and the GSP-82 that were then effective already, have little to add to the above Rules).

The worst thing that may happen to a nuclear reactor is what happened at the ChNPP, i.e., uncontrolled power acceleration on prompt neutrons, or, in plain English, a nuclear explosion. The Regulations do not mention that, probably, because the idea was as follows: such a thing would never happen in case all the Rules were complied with. And what exactly are the primary provisions of the NSR that make uncontrolled acceleration impossible?
This is doubtless the requirement that "full power coefficient of reactivity shouldnít be positive in any operation mode of the NPP". Very good, but, firstly, this basic requirement is include into some rank-and-file paragraph 3.2.2 in one of the sections of the Rules, among many other paragraphs that contain requirements to design and parameters of the core. And secondly, this is not a requirement at all, but only a request:" Designers of the reactor should try to make sure thatÖ" (after that, see the above). In order not to make this paragraph 3.2.2 look so absurd, it is finished with the following phrase: "If full power coefficient of reactivity becomes positive under certain operating conditions, the design should provide and expressly prove nuclear safety of the reactor when it works in stationary, transitory and emergency modes".
And thatís it, there is not a single other word in the NSR regarding this issue which is of primary importance for nuclear safety: the Regulations do not specify either how to prove that the reactivity coefficient will be negative in all operation modes (if it will), or how to provide nuclear safety (if it wonít), and how exactly this safety should be proven. Everything is up to the Chief Designer. He should himself volunteer to admit that in certain operation his reactor has a positive power coefficient, and in this case he should also himself contrive what he will prove, and how. No one in his position would go to that length. It is so much easier to decide there will be no modes with positive coefficient, and in that case, there is no need to prove anything to anyone. That was exactly what the Chief Designer did, and created the explosive reactor. But tell me, please, did he violate anything, any written document? He "didnít know" did he (before the accident) that the power coefficient could be positive! All right, suppose there was something the Chief Designer didnít know, and the Scientific Supervisor had no idea about, and anything could happen to the reactor.But it is particularly for such cases that all reactors are provided with the emergency protection, which carries out "fast suppression of chain reaction and maintains the reactor in undercritical condition" (para. 3.3.1. NSR-04-74), Note that the protection should do that "under any normal and emergency conditions" (para. 3.3.5. NSR-04-74), and should, among other things, "scram the reactor automatically in case of emergency" (para. 3.3.21. NSR-04-74).
The NSR says a lot more about the emergency protection, except that it never mentions directly the principal thing that should go without saying. Namely, it never mentions that all the above it achieved by introducing a high negative reactivity, and that whenever the emergency protection is triggered, it should never, under any circumstances, introduce a positive reactivity.
But the Chief Designer of the RBMK-1000(86) has provided such an emergency protection, which, under certain conditions, would do just that. And in this case (unlike in the case with power coefficient of reactivity), the Chief Designer cannot say that he didnít know that. Of course he did, since he, together with the Scientific Supervisor, made so much fuss over the ORM (operating reactivity margin) and claimed it to be almost the main criterion for "deviation from the limits and conditions of a safe nuclear unit at the NPP" (quoted from the definition of the nuclear hazardous mode in para. 2.14. of the NSR-04-74). Indeed, it is only with low ORM that the emergency protection turns into its opposite and brings about the positive reactivity instead of the negative one, and it is the low ORM as one of the principal violations of the regulations causing the accident that the operating staff are blamed of. It means that the Chief Designer did know how dangerous the low ORM was when he prepared the operating regulations. And the only way in which the low ORM is dangerous how it affects the emergency protection functions.
All this fuss about the low ORM, however, was made only after the accident; until then, everyone had been quiet. There is not a single word about the ORM either in paragraph 2.14. of the NSR that defines the nuclear hazardous mode, or in paragraph 2.3.26 that lists deviations from safe operation conditions under which the emergency protection should be triggered, and, generally speaking the NSR-04-74 never mentions such a notion as the ORM (even in paragraph 2.15 that defines the meaning of "maximum reactivity margin"). There is (i.e., there was) no alarm related to this parameter indicating deviations from its safe limits, and, moreover, there were no provisions for continuous automatic monitoring of the ORM on any consoles and boards of the CRU.

And thatís when the surrealism is in full swing. The Chief Designer has provided the emergency protection system that is absolutely unnatural and runs contrary to common sense. It should not, and has no right to exist, and, naturally such a protection is not envisaged by any regulatory documents. And all of us, led by [Gosatomnadzor] are now bending over backwards trying to find what are the paragraphs of the Nuclear Safety Regulations that this fantastic emergency protection does not meet, and in what way?
The fuss made about the ORM looks even more surrealistic. This parameter is regarded as the principal one influencing the reactor safety, and it is now in dead earnest analyzed along with emergency power growth, reserve before crisis, and God knows what else. However, the ORM has become a safety related parameter only because this kind of emergency protection is provided at the RBMK (86), and even that happened after the accident. Such a wonder is not to be found at any other reactors.
But since everyone is playing dumb, we have to join in.

Well, according to the normal human logic, there are two mutually exclusive situations only one of which is possible.
Situation 1: The Chief Designer did not know that his emergency protection could, under certain conditions, introduce the positive reactivity instead of the negative one. In other words, he was quite positive that the protection system fully complied with its design parameters, and thus did not violate any requirements of the NSR either in terms of reliability or rate of response, and would damp the reactor in any normal and emergency situations. And if it post factum turned out to be different, and if the NSR requirements (as stated in [Gosatomnadzorís] report after the accident [GP]) appeared to have been violated in many respects Ė well, the Chief Designer was not blame, it just happened that way.
But in this case, the operating staff had no way of knowing about the tricky nature of the emergency protection and about the fatal role of the low ORM. Violation of the operating regulations is a different story (and it is still a question who contributed more to that Ė the operating staff, or the regulations themselves); however, it is both unjust and immoral to blame the staff only for the Chernobyl disaster.

Situation 2: The Chief Designer knew (and everyone must have known) that with low ORM the protection could bring about the positive reactivity, or, at least, could be inoperative; in that case, a curse on the operating staff that worked with the low ORM.
But in that case, the Chief Designer (just like everyone else) should have understood that the emergency protection (and the reactor control system) did not meet the NSR-04-74 requirements in many respects, and, therefore, he intentionally violated them. All these requirements were studied, and the violations were studied in detail in the report of Gospromatomnadzor (SCSSINP) [GP, pages 34 Ė 50]; below is a brief list:
1) The alarm system has no provisions for monitoring such an important safety related parameter as the ORM (there are no alarm or warning signals, and no display of current status), paragraph 3.1.8.
2) The emergency protection is not triggered if the ORM exceeds safe limits, paragraph 3.3.26.
3) Requirements are violated regarding rate of response and reliability of the emergency protection, paragraphs 3.3.1, 3.3.21, 3.3.28
4) Paragraph 3.3.5 is violated regarding performance of the emergency protection under any normal and emergency conditions.
5) Paragraph 3.3.28 is violated regarding prevention of local critical mass formation. Moreover, the protection system itself may facilitate such local critical mass formation
6) According to paragraph 3.1.6, the NPP engineering design should specify in a special section "any present deviations from the requirements of the Rules. Such deviations should be substantiated and agreed with ĎGosatomnadzorí of the USSR". Naturally, nothing of the kind was done, and all the operating manuals for the NPP were prepared without taking into consideration the tricky (to put it mildly) nature of the emergency protection.

All right, did the Chief Designer know about the "tricks" of his emergency protection, or didnítí he? The same report by the SCSSINP contains valid proof that he did. But he was silent. Even if the SCSSINP information is disregarded, it would seem logical to choose one option out of the two (either he knew, or he didnít). However, the Chief Designer as well as everyone who shared his views seemed to have a different kind of logic. He took the first half only from the two mutually exclusive situations, disregarded the rest, and the result turned out to be an absolute nonsense (from the logical point of view). In other words, he appears to have known nothing, and the operating staff knew everything; thatís why they are fully to blame, and the Chief Designer is innocent, and stigmatizes the staff.

In all that absurdity there are two issues worthy of serious consideration, and they should be discussed separately. One of them has already been mention before Ė this is paragraph 3.1.6 of the NSR-04-74. The fact that it was not followed (as was not followed paragraph 3.2.2 regarding positive power effect) is attributed not so much to the Chief Designer as to [Gosatomnadzor]. It was this agency that was supposed to decide if the RBMK-1000 design contained any deviation from the NSR requirements, and what grounds had to be provided for such deviations. It would make no sense waiting for the creators of the reactor to take such a decision; this is, as a matter of fact, an example of collective irresponsibility, when it is impossible to find who is to blame.
If the Chief Designer had been requested in due time to substantiate the deviations from the NSR requirements, we would not have to guess now whether or not he knew about that notorious scram effect. And in that case, the ORM, an apparently innocent parameter (very changeable and dependent on many factors) would not have laid in ambush waiting for the Chernobyl accident to expose its beastly nature. And the operating regulations would not have been a hybrid between an instruction manual telling what to do, when and how, and a scientific report with vague recommendations. In a word, a lot of things would have been different. And there would have been no Chernobyl accident.

The second issue is compliance/non-compliance with paragraph 3.3.29 of the NSR-04-74 "The emergency protection should be designed in such a way that any protective action, once started, would be completed. .ÖÖÖ. The design should substantiate any cases when it possible to terminate operation of protections after the alarm that triggered the protection has disappeared." It appears impossible to determine unambiguously whether or not the Chief Designer has met the requirement of this paragraph. Firstly, as we can see again, this (see the first part of the paragraph) is not a requirement, but a recommendation. Secondly, it is not clear (see the second part) what kind of substantiation is required.
Simply put, the following is meant. If, after receiving a certain alarm, emergency protection rods have started down the core, they should go all the way down, no matter if the alarm goes on, or is reset (terminated). It is necessary to provide the so-called automatic switching of the alarm, which is standard for designing the reactor emergency protection systems. In our case, it might be as follows: the [AZ-5] button is pushed Ė the alarm is generated; after depressing the button in 2-3 seconds Ė no more alarm. But the rods must keep on moving to damp the reactor as much as they can Ė up to ≈ -20β. But since the Chief Designer neglected the recommendation of paragraph 3.3.29, no such provision was in the RBMK 1000 (86), in after such manipulations with the [AZ-5] at the 4th unit of the ChNPP, the rods would have gone down the core for about 1 meter, and would have stopped, and would have continued accelerating the reactor instead of damping it.
There is one version of the accident according to which thatís the way it actually happened, but even if it did not, it might have. In other words, the design solution adopted by the Chief Designer that allowed using the emergency protection not only to damp the reactor, but also to control power, made the protection system even more hazardous.
Well, and what about compliance with the requirements (so to speak) of paragraph 3.3.29 as a whole? Did the Chief Designer meet them, or didnít? He believes he did, but [Gosatomnadzor] (SCSSINP) in its report (1991 „) states he did not. And both of them are right. As V.I.Lenin said 100 years ago: "correct in form, but mockery in fact". As a matter of fact, the question is: did the Chief Designer substantiate his refusal from the traditional approach to the Control and Protection System (CPS) with regard to the emergency protection (as recommended by the first part of paragraph 3.3.29)? Yes, he did, and here it is: the explanatory note to the engineering design of the Control and Protection System (CPS) of the RBMK contains two paragraphs, a few lines each (of advertizing nature), with the following content, almost word for word "owing to the operating conditions of the RNMK in power grids, it is necessary to work in a new way, and the classical principles of the CPS design become unacceptable".
We donít know if such a text is regarded as substantiation by the authors of the NSR-04-74, but in the SCSSINP report, it was. And this is the conclusion: "The above said shows that the reactor designers substantiated the emergency protection algorithm from the standpoint of the NPP efficiency within a power grid, but not from the standpoint of providing nuclear safety, which, actually, is the purpose of such emergency protection.
The board believes that the RBMK-1000 design did not meet the requirements of Article 3.3.29.of the NSR-04-74
"
In other words, the substantiation is present, but we (the SCSSINP) do not accept it, and do not approve the CPS design. There just one small problem: this bold conclusion appears 30 years too late.
--------------------------------------------------------------------------