Rundown of the Turbine Generator in Chernobyl' accident

Rundown of the Turbine Generator

The idea of using mechanical inertia of rotating TG runner in order to continue power generation is very simple, and it has come into existence long before the rundown experiments at the Chernobyl NPP. This inertia is quite high (at the NPP with RBMK-1000, kinetic energy of the TG rotor amounts to about 3,000 MJ). This energy is enough to maintain heat carrier circulation in the cooling loop of the nuclear reactor during two or three minutes, until natural circulation starts, or unit some outer independent power source is activated (at the NPP with the RBMK, such a source is a diesel generator).
The proposal to use rundown as an additional safety measure was made by the Chief Designer of reactor in 1976, in connection of designing and building second stages of the NPP with RBMK-1000 (Letter of the NIKIET, ref. No.040-9253 dated November 24, 76). This proposal was substantiated by the need to guarantee forced circulation in the reactor cooling loop, which was required to relieve residual energy release.
The concept of rundown application was recognized by all the agencies involved in the NPP construction, including the General Designer of NPP, which also issued a letter (Letter from the [Gidrorpoyekt] R&D Institute dated February 12’82 No.11.РЗ-70-1292). No one wanted to raise any objections against extra safety provisions in order not to become a scapegoat afterwards.
Scientists were also enthusiastic about application of rundown. A theory was developed for joint rundown of auxiliary mechanisms (the MCP and feed pumps (FP)), with their own high inertia, and of the turbine generator. A new section called «Application of turbine generator rundown for emergency cooling of the NPP reactors» was added to textbooks dedicated to power plant electrics.

But if we turn from theory to practical aspects, the first question will be, when may the rundown mode be needed for emergency reactor cooling? Obviously, this may only make sense in case of complete power outage of the NPP, when emergency auxiliary power is not available from any source, neither from any adjacent generating unit, nor from the mains, from one of reserve transformers. But the mains mean at least two power lines or more. In order to make this power source unavailable, the whole power grid must be destroyed (or all the automatic protections of both generating units and the grid must fail completely). Such an event is highly unlikely, but still, you never know, don’t you? After all, it was with this in mind that diesel generators were provided.
The high enthusiasm expressed during discussion and promotion of the rundown concept turned into just as high nihilism during implementation. The rundown mode was included into the NPP design, into the volume dedicated to safety engineering (safety engineering for the 2nd stage of the Smolensk NPP). And the Chief Designer included this mode into the standard operation regulations, but in such a way that he should not have done it at all. The regulations only mention rundown once in Chapter 10 "Procedures to be followed by the staff in case parameters deviate from rated values".
"10.1 In all cases of parameter deviation from the normal values, when reactor power capacity is reduced below 700 MW(thermal) (~22% Nnom) proceed as follow:
– immediately reduce flow rate of the MCP’s in use down to 6500 ÷ 7000 m³ at each MCP;
– without cutting off power, with activated generator switches, switch auxiliary power supply of decelerated turbine generators to the reserve transformer (except in case turbine rundown is used)".
Since nothing else is said about rundown in the regulations, apparently, it should be interpreted as follows: the rundown mode comes into existence all by itself, and nothing has to be done about it, and the operators only need to understand (either using their sixth sense, or by means of philosophical reflections) whether it exists already or not, and depending on that, either switch the reserve power supply or not.

The rundown description in the NPP design looks even better. Here’s a quote from the safety engineering section of the second stage of the Smolensk NPP:
"...In case of MDA during which auxiliary power supply of the unit is cut off, cooling water is supplied to the emergency side by pumps powered by the turbine generator rundown."
Well, now it is clear at least when this rundown mode emerges (again, all by itself). It is not clear, though, what the MDA has to do with it, and why it is not enough to only cut off power, and why rundown is needed more in case of the MDA than without any MDA. Is there any reasonable explanation of such a design solution? People with some time to think have two explanations, one is simple, another – more complicated.
The complicated explanation. Imagine: a design basis accident has occurred (and that means complete rupture of the 900 mm wide pressure header), hot water is splashing all around, there is steam everywhere, circuits are shorted, etc. Who is there to guarantee that the automatic protections under such conditions will not change all switching in such a way that no power from anywhere will reach auxiliary power (AP) bus? That is why the emergency is described that way: MDA plus complete power outage.
The simple explanation.A MDA is as rare as complete power outage of the NPP. Thanks Lord, no one has ever seen either of these phenomena, and, most likely, no one ever will. So why bother about that rundown? There are specific design solutions for the MDA and for AP outage. So let’s just add to them the rundown springs into existence all by itself (and, therefore, does not require any specific design solutions).

It is as clear as daylight that neither the Chief Designer of reactor nor the General Designer of NPP were going to treat the rundown issue seriously. They just made a mention of it so that afterwards, in case anything should happen, no one could tell them they had not made all safety provisions for the NPP and had ignored the rundown.
This approach also automatically indicated the whipping boy in this situation – it was the operations department, which had only two ways out: 1) Copy the standard regulations to the letter and request (i.e., humbly beg) the Chief Designer to describe the rundown properly in the regulations and in all the other operation related documents. 2) Omit the rundown issue when copying the standard regulations, and then pretend it has always been like this, and have these regulations approved by everyone concerned.
The Chernobyl NPP (apparently, being the most advanced one) chose the first way, and all the others (seeing who they had to deal with) went the second way.

Well, what’s the next step, and is it necessary to check whether or not the rundown mode emerges (all by itself, according to the design and the regulations)? Of course it is. Whose is to blame that this is not done when each new Power Generating Unit (PGU) is commissioned? Of course it is the operations department. But if your regulations do not mention such a mode, why worry? You can tell anyone bothering you with such questions to jump in the lake. But it’s a different story if (as at the ChNPP) the regulations do have such a provision; in that case, you have to think twice. That’s why the ChNPP allowed being convinced to hold the rundown test at the 3rd PGU in 1982. And it turned out that the test made sense: this mode was not that simple so as to emerge all by itself. It turned out the generator excitation control unit was not intended for maintaining generator rundown with auxiliary load. Very well: modify the excitation unit at once! That was done, and in 1984 the test was repeated, this time at the 4th PGU of the ChNPP, and with the new excitation unit, but again unsuccessfully. It turned out "suddenly", that there were a lot of automatic devices involved in cutting off AP, and, unless these devices were properly set up, they would not allow any rundown. Such settings were arranged and documented as a special rundown unit, which, pursuant to the decision of the NPP Chief Engineer, was adopted for trial operation. In 1985, another test was held, and, in order to have no more surprises, the equipment configuration was as close as possible to reality (two running down MCP’s per each side of the reactor). But even this time the rundown mode failed to be activated by the MDA alarm.

The 1986 experiment was an exact repetition of the one held in 1986. However, it was carried out with critical deviations from the test program, and the main one of them was the fact that the reactor remained under load. When shutoff valves of the turbine were closed, the reactor was to be damped automatically by the emergency protection system (in accordance with deactivation alarm of 2 TG’s); however, triggering of the protection system by this alarm had been suppressed, and the reactor kept on working. And the experiment (which, actually, was successfully completed) suddenly appeared to be the focal point of the events that took place then.
And although nobody knows what would have happened if the protection had not been suppressed, and had triggered (most probably, the reactor would have exploded just the same, but 36 seconds earlier), it was the experiment that was fully blamed for the Chernobyl accident.

to the sitemap