INSAG-7 (ANNEX-I)

 

The reactor blew up in the hands of the operating personnel, so the question naturally arose at once: what did they do wrong, and why did it blow up on their watch? Very soon after the accident, the answer seemed perfectly clear to every idle expert: they grossly broke the regulations, and so it blew up. This was the line repeated, at the prompting of the Soviet experts and with the authority of the IAEA, in 1986 in INSAG-1, the report of the international group on reactor safety. And nobody asked the question: why, strictly speaking, did the operating personnel act as they did, and what kind of regulations are these that are so easy to break with such catastrophic consequences?
Only in 1991 did a detailed analysis of the actions of the operating personnel appear, in the report of the SCSSINP commission headed by N.A. Shtejnberg (vice-president of SCSSINP). This report was included as an appendix in the international report INSAG-7 (the revision of INSAG-1), and a number of conclusions made earlier in INSAG-1 were recognised as erroneous.

Given below is Chapter 4.7 (pp. 70-79) of this report, devoted to the analysis of the actions of the operating personnel.

 
 



1-4.7. Actions of the Chernobyl plant personnel.

The officially published documents on the causes of the Chernobyl accident set the blame mainly on the actions taken by the plant personnel. For this reason, the Commission feels obliged to present its own evaluation of the personnel's actions, with two aspects in mind. Firstly, it is necessary to establish as full a list as possible of all the violations of the Operating Procedures [40] and other mandatory operating documentation. Secondly, an attempt must be made, using the available data, to assess retrospectively the effect of the violations on the causes and scale of the accident.
The Commission would like to stress that its evaluations should in no way be regarded as condoning the violations of the regulatory documents committed by the personnel and designers.

4.7.1.

During the decrease in power of Unit 4 on 25 April 1986 (at around 03:00) at a reactor power of about 2000 MW, the ORM fell to less than 26 manual control rods. The Operating Procedures for Units 3 and 4 (Section 9, Ref. [40]) allowed the units to be operated with an ORM of less than 26 manual control rods only after authorization by the Chief Engineer of the plant.
During the further power reduction (at about 07:00 on 25 April), when the reactor power was 1500 MW, the ORM fell to 15 manual control rods. In such cases, according to the requirements of Section 9 of the Operating Procedures, the reactor should be shut down. The personnel did not abide by this requirement. The Commission assumes that the personnel deliberately violated this requirement. The PRIZMA calculation code was found to be unreliable at this time, because it did not take into account the position of the rods of automatic regulators Nos 1, 2 and 3 (a total of 12 rods). There is a note to this effect in the senior reactor control engineer's operating log. The Operating Procedures and other operating documentation did not prescribe the actions to be taken by personnel under such circumstances (in the event of unreliable calculation) and similar circumstances (for example, in the event of complete failure of the PRIZMA code to determine the ORM). Nevertheless, in allowing the reactor to operate at 1500 MW with an ORM of less than 15 manual control rods, from about 07:00 to 13:30 on 25 April, the plant personnel, including senior staff, violated the requirements of Section 9 of the Operating Procedures, although this violation was not the cause of the accident and did not affect its consequences.

Notes:

Section 12 of the Operating Procedures, concerning the planned shutdown and cooling of the reactor, did not contain any requirements regarding the monitoring and maintenance of the ORM.
Section 12 states, in particular, that a power reduction must be carried out "using the set point adjusters of the automatic regulators to 160 MW(th) (5% of nominal power), and then the automatic power control system or the EPS-5 button."


In this connection it is important to make the following points.
Firstly, Section 8.9.1 (a) of the Operating Procedures refers to reactivity as one of the important operating parameters which have to be controlled at all power levels. The ORM is not included in the list of important parameters.
Secondly, there was no provision in the design of the RBMK reactor for a device to measure the ORM in terms of effective manual control rods. The operator either had to determine the depth of insertion of rods in the intermediate position from the measuring instruments, correct for the non-linearity of the graduation scale and sum up the results, or instruct the plant computer to make the calculation and wait a few minutes for the result. In both cases, it seems unreasonable to expect the personnel to treat this parameter as a directly controllable one, particularly since the accuracy with which it can be determined depends on the power density field profile.
Thirdly, the Operating Procedures did not draw the attention of the personnel to the importance of the ORM as an essential parameter for ensuring the effectiveness of the emergency protection system.

In fact, post-accident calculation studies have shown that full withdrawal of the manual control rods from the core, which is not prohibited in other reactors, such as WWER reactors, was unacceptable for the RBMK reactor, owing to the design of the manual control rods. Withdrawal of more than a certain number of RCPS rods from the core resulted in the concentration of too much positive reactivity in the lower part of the core in terms of displaceable water columns.

4.7.2.

At 14:00 on 25 April the personnel, in accordance with Section 2.15 of the testing programme [41], closed the manual isolating slide valves of the ECCS, thereby disconnecting it from the MFCC, in order to avoid penetration of water into the MFCC in all three ECCS subsystems. Section 2.10.5 of the Operating Procedures states that during heating of the MFCC after a scheduled preventive maintenance outage, when the temperatures exceed 100°C, "the ECCS must be brought to a state of readiness." At the same time Section 2 of the Procedures for Reswitching Keys and Straps of the Engineered Protection and Blocking Systems [42] authorized the Chief Engineer of the plant to switch off automatic actuation of the ECCS. This is tantamount to switching off the fast acting part of the system and, therefore, the whole ECCS. The Commission notes, firstly, that taking the ECCS out of operation is a violation of Section 2.10.5 of the Operating Procedures and, secondly, that switching off the ECCS did not affect the initiation and development of the accident, since the chronology of basic events before and during the course of the accident showed that no signals for the automatic switching on of the ECCS were recorded. Under the specific conditions on 26 April 1986, it is therefore not true to state that an opportunity of reducing the severity of the accident was lost [30] because the ECCS was switched off.

4.7.3.

At 00:28 on 26 April (according to the operating logs), the personnel failed to control the reactor and, as a result, there was an unforeseen reduction in the thermal power of the reactor to 30 MW. On the basis of the incomplete information available it is very difficult to make an unambiguous analysis of the reasons for the power reduction. The senior reactor control engineer noted in the operating log at 00:28: "The working range emergency power increase rate protection system is switched on. The automatic regulator set point has been reduced by the 'fast power reduction' button. Automatic regulator No. 1 is switched on. The unacceptable imbalance with respect to automatic regulator No. 2 has been eliminated. Automatic regulator No. 2 is on standby." Having analysed this note and the data recorded by the DREG program and the RCPS operating algorithm, the Commission presumes that the following events happened during that period:
— For some unknown reason (possibly owing to a perturbation associated with the MFCC: either a variation in the feedwater flow rate or steam pressure in the steam separator drums) the local automatic regulator was switched off and automatic regulator No. 1 came into an automatic regime and, in responding to the negative imbalance, moved to the upper limit stop switch.
— Automatic regulator No. 2, in response to the positioning of the automatic regulator No. 1 at the upper limit stop switch, did not come into automatic mode owing to an unacceptable imbalance in its measuring circuit.
— When all the regulators came out of automatic regime, the working range emergency power increase rate protection system was put on standby and an illuminated indicator 'working range emergency power increase rate protection system is on' appeared on the board of the senior reactor control engineer.
— As a result of the continued 'poisoning', the reactor power started to fall; the unacceptable imbalances in the measuring circuits of automatic regulators Nos 1 and 2 increased; 'failure in measuring circuit of automatic regulator No. 1' and 'failure in measuring circuit of automatic regulator No. 2' signals actuated and the corresponding illuminated indicators were displayed on the board of the senior reactor control engineer and were recorded by the DREG program;
— the senior reactor control engineer probably reduced the set points of the power regulators using the 'fast power reduction button' at a rate of 2% per second, managed to compensate for the imbalance in the measuring circuit of automatic regulator No. 1 and put it into automatic operating mode.
— Then, by manipulating the set points of automatic regulator No. 1, the senior reactor control engineer began to restore power to create the conditions for carrying out the tests.

Note:

Additional comments on the event that occurred at 00:28 are necessary.
The recording device of the physical power density distribution control system (PPDDCS) did not record the reduction in thermal power below 30 MW. During this time for about 5 min the neutron power recorder recorded zero power, after which the neutron power curve reached a level corresponding to 30-40 MW on the PPDDCS recorder. The low power level and correspondingly low accuracy with which it was determined by the built-in control devices mean that the reactor power actually fell to the minimum controllable level. According to Section 6.1 of the Operating Procedures, a power reduction to any level, but not below the minimum controllable power level, was regarded as a partial unit power reduction. The same section of the Operating Procedures authorized the power then to be restored to the rated value.
Here it is worth drawing attention to the contradictory nature of the instructions in the operating documentation. Section 6.1 of the Operating Procedures defined a short term shutdown as "a reactor power reduction to zero without cooling of the MFCC." However, it does not indicate what type of power is meant. If neutron power is meant, then the personnel violated the Operating Procedures; if thermal power is meant, there was no violation (according to the indications on the tapes of the recording instruments).
The Commission notes that the regulations and operating documentation in force at that time did not contain clear definitions of 'minimum controllable power level' and 'shutdown reactor' as applied to the power manoeuvre that took place.
The authors of this report believe that the drop in reactor power at 00:28 and subsequent power increase were largely to blame for the tragic consequences of the accident. The change in reactor operating conditions between 00:28 and 00:33 gave rise to a new xenon reshaping of the power density fields which the personnel were unable to control (see section 3.4 of this report [Section 1-3.4]). No calculational studies have been made of the power density field dynamics from this time until the time of the accident.

It is impossible to draw a final conclusion on whether or not the personnel actions were correct under these specific circumstances because of the aforementioned contradictory nature of the requirements in the Operating Procedures, and the inadequacy and contradictory nature of the data recorded by the instruments. No calculational analysis of this situation has been made so far.

4.7.4.

The drop in reactor power was accompanied by a reduction in the water level and steam pressure in the steam separator drums. The water level in the steam separators fell below the emergency set point of -600 mm without triggering the EPS-5 signal to actuate the RCPS. The Commission notes that during the reactor power reduction personnel did not switch from EPS-1 with a set point of -1100 mm to EPS-5 with a set point of -600 mm in response to the low water level in the steam separators. There are no notes on this in the operating logs. These personnel actions were in violation of Section 9 of the Procedures for Reswitching Keys and Straps of the Engineered Protection and Blocking Systems [42]. However, the Commission notes that another protection system against water level reduction in the steam separator drums below the -1100 mm level existed and was brought into operation. The set point of this protection system did not depend on the power. The statement made in Ref. [1] that "all the thermal parameter reactor protection systems were switched off" is therefore not true.

Note: The reasons for transferring the functions of the EPS to the personnel owing to the lack of appropriate engineered safety features can be seen from the example of the reactor protection system against water level reduction in the steam separator drums. The designers made it clear in Ref. [43] that: "Automatic reswitching of the set points of EPS-1 and EPS-5 during emergency fluctuations of the water level in the steam separator drums is not permitted, since during operation of any of the emergency protection systems 1, 2 and 3 the water level falls to the -600 mm set point on the instrument which has a range of +400 to -1200 mm. This, in turn, will result in actuation of EPS-5 and complete shutdown of the reactor." They found an extremely simple way out of this: "Instead of automatic reswitching of the set points and automatic actuation (deactuation) of EPS-5 in response to a reduction in the feedwater flow rate the operator should reswitch them manually using the general key when alarm signals appear..." It is not for us to demonstrate the feasibility of solving this problem using engineered safety features (this is feasible), but rather to demonstrate that in cases where there was a choice between complying with the safety requirements and shutting down the unit, or giving priority to economic considerations and keeping the unit in operation, the choice used to be made in favour of the second alternative, with the functions of the emergency protection system being transferred to the operator with a deep faith in the operator's complete reliability as a component of the safety system.

At 00:36:24 the personnel changed the set point for switching off the turbine of the protection system to guard against reduction in steam pressure in the steam separator drums from 55 kgf/cm2 to 50 kgf/cm2. These personnel actions were in accordance with requirements of the operating documentation since, according to Section 12 of the Procedures for Reswitching Keys and Straps of the Engineered Protection and Blocking Systems [42], personnel were entitled to select this set point. Contrary to what is stated in official documents, the Commission does not consider that personnel should be held to blame for having blocked the steam pressure protection system of the steam separators.

Note: It should be stressed that the protection system to guard against a reduction in steam pressure in the steam separators was designed to stop the turbine and was not "a thermal parameter reactor protection system", as described in Ref. [1]. In the interests of objectivity, the authors of Ref. [1] should have pointed out that the design was such that at a turbine power of less than 100 MW(e) the reactor was left without any protection system to guard against pressure reduction. At the actual αφ it might have resulted in a reactor runaway even at the regulatory ORM (for example, in the event of the opening or non-closing of the main pressure relief valves, or the valves of the fast acting steam dump system, pipe rupture, etc.).

4.7.5.

At 00:41 (according to operating logs of the plant shift supervisor, the unit shift supervisor, the electrical workshop shift supervisor and the senior turbine control engineer) turbogenerator No. 8 was disconnected from the system to determine the turbine vibration characteristics during rundown. This procedure was not envisaged in the turbogenerator No. 8 rundown test programme. Measurements of the vibrations of turbogenerators Nos 7 and 8 at different loads were planned in a different programme, which had already been partially implemented by the personnel on 25 April during alternate redistribution of the turbine generator loads at a constant thermal reactor power of 1500-1600 MW. The disconnection of turbogenerator No. 8 from the system, together with the disconnection of the other turbogenerator (turbogenerator No. 7 was stopped at 13:05 on 25 April) without shutting down the reactor meant that the EPS-5 system to protect the reactor in the event of the shutdown of two turbogenerators had to be disabled. The personnel did this in accordance with Section 1 of the Procedures for Reswitching Keys and Straps of the Engineered Protection and Blocking Systems [42], which provided for the disabling of this protection system in the event of a turbogenerator load of less than 100 MW(e). The Commission believes that the personnel cannot be blamed for disabling the reactor protection system which shuts down the reactor in the event of the closure of the emergency stop valves of both turbines.

4.7.6.

By 01:00 on 26 April, the power increase had ceased and the reactor power was stabilized at about 200 MW(th). The decision to carry out the turbogenerator No. 8 rundown tests at a reactor power of about 200 MW was a departure from the testing programme. However, neither the design documentation, the regulatory documentation nor the operating documentation prohibited operation of the unit at that power.

Before the Chernobyl accident there were no safe operating limits in terms of minimum permissible thermal reactor power. In none of the documents studied by the Commission relating to the analysis of the operating conditions of the RBMK-1000 reactor do the reactor designers raise the question of the need to limit reactor operation at power levels below a certain level. Moreover, Section 11.4 of the Operating Procedures required personnel to reduce the reactor power to the level corresponding to the unit's internal consumption (200-300 MW(th)) following automatic power reduction in the EPS-3 design mode, or remotely in the event of abnormalities in the power supply system (frequency variations). There was no limitation on the period during which the reactor could operate at the minimum controllable power level.

Note: The Operating Procedures permitted operating conditions similar to those prevailing at Chernobyl Unit 4 on 26 April 1986 and they might have occurred without any intervention on the part of the personnel. We only need to assume a perfectly possible situation in which triggering of EPS-3 occurs when the reactor is operating initially at rated power with an ORM of 26 manual control rods. Under these conditions, approximately one hour after triggering of EPS-3 the ORM could have fallen to less than 15 manual control rods at a reactor power of 200-300 MW(th), and any further action, whether automatic or remote, to shut down the reactor could have led to a similar repetition of the events of 26 April 1986.

The Commission considers that the personnel cannot be held to blame for operating the unit at a power of less than 700 MW.

4.7.7.

At 01:03 and 01:07, in accordance with Section 2.12 of the testing programme [41], one MCP from each side (MCP Nos 12 and 22) was also switched on "to cool down the reactor during the test." Before 26 April 1986 no document, including the Operating Procedures, prohibited connection of all eight MCPs to the reactor at any power level. In the Commission's view, the personnel committed no violations by these actions. At the same time, at low power levels when the feedwater flow rate is less than 500 t/h, the Operating Procedures limited the capacity of each MCP to 6500-7000 m3/h in order to prevent cavitation. On 26 April 1986 the flow rates of certain MCPs actually exceeded the limit (violation of Section 5.8 of the Operating Procedures), but did not cause cavitation of the pumps, as is evident from the DREG program printout and is confirmed by the studies carried out by the Mechanical Engineering Experimental Design Office and other organizations. Reference [31] points out that "both the pumps being run down and those not being run down maintained a steady water supply, even during the runaway and destruction of the reactor."

4.7.8.

The Commission's analysis of the actions of personnel during the preparations for and implementation of the tests shows that the personnel committed the following violations of the requirements of the operating and regulatory documentation:
— Reactor operation with an ORM of 15 manual control rods or less from 07:00 until 13:30 on 25 April and from approximately 13:00 on 26 April until the time of the accident (violation of Section 9 of the Operating Procedures);
— Complete disconnection of the ECCS (violation of Section 2.10.5 of the Operating Procedures);
— Change in the set point of the reactor protection system to guard against reduction in water level in the steam separator drums from -600 mm to -1100 mm (violation of Section 9 of the Procedures for Reswitching Keys and Straps of the Engineered Protection and Blocking Systems [42]);
— Increase in flow rates of certain MCPs to 7500 m3/h (violation of Section 5.8 of the Operating Procedures).
In addition, the personnel made certain deviations from the testing programme (see sections 4.7.5 and 4.7.6 of this report [Sections 1-4.7.5 and 1-4.7.6]). Conclusions about the personnel actions after the drop in power (Section 4.7.3 of this report [Section 1-4.7.3]) can only be drawn after further studies have been carried out.

4.7.9.

To conclude this section, the Commission thinks it necessary to summarize "the most serious violations of the operating documentation committed by the personnel at Unit 4 of the Chernobyl nuclear power plant" [30] in terms of their impact on the causes and the consequences of the accident.
In the Commission's view, the switching off of the ECCS did not affect the initiation and scale of the accident.
It would appear that the connection of eight instead of the usual six MCPs to the reactors if anything hindered the reactor runaway, which was initiated and developed independently of the operating conditions of the pumping group and the temporarily increased coolant flow rates through certain MCPs. Additional theoretical analysis in this area is required.
The changes made to the set points and deactivation of the engineered protection and blocking systems were not the causes of the accident and did not affect its scale. These actions were not in any way related to the emergency protection systems of the reactor itself (relating to power level, power increase rate), which the personnel did not deactivate. The change in the initial reactor power before the tests and subsequent continued power reduction made it necessary for actions to be taken to control the unit which were not foreseen in the test programme. This increased the risk of incorrect actions, as demonstrated by the unauthorized reduction of reactor power to the minimum controllable level followed by its increase, which had an extremely negative effect on the subsequent behaviour of the reactor.
The low reactor power level increased the likelihood of the positive reactivity effect which manifested itself at a maximum not only as a result of local power density increases, but also for some other reasons (for example, coolant leakage). The choice of power level therefore affected the scale of the accident. No matter how paradoxical it may seem, low power levels proved to be the most dangerous ones and the safety of the reactor at these levels had not been studied or analysed in the design documentation.
Had the tests been carried out at a power level of 700 MW(th), as was initially planned, the accident might not have happened. However, this theory needs to be tested by studies which have not yet been carried out.

The SCSSINP commission report cites more than 70 sources. The references relevant to the present section 4.7 are given below. Five of them, [1], [28], [40], [41] and [42], are active links pointing to documents that are available on the site. One of the missing documents, [45], is essentially important to the discussion of the personnel's actions, but it was not possible to find it. The active reference points to a similar document found in the ChAES archives by K.L. Sheffer, who has done much to make documents from this archive known.
 


--------------------------------------------------------------------------------------------------------
[1] USSR STATE COMMITTEE ON THE UTILIZATION OF ATOMIC ENERGY, The Accident at the Chernobyl Nuclear Power Plant and its Consequences (information compiled for the IAEA Experts' Meeting, Vienna 25-29 August 1986), Parts I and II (August 1986).
[28] ALL-UNION SCIENTIFIC RESEARCH INSTITUTE FOR NUCLEAR POWER PLANT OPERATION / I.V. KURCHATOV INSTITUTE OF ATOMIC ENERGY, Development of Full-Scale Mathematical Models of the Dynamics of Nuclear Power Plants with the RBMK-1000 Reactor and their Application in the Analysis of the Initial Stage of the Chernobyl Accident, Rep. 07-282 1/89, Moscow (1989).
[30] Report on the Investigation of the Causes of the Accident at Unit 4 of the Chernobyl Nuclear Power Plant on 26 April 1986, Chernobyl Nuclear Power Plant, Ukraine, Rep. 79 (1986).
[31] MECHANICAL ENGINEERING EXPERIMENTAL DESIGN OFFICE / I.V. KURCHATOV INSTITUTE OF ATOMIC ENERGY, Analysis of Main Circulating Pump Performance in the Preliminary Period and During the First Stage of the Accident at Unit 4 of the Chernobyl Nuclear Power Plant, Rep. 333/1-360-89, Moscow (1989).
[40] ALL-UNION PRODUCTION GROUP SOYUZATOMEHNERGO, Operating Procedures for Units 3 and 4 of the Chernobyl Nuclear Power Plant, Moscow (1984).
[41] Test Programme for Turbogenerator No. 8 of the Chernobyl Nuclear Power Plant in a Rundown regime with the Plant Internal Load, Chernobyl Nuclear Power Plant, Ukraine.
[42] Procedures for Reswitching Keys and Straps of the Engineering Protection and Blocking systems, No. 280/11, Chernobyl Nuclear Power Plant, Ukraine.

