IAEA-TECDOC-742 Design basis and design features of WWER-440 model 213 nuclear power plants Reference plant: Bohunice V2 (Slovakia) Report of the IAEA Technical Co-operation Project RER/9/004 on Evaluation of Safety Aspects of WWER-440 Model 213 Nuclear Power Plants INTERNATIONAL ATOMIC ENERGY AGENCY


The IAEA does not normally maintain stocks of reports in this series. However, microfiche copies of these reports can be obtained from

INIS Clearinghouse
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

Orders should be accompanied by prepayment of Austrian Schillings 100,- in the form of a cheque or in the form of IAEA microfiche service coupons which may be ordered separately from the INIS Clearinghouse.

The originating Section of this document in the IAEA was

Engineering Safety Section
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

DESIGN BASIS AND DESIGN FEATURES OF WWER-440 MODEL 213 NUCLEAR POWER PLANTS

IAEA, VIENNA, 1994
IAEA-TECDOC-742
ISSN 1011-4289

Printed by the IAEA in Austria
May 1994


FOREWORD

Several studies have been undertaken by the International Atomic Energy Agency and many Member States to enhance the safety of nuclear power plants of older designs, among them NPPs with WWER-440 type reactors.

In 1991 the former Czech and Slovak Federal Republic (CSFR) Atomic Energy Commission (AEC) requested that an evaluation of the safety aspects of the WWER-440 model 213 NPP be undertaken under the IAEA Technical Co-operation (TC) Project RER/9/004. Bohunice NPP V2 (units 3 and 4) was proposed to be the reference plant. The request was discussed with the Hungarian Atomic Energy Commission and an agreement was reached that the units at Paks would also be covered by the evaluation study. Owing to the high degree of design standardization, the results would also be generally applicable to the units at Dukovany (Czech Republic) and Mohovce (Slovakia) as well as to the Ukrainian units at Rovno.

The request for this study was a logical progression from activities related to the accident analysis of WWER type reactors originated under the TC Regional Programme in 1985 and carried out until 1990 with the participation of Bulgaria, the former Czech and Slovak Federal Republic, Hungary, Poland and the former USSR.

The request was not only the result of increased attention given to the safe operation of the Soviet designed WWER-440 model 213 reactors but also reflected worldwide trends and practices by applying probabilistic techniques and accident analysis. It was founded on significant knowledge gained over many years of nuclear safety research, highly advanced methodologies verified by large and small scale integrated experiments, and accumulated analytical and operational experience and its feedback into this study.

Independently, comprehensive national programmes related to WWER-440/213 units have been launched in the Czech Republic, Hungary, Slovakia and Ukraine in order to develop new, or updated, safety analysis reports (SARs) compatible with internationally accepted practices and methodology.

The prime objective of the IAEA Technical Co-operation Project on Evaluation of Safety Aspects of WWER-440 model 213 NPPs is to co-ordinate and to integrate assistance to national organizations in studying selected aspects of safety for the same type of reactors. Consequently, the study integrated the results generated by national activities carried out in the Czech Republic, Hungary, Slovakia and Ukraine and co-ordinated through the IAEA. Valuable assistance in carrying out the tasks was also provided by Bulgaria and Poland.

A set of publications is being prepared to present the results of the project. The publications are intended to facilitate the review and utilization of the results of the project. They are also providing assistance in further refinement and/or extension of plant specific safety evaluation of model 213 NPPs. This Technical Document addressing the design basis and safety related design features of WWER-440 model 213 plants is the first of the series to be published.

It is hoped that this document will be useful to anyone working in the field of WWER safety, and in particular to experts planning, executing or reviewing studies related to the subject.

The IAEA wishes to thank all those who took part in the preparation of this document, particularly M. Kulig of the National Inspectorate for Radiation and Nuclear Safety, Poland (currently IAEA staff member), for his important contribution to the drafting of the document and incorporating final comments into the project report.

EDITORIAL NOTE

In preparing this document for press, staff of the IAEA have made up the pages from the original manuscript(s). The views expressed do not necessarily reflect those of the governments of the nominating Member States or of the nominating organizations.

Throughout the text names of Member States are retained as they were when the text was compiled.

The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.

The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.

CONTENTS

1. INTRODUCTION
  1.1. Objective and purpose of the report
  1.2. Scope of the report
  1.3. Outline of the report

2. DESIGN BASIS
  2.1. The defence in depth concept
  2.2. General basis for design
  2.3. Design safety objectives
  2.4. Postulated initiating events
  2.5. General design principles
    2.5.1. Single failure criterion
    2.5.2. Combination of events
    2.5.3. Operator actions
  2.6. Design basis accidents
  2.7. Acceptance criteria
    2.7.1. Engineering rules for plant and system design
    2.7.2. Criteria for design basis accident analysis
    2.7.3. Criteria used in strength analysis of NPP equipment and piping

3. DESCRIPTION OF THE PLANT
  3.1. Historical background and general description of the WWER-440 NPP
  3.2. Safety related plant features and systems
    3.2.1. Normal operation equipment
    3.2.2. Safety systems
  3.3. System design highlights
    3.3.1. Reactor system
    3.3.2. Reactor coolant system
    3.3.3. Chemical and volume control system
    3.3.4. Primary circuit purification system
    3.3.5. Primary pressure control system
    3.3.6. Power conversion system
    3.3.7. Secondary decay heat removal system
    3.3.8. Plant control system
    3.3.9. Protection system
    3.3.10. Emergency core cooling system
    3.3.11. Emergency/auxiliary feedwater system
    3.3.12. Secondary side pressure control system
    3.3.13. Containment system
    3.3.14. Electrical power supply system
    3.3.15. Service water system
    3.3.16. Intermediate component cooling system
    3.3.17. ECCS compartment cooling system
    3.3.18. Fuel handling, storage and transportation
  3.4. Structural materials used in WWER-440 NPPs

4. DESIGN RELATED SAFETY FEATURES
  4.1. Normal operational systems
    4.1.1. Safety merits
    4.1.2. Safety concerns
  4.2. Safety related systems
    4.2.1. Safety merits
    4.2.2. Safety concerns
  4.3. Instrumentation and control
  4.4. Electrical power supply
  4.5. Protection of equipment from external hazards
    4.5.1. Fire protection
    4.5.2. Aircraft impact

5. CLASSIFICATION OF PLANT STATES CONSIDERED IN THE DESIGN
  5.1. Normal operational states
  5.2. Anticipated operational occurrences
  5.3. Accident conditions
  5.4. Severe accidents beyond design basis

6. OPERATION OF MULTIPLE UNITS
  6.1. Advantages
  6.2. Disadvantages

REFERENCES

ANNEX I. COMPARISON OF SOVIET SAFETY REGULATIONS WITH UNITED STATES GENERAL DESIGN CRITERIA

ANNEX II. DESIGN BASIS ACCIDENTS PROPOSED FOR CONSIDERATION IN THE PROJECT

ANNEX III. REQUIREMENTS IN STRENGTH ANALYSIS OF NPP EQUIPMENT AND PIPING - COMPARISON OF SOVIET AND UNITED STATES PRACTICE

ANNEX IV. TECHNICAL DATA ON MAIN STRUCTURAL MATERIALS USED FOR MANUFACTURE OF EQUIPMENT AND PIPING IN WWER NPPs

ABBREVIATIONS

SYMBOLS USED IN PIPING AND ELECTRICAL DIAGRAMS

1. INTRODUCTION

1.1. OBJECTIVE AND PURPOSE OF THE REPORT

The report provides basic information essential for the safety evaluation of a plant, both qualitative and quantitative. Logically the material is divided into two parts - the first is dedicated to the definition of design basis and the second provides basic information concerning design features of a plant with a WWER-440/213 type reactor.

Engineering and normative basis used in the design process is highlighted with some references to accepted international safety philosophy. Where appropriate the differences are pointed out. The material presented in the report supports qualitative comparison of design basis as used by the vendor with current international practice. It also sets up the logical framework for safety analysis performed within the project - this subject is discussed in detail in other project documents.

The information on design features of WWER-440/213 plants, with particular attention given to Bohunice NPP, serves two purposes. The first is to provide a comprehensive description of the plant for the reader who is not well informed about WWER NPPs. This material is intended to back up more detailed safety assessment that is covered by other documents of the project.

The second purpose is to give a qualitative evaluation of the design in the areas that are not necessarily further developed within the project.

1.2. SCOPE OF THE REPORT

The material related to design basis includes a brief presentation of major elements of engineering and normative rules applied in the design of the plant by the vendor. These requirements are consistent with deterministic design basis framework.

Information provided in the report is based on general safety standards used in the former Soviet Union in the 1970s. Lower level technical requirements used at this time by design organizations are also discussed in the report.

In addition to general design principles, information is provided on the selection of design basis accidents being considered in the project.

The main emphasis is on acceptance criteria used in the design for proving compliance of the plant design with safety objectives. Various types of acceptance criteria are described, ranging from general conditions related to overall plant safety, to very specific ones, concerning a particular type of plant equipment, as well as criteria for design basis accident analysis.

In the latter group criteria are given for various classes of initiating events concerning process variables and system parameters, initial conditions, boundary conditions, as well as required computer code capabilities and modelling aspects.

This material presents both criteria used by the vendor and those proposed for use in the project by individual participants.

Description of the plant provided in the report is limited to basic information, essential to proper understanding of safety analyses performed within the project. System design highlights are given only for safety significant systems. For each system functional description as well as the numerical characteristics and geometrical data are given. Simplified system diagrams and drawings of main components are also included where it has been found to be convenient for clear presentation of the material.

In addition to system highlights some evaluation of design features is given, addressing both safety concerns and safety merits. However, this discussion is limited, since no systematic design review was carried out within the frame of the project. Identification of the most relevant safety issues and evaluation of their safety significance are based mainly on engineering judgment and to a large extent on various safety assessment studies recently conducted for WWER-440 NPPs as well as other existing information gained from operational practice.

In addition to design related material the report provides some information on classification of plant states considered in the design. This classification of plant states is made depending on their probabilities of occurrence and their consequences as available at the date of preparation of this report.

1.3. OUTLINE OF THE REPORT

Section 2 presents design basis applied in the design process by the vendor and the design basis proposed to be used in safety assessment carried out in the project. All logic elements of the design basis are discussed including specifications for selecting postulated initiating events, basic rules and assumptions used in the definition of plant conditions considered in the design, and acceptance criteria for proving compliance of the plant design with safety objectives.

Section 3 provides basic information related to WWER-440 model 213 units. It includes the historical background of the WWER technology and a general description of the plant. Some rational explanation is given on which systems are significant for plant safety, thus providing limits for the scope of plant system descriptions. Then detailed description of all relevant systems is given.

Section 4 concludes with basic information on Bohunice plant design, pointing out the safety merits and shortcomings of the plant design. The material presented in this section addresses both the general features of the plant and those related to individual systems.

Section 5 provides information on classification of plant states used in the design of WWERs.

Section 6 discusses some design related safety issues specific to multiple units, highlighting both advantages and disadvantages of multiple units arrangements.

Annexes I-IV include additional detailed information. Annex I compares the general safety standards applied by the Soviet vendor with those used by the US NRC. Annex II provides a detailed selection of design basis accidents to be considered in the project as proposed by the participants. Annex III compares the technical requirements used by the Soviet vendor in strength analysis with those applied in the USA. More detailed information on the main structural materials used for manufacture of equipment and piping in WWER NPPs is given in Annex IV.

2. DESIGN BASIS

2.1. THE DEFENCE IN DEPTH CONCEPT

"Defence in depth" is a fundamental principle underlying the safety philosophy of nuclear power. It considers all safety activities - organizational, behavioural or equipment related - as a hierarchically ordered set of different independent levels of protection. Protection measures include successive barriers which should in principle never be lost, and which must be violated in turn before harm can occur to people or the environment. The barriers are physical, providing for the confinement of radioactive material at successive locations.

The first three physical barriers are the fuel matrix, the fuel cladding and the boundary of the primary coolant system. These barriers serve both operational and safety purposes. The containment is a fourth physical barrier which has the main purpose of confining the radioactive material.

"Defence in depth" includes protection of the barriers by averting damage to the plant and to the barriers themselves. The reliability of the physical barriers is enhanced by applying the concept of defence in depth to them in turn, protecting each of them by a series of various measures.

There are many modes of protection against the possibility and the effects of accidents at nuclear power plants. Defence measures may be categorized using various logical criteria.

One way of categorization is to arrange possible defenses in order of progression of a nuclear project from its beginning to plant operation (siting, design, manufacture and construction, commissioning and operation).

The modes of protection can be classified according to the severity of the threat to plant safety. This severity is in turn measured in terms of extraordinary demands on equipment and staff performance or in terms of any resultant plant damage. This latter classification is illustrated in Fig. 1 compiled from the INSAG-3 report [1].

Figure 1 shows events challenging the safety of the plant ordered with severity increasing from left to right. Plant actions required to cope with occurrences (labelled "control") are displayed, arranged according to type of the plant challenge. The diagram shows how strategy, procedures, systems and the integrity of barriers would depend on the class of events and their severity (labels - "procedures", "response", "conditions of barrier", respectively). The figure also introduces two broader categories of defence strategies - accident mitigation and accident prevention. The first measures of preventing accidents depend on high quality in design and good operational practices, quality assurance, surveillance during operation, and other steps of preventing small plant deviation to develop into a more serious situation. The accident mitigation provisions include accident management, engineered safety features and off-site countermeasures.

A second complementary presentation of defence in depth is provided in terms of "defence levels".

The first level of protection in defence in depth is the prevention of deviations from normal operational conditions. Mitigation of "normal" releases and preventing incidents are the prime safety objectives. They are achieved by a combination of conservative design, quality assurance, surveillance activities and a general safety culture.

The second level of defence in depth is control of operation, including response to abnormal operation or to any indication of system failure. The prime safety objectives are mitigation of incidents and prevention of accidents. This level of protection is provided to ensure the continued integrity of the first three barriers.

[Figure 1: diagram with rows Strategy (accident prevention, accident mitigation), Events, Control, Procedures, Response and Conditions of barriers, with event severity increasing from normal operation to severe accidents beyond the design basis.]

FIG. 1. Overview of defence in depth.

The third level of defence in depth is the prevention of evolution of failures of equipment and personnel into design basis accidents, and of design basis accidents into severe accidents, and also to retain radioactive materials within the confinement. This level of protection is afforded by engineered safety systems and protective systems.

The fourth level of protection comprises measures that include accident management, directed to preserving the integrity of the confinement. The prime safety objectives are mitigation of on-site consequences and prevention of off-site consequences.

The fifth level is that of off-site emergency response, aimed at mitigating the effects of the release of radioactive materials to the external environment.

The defence in depth concept has been refined and strengthened through years of application. When properly applied, it ensures that no single human or mechanical failure would lead to injury to the public, and even combination of failures that are very unlikely would lead to little or no injury.

The defence in depth concept provides an overall strategy and a very broad perspective for evaluation of safety measures and safety features of nuclear power plant. Therefore, this concept is systematically referred to in this project to provide a logical framework guiding the presentation and discussion of the material included in the report.

In general, most of the components of defence in depth are implemented in WWER-440 model 213 plants. Respective sections of this report provide detailed discussion and evaluation of organizational, behavioural and design related measures used at successive levels of protection. Sections 2.2 - 2.7 address the general basis for design and Section 3 general design features of the plant.

The safety design principle incorporates all four physical barriers providing confinement of the radioactive material. To a large extent the design of the plant is based on engineering practice proven in past use.

Safety objectives and principles used in plant design are in general compliant with current international safety thinking. The plant is designed to cope with a set of events including normal conditions, anticipated operational occurrences and accident conditions. Conservative rules and criteria incorporating safety margins are used in design. The plant has also distinct inherent safety characteristics.

Plant process control systems and engineered safety systems are included in the plant design. Safety systems make use of redundancy of design and the physical separation of parallel components, where appropriate. Safety related components, systems and structures are designed and constructed to allow for inspection and testing.

A containment structure is designed to withstand the conditions resulting from the design basis accident. No explicit provisions have been made in the design for protection against severe accidents.

A detailed discussion of design issues related to the defence in depth concept is provided in Sections 3 and 4 of this report.

2.2. GENERAL BASIS FOR DESIGN

The deterministic approach, basically comparable to the approach used in current international practice,was applied in the design process.

The plant design takes into account that the challenges to all echelons of defence may occur andprovides appropriate design measures to ensure that the safety functions are accomplished and the safetyobjectives are met. The plant is designed to cope with a specified set of plant states. These plant states stemfrom events that lead to deviations from normal operation or to accident conditions. These events (furthercalled postulated initiating events) range from single events, such as an equipment failure, human errors,man induced or natural events, to complex combinations of individual events and their failure effects.Conservative rules and criteria incorporating safety margins are used to define plant conditions created bythese events that are taken into account in the design process. Appropriate acceptance criteria are appliedfor each of the plant states to prove compliance with selected safety objectives.

The engineering and normative basis, used in this design concept for establishing necessary capabilitiesof the plant, is further called design basis. The design bas?s includes all logic elements mentioned above- specifications for selecting postulated initiating events that the plant has to accommodate, basic rules andassumptions used in the definition of plant conditions considered in the design and acceptance criteria forproving compliance of the plant design with safety objectives.

In general, the design concept described above is compliant with the Soviet standards "GeneralProvisions for Assuring Safety at Nuclear Power Plants during Design, Construction and Operation" -OPB-82 [2] and "Nuclear Safety Regulations for Nuclear Power Plants" - PBYa-04-74 [3].

The first document specifies some general safety criteria providing mandatory guidance in the designingof the facilities. It also contains some technical, procedural and managerial requirements. The documentdescribes the top level rules and regulations analogous to the United States General Design Criteria forNuclear Power Plants from 10 CFR 50. Annex I provides a more detailed comparison of these twodocumeiits. The second document contains certain qualitative and quantitative requirements in regard to

11

safety, addressing methods for achieving safety. An additional document related to the design basis concept- "Standard Content for Technical Substantiation of the Safety of a Nuclear Power Plant" (TOB) - includesmore detailed requirements concerning the minimum set of initiating events taken into account in the designprocess.

The above mentioned documents constitute the basic normative framework that reflects the design basisphilosophy of the vendor applicable to the design of Bohunice Units 3 and 4. OPB-82 is not referenced inany Bohunice design documentation, since the plant was in a well advanced phase of construction at the timeof issue of the standard (commissioning date was 1984). However, taking into account the relatively longperiod of time usually needed for issuing such standards, it should be assumed that the document reflectsthe safety design philosophy applied in the design practice much earlier. The draft of the OPB-82 must havebeen at the designers' disposal since most of the model 213 improvements in comparison to the older model230 are in accordance with the OPB-82.

Recent revisions of the documents OPB (issued in 1988 as OPB-88 [4]) and PBYa (issued in 1989 asPBYa-RUAES-89 [5]) introduce some changes and/or additional requirements; however, the generalconcept has not been altered. A full package of new normative documents that has been developed veryrecently, in addition to general documents OPB and PBYa, includes several lower level standards andtechnical guides, such as:

Norms for Strength Analyses of the Nuclear Power Plant Equipment and Pipelines (PNAE-G-7-002-86);Rules for Arrangement and Safe Operation of the Nuclear Power Plant Equipment and Pipelines (PU)(PNAE-G-7-008-89);Equipment and Pipelines for Nuclear Power Plants (PU) (PNAE-G-7-009-89);Equipment and Pipelines for Nuclear Power Plants. Weld Joints and Welds-on. Control Rules (PK)(PNAE-G-7-010-89);Equipment and Pipelines for Nuclear Power Plants. Welding, Weld-on. Main Provisions (OP)(PNAE-G-7-009-89).

In comparison to existing norms and standards those recently adopted introduce several significant changes that reflect current international philosophy in NPP safety. Consideration is given to accidents of very low likelihood, but more severe than design basis accidents. Some elements of probabilistic safety assessment are introduced to provide the appropriate framework for the treatment of severe accidents. Several probabilistic safety requirements were introduced, such as limiting value for a probability of severe core damage (less than 10⁻⁵ per reactor year), limits for radioactivity release under severe accident conditions (3 × 10⁴ Ci for I-131 for accident scenarios with estimated probability higher than 10⁻⁷ per reactor year), probability limit for reactor pressure vessel damage (10⁻⁷ per reactor year).

More attention is given in the design to quality assurance. Introducing safety classes for equipment and pipelines provides an appropriate basis for corresponding requirements of quality control. More strict requirements are used for vessels and pipelines of the secondary circuit.

Quality control of the welding process is improved by introducing stricter requirements concerning personnel qualification, as well as better technical means and increased scope of weld joints control.

Treatment of brittle fracture is improved by using strength intensity coefficients (temperature dependent) instead of applying brittle fracture critical temperature alone. The permissible number of cycles was increased in calculating the fatigue strength (from 10⁶ to 10¹²).


2.3. DESIGN SAFETY OBJECTIVES

The general safety objective for nuclear power plants is to protect individuals, society and the environment by establishing and maintaining an effective defence against radiological hazards. This general objective is usually expressed more specifically in the form of two complementary objectives - radiation protection and technical safety.

The first objective is to ensure during operational states that radiation exposure of site personnel and the public remains below prescribed limits and is kept as low as reasonably achievable (ALARA), and to ensure mitigation of the radiation exposures from accidents.

The second objective is to prevent with high confidence accidents in nuclear plants; to ensure that, for all accidents taken into account in the design of the plant, even those of very low probability, radiological consequences are small; and to ensure that the likelihood of severe accidents with serious radiological consequences is extremely small.

Soviet standards OPB-82, PBYa-04-74 with related Radiation Safety Standards SP-AES-79, address explicitly the radiation protection objective defining the system of dose limitation.

The ALARA principle is not expressed directly in these standards. Such safety objectives are included explicitly in IAEA Safety Series No. 50-C-D (Rev.1) [6] and in 75-INSAG-3 [1], US NRC Code of Federal Regulations 10 CFR 50 and other safety standards currently in use in other countries.

These safety objectives are achieved by implementing various defence in depth measures. In addition to rigorous application of conservative engineering practice used in setting design bases, some general safety principles and criteria, directed to strengthening defence in depth provisions, are in fact included in Soviet standards, although not all levels of defence are addressed with equal attention.

Consideration currently given in the IAEA Safety Series No. 50-C-D (Rev.1) and INSAG-3 to accidents of very low likelihood, but more severe than those taken into account explicitly in the design (accidents beyond design basis), is not directly incorporated in the design concept of the WWER-440 plants.

In the current safety philosophy severe accidents are considered in a limited way. Considerations usually include the following elements:

- Identification of event sequences that lead to severe accidents;
- Consideration of existing plant capabilities, including the possible use of some systems beyond their originally intended function, to return the plant to a controlled state and to mitigate the consequences of the severe accident;
- Evaluation of potential design changes which could either reduce the likelihood of these events or would mitigate the consequences;
- Establishing accident management procedures, based on representative and dominant severe accidents.

This type of analysis was lacking in the design process of WWER-440 plants. Some elements of this approach are intended to be included in this project.

2.4. POSTULATED INITIATING EVENTS

The selection of postulated initiating events (PIEs) for their use in the design basis should ensure that all credible events with potential for serious consequences and significant probability have been anticipated and can be accommodated by the design of the plant. There are no firm criteria to govern the selection. Compilation of the list of PIEs is usually based on engineering judgement and experience from previous nuclear plant design and operation. Some guidance may be provided on a probabilistic basis.

Initiating events can be equipment failures that directly or indirectly affect the safety of the plant, human errors or other internal events like fires, floods of internal origin, etc. External natural or man-induced events that are credible at a given site should have been taken into account in the design basis. OPB-82 includes an explicit requirement concerning natural external events to be considered as design basis initiating events.

In the current safety philosophy the treatment of PIEs depends on their probabilities of occurrence and their consequences.

Events classified as normal operating events, or for which there is a reasonable expectation of occurrence during the life of the plant, are required to be accommodated without any damage to the plant. Events of much lower probability that cause significant damage to items important to safety, or lead to accident conditions, should have acceptable consequences.

Events of the latter class are the most essential element of the design basis, since the plant conditions created by these events tax the features of the safety systems. Safety systems are included in the plant design to protect against the possibility of occurrence of accidents that would otherwise contribute significantly to risk, or to mitigate the consequences of such accidents. Any engineered safety system is designed to prevent or to mitigate a specific spectrum of accidents. The accidents in this spectrum that determine the features of the safety system are termed the design basis accidents for that system. Design provisions introduced to cope with this class of events are considered as the third level of defence in depth strategy (see Section 2.1).

An important class of plant conditions included in the design basis covers operational processes deviating from normal operation, which are expected to occur once or several times during the operating life of the plant. These plant conditions are initiated by malfunctions or faults of individual items of normally running plant; they are termed anticipated operational occurrences. These initiating events are considered in the design basis, since they often determine plant process control system characteristics. When combined with other human or mechanical failure they may lead to accident conditions. Appropriate design provisions and plant feedback features are to be incorporated and verified, based on plant conditions imposed by those initiating events. Related design features protect the plant against significant damage and prevent incidents from developing into accidents. They are considered as the second level of defence in depth strategy (see Section 2.1).

Normal operational conditions (including shutdown, power operation, shutting down, starting, maintenance, testing and refuelling) are taken into account in the design in establishing a set of requirements and limitations for operation. They include constraints on process variables and parameters, safety systems settings, requirements for maintenance, testing and inspections, etc. These requirements and limitations provide a basis for the establishment of "Operational Limits and Conditions" for plant operation.

2.5. GENERAL DESIGN PRINCIPLES

Some general conservative rules are applied in the design that are related to the definition of plant conditions created by postulated initiating events, to be taken into account in the design basis. These rules may be considered as design measures that are used within the deterministic design approach to achieve required high reliability of systems for the performance of safety functions.

2.5.1. Single failure criterion

The single failure criterion is the fundamental principle used in the design of nuclear power plants. This principle is also explicitly referred to in the general safety requirements OPB-82 to be applied in the design of WWER-440 plants, including the Bohunice NPP.

The single failure criterion requires that a system under consideration is able to meet its intended function despite a single random failure, assumed to occur in any element of the system, not dependent on the initiating event. This rule is applied to either an active or passive element having mechanical moving parts. Multiple failures resulting from a single occurrence are considered to be a single failure.

The faults to be considered within the single failure criterion include also a single human error. Human errors may range from faulty or incomplete maintenance operation or incorrect setting of control equipment limits to wrong operator actions.

According to OPB-82 undetected failure of elements of safety systems not monitored during operation, that could affect the performance of safety functions, should be taken into account in addition to a single failure of one of the types mentioned above. In some cases when a high level of reliability of the above elements or systems in which they are included is indicated or when the element is taken out of operation for a short time for maintenance, their failure may not be taken into account.

Usually, the single failure criterion is applied to each safety group incorporated in the plant design. The safety group is that assembly of equipment which responds to a particular postulated initiating event in order that the limits specified in the design basis for that event are not exceeded [6].

There are special cases where compliance with the single failure criterion is required for a specific safety system. For example, OPB-82 contains such an explicit requirement concerning the emergency protection system.

Under the current design practice implemented in the design of WWER-440 NPPs the single failure criterion was interpreted selectively, depending on the initiating event, and its use involved some subjective judgement.

For safety groups associated with LOCA within the containment, single failures were assumed to occur simultaneously in each of the systems responding to the initiating event, including the reactor protection system, active part of the ECCS (both the high pressure injection and the low pressure injection systems) and passive part of the ECCS (the core flooding system).

The single failure criterion was not applied in the case of LOCAs within the steam generator. In this case credibility was given to a single valve (primary loop isolation valve) for isolation of the faulty SG from the reactor. PWR plants of non-Soviet design are not provided with primary loop isolation valves and for this reason more attention was given to this type of accidents (concerning both technical and procedural measures). It should be noted that consistent application of the single failure criterion for a WWER-440/213 steam generator LOCA would not require any modification of the plant since the existing plant equipment is judged to be sufficient to cope with this accident, provided that appropriate emergency procedures are implemented for this initiating event. In this case the safety of the plant would be better than that of the plant without loop isolation valves.
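The check described in this section can be written out as a short program. The following is an added illustration, not part of the IAEA report: it enumerates single failures in a redundant safety group, treats consequential failures as part of the same single failure, and optionally adds the undetected failure of an unmonitored element that OPB-82 asks for. The three-train group, element names and capacities are constructed assumptions and do not describe Bohunice equipment.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Element:
    name: str
    train: str              # redundant channel the element belongs to
    monitored: bool = True  # False: condition not monitored during operation


def available_capacity(elements, capacity, failed):
    """Sum the capacity of every train that has no failed element."""
    broken = {e.train for e in elements if e.name in failed}
    return sum(c for train, c in capacity.items() if train not in broken)


def single_failure_violations(elements, capacity, required,
                              event_failures=frozenset(),
                              consequential=None, undetected=False):
    """Return the failure cases in which the group delivers less than `required`.

    event_failures: elements lost as a result of the initiating event itself.
    consequential:  element name -> names that fail as a result of it; these
                    count as part of the same single failure.
    undetected:     also assume one failed unmonitored element in addition to
                    the single failure (the OPB-82 requirement quoted above).
    """
    consequential = consequential or {}
    lost = set(event_failures)
    candidates = [e.name for e in elements if e.name not in lost]
    hidden = [e.name for e in elements
              if not e.monitored and e.name not in lost]
    latent_cases = hidden if (undetected and hidden) else [None]
    violations = []
    for single, latent in product(candidates, latent_cases):
        failed = lost | {single} | set(consequential.get(single, ()))
        if latent is not None:
            failed.add(latent)  # no effect if it is the same element
        if available_capacity(elements, capacity, failed) < required:
            violations.append((single, latent))
    return violations


# Constructed group: three trains, each able to deliver the full function
# (100 units) alone; one valve is not monitored during operation.
ELEMENTS = [
    Element("pump_1", "train_1"), Element("valve_1", "train_1"),
    Element("pump_2", "train_2"), Element("valve_2", "train_2"),
    Element("pump_3", "train_3"),
    Element("valve_3", "train_3", monitored=False),
]
CAPACITY = {"train_1": 100, "train_2": 100, "train_3": 100}
REQUIRED = 100

if __name__ == "__main__":
    event = {"valve_1"}  # constructed: the initiating event disables train_1
    print("single failure only:",
          single_failure_violations(ELEMENTS, CAPACITY, REQUIRED, event))
    print("plus undetected failure:",
          single_failure_violations(ELEMENTS, CAPACITY, REQUIRED, event,
                                    undetected=True))
```

In this constructed group the plain criterion is met even when the initiating event removes one train, but adding the undetected failure of the unmonitored valve leaves no train available for two of the single-failure cases.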


2.5.2. Combination of events

The possibility of a combination of events in the definition of postulated initiating events and selection of candidates for single failure criterion is normally restricted by some general rules.

Normally, independent events are not considered to occur simultaneously. However, where combination of randomly occurring individual events could credibly lead to anticipated operational occurrences or accident conditions, they should be considered as a basis for design [6].

Events which may occur during a long term period before the initiating event with expected probability of occurrence relatively high should be considered as the part of the original initiating event if proper provisions for their identification do not exist or if the time needed for the corrective action is long [6].

For a relatively long period of post-event recovery additional events may need to be taken into account, depending upon the length of the recovery period and the expected probability of events. In this case it may be realistic to assume that the severity of an event which has to be taken in a combination is not as high as is required to be assumed for the same kind of event considered over a time span corresponding to the whole life of the plant. For example, in the recovery period following a LOCA, if a random combination with an earthquake is required to be considered, the earthquake severity could be taken as less than the severity of the design basis earthquake of the plant.

Certain events should be considered to be part of the original initiating event, if there is relatively high likelihood that they are consequences of the initiating event. An example of such consequential effects is a flood following an earthquake. Another combination of this type is loss of off-site power following a LOCA. This combination is typical for the design of the WWER-440 plants, due to certain plant features incorporated in the design. This event combination is taken into account in the design of the WWER-440. However, other combinations are in general not considered.

2.5.3. Operator actions

Normally, operator actions appropriate for mitigation of a particular initiating event may be taken into account in the definition of the design basis conditions. Operator actions to be considered are limited to those that are properly supported by sufficient information indicating the current status of the plant and are covered explicitly by existing operational procedures.

Some realistic constraints should be applied with regard to the time margin available for the operator to take a decision and to perform appropriate actions. Operator interventions are only acceptable where the designer can demonstrate that the operator has sufficient time to decide and to act, that the necessary information is clearly and unambiguously presented, and that the physical environment following the accident is acceptable.

The standards OPB-82 do not include explicit requirements concerning this issue. According to a recent edition of OPB-88, operator actions taken within the first period of 10-30 minutes following the initiating event are not to be considered in the design.

2.6. DESIGN BASIS ACCIDENTS

Design basis accidents adopted in the design of Bohunice Units 3 and 4 are developed according to a general concept described in Sections 2.2 - 2.5.


Soviet standards OPB-82 do not provide detailed guidance related to design basis accidents. However, this document introduces the so-called maximum design basis accident (MDBA). This accident is initiated by instantaneous, double-ended guillotine rupture of the primary coolant system pipe during operation of the reactor at nominal power (with regard to possible excess of nominal power due to errors and tolerances of the monitoring and control system).

The accident created by this initiating event is in a certain sense "maximal", since it determines the design capabilities of several important safety systems, such as containment system, core flooding system and low pressure injection system. No equivalent definition of maximum DBA is used in the IAEA guidelines, the US NRC 10 CFR 50 nor any regulations used in the USA and in western Europe.

In addition to MDBA, a relatively large number of postulated initiating events was included in the design, based on international practice and experience accumulated by design organizations and plant operators. The list of PIEs includes both anticipated operational occurrences and accidents, as discussed in Section 2.4. Plant conditions considered in the design basis are defined by application of conservative rules discussed in Section 2.5. More detailed information concerning initial conditions and boundary conditions of the plant is provided in Section 2.7.2.

Design basis accidents, originally taken into account by the Soviet vendor, did not include anticipated transients without scram (ATWS). The current safety practice, applied in the USA and in western Europe, requires that ATWS should be considered in the safety analysis. The argument used is not that reactor protection and reactor shutdown systems are unreliable, but that, because of the relatively high rate at which they are challenged by anticipated transients, an extraordinarily high reliability is required. The requirements regarding ATWS treatment were included to assure appropriate safety margins, since the needed reactor shutdown reliability was difficult to verify.

Detailed information on design basis accidents as adopted by the vendor, is given in Section 5. A list of design basis accidents selected for this study is provided in Annex II.

2.7. ACCEPTANCE CRITERIA

Acceptance criteria are included in the design basis to be used in showing compliance of the plant design with the design safety objectives. Both quantitative and qualitative conditions are applied for this purpose. These conditions are consistent with the deterministic design basis framework and the safety philosophy based on the defence in depth concept. Various types of acceptance criteria are used on different levels of the design process. They range from very general conditions, related to overall plant safety, to very specific conditions concerning a particular type of plant equipment.

Two very broad classes of acceptance criteria may be distinguished depending upon their application within the design basis framework. One class of acceptance criteria is used for system and component design. These criteria have the form of engineering design rules, based on engineering practice proven by past application, research, testing and dependable analysis. Criteria of this type have the simultaneous objective of reliability and safety. Their use is intended to assure balanced plant design with all levels of defence in depth well protected.

Another class includes criteria applied in the analysis of the design basis accidents to show that for each of the plant states considered in the design basis appropriate safety objectives are fulfilled. These criteria are established in the form of limiting conditions for certain process variables and important parameters of the plant. The criteria of this type are, in some cases, supplemented by detailed specifications concerning a particular method of analysis.


2.7.1. Engineering rules for plant and system design

Acceptance criteria in the form of engineering design rules are used for system and equipment design. Both very general and specific requirements are provided for this purpose in OPB-82 and PBYa-04-74.

Engineering rules for use in the design of systems and devices important to safety included in OPB-82 and PBYa-04-74 are briefly presented in this report addressing various groups of safety related systems and equipment. System classification and corresponding definitions given in the NUSS programme (Code on the Safety of Nuclear Power Plants: Design, Safety Series No. 50-C-D (Rev.1)) [6], slightly different from those used in Soviet standards, are followed in this report¹.

When appropriate, some comments are provided concerning the most important differences between the Soviet safety principles and those used in other countries (in particular, the lack of certain generally accepted safety requirements is pointed out).

2.7.1.1. General criteria

(a) Radiation protection

Nuclear power plants should be designed to ensure compliance with existing radiation protection standards. Radiological acceptance criteria are established related to maximum permissible doses for personnel, the dose range for the population and the limits on the content of radioactive products in the environment during normal operation and planned emergencies. Specific criteria used in the design basis accidents analysis are discussed in Section 2.7.2.

(b) Safety functions

In order to ensure an acceptable level of plant safety, appropriate safety systems should be incorporated in the plant to perform the following safety functions:

- shut down the reactor and maintain it in the safe shutdown conditions in operational states and in accident conditions;
- remove residual heat from the core after reactor shutdown, including accident conditions;
- confine radioactive products within established limits during operational states and during accident conditions.

(c) Quality of the plant

A programme to ensure quality of construction and operation of the plant should be established addressing the activities of organizations involved in the design, fabrication, construction, erection, testing and operation. Inspection and acceptance by the appropriate organizations should be provided in all stages of the plant life. Appropriate records of the design, fabrication, erection and testing of structures, systems and components important to safety shall be maintained by the plant licensee throughout the life of the unit.

¹ Systems important to safety are defined to include "safety related systems/equipment" and "safety systems". The latter group includes protection system (in Soviet standards referred to as "safety control systems"), safety actuation systems (in Soviet standards this group of systems is divided into "safety protective systems" and "accident localization systems") and safety system support features (Soviet term: "safety support systems").


Current international safety practice requires that structures, systems and components are classified on the basis of their importance to safety. No such requirements were included in OPB-82 nor in PBYa-04-74 (they are included in OPB-88).

(d) Provision for in-service testing and maintenance

Structures, systems and components important to safety should be designed to be periodically tested, maintained and inspected throughout the entire service life of the nuclear power plant with respect to their functional capability. Direct and complete check for conformity to the design characteristics should be made for systems and components important to safety. If such a check cannot be made, indirect or partial tests should be ensured and corresponding methods and devices for this established. In-service tests and maintenance should not lead to a reduction of the safety level.

(e) Design for optimized operator performance

Appropriate provisions should be made in the design to eliminate or attenuate, if possible, the effects of erroneous actions of personnel which may lead to aggravation of the consequences of equipment failures.

(f) Design for system reliability

Quantitative reliability analysis is required for systems important to safety. However, no reliability targets are assigned to safety systems or functions. No explicit requirements are included with regard to design features of the plant that determine the high level of reliability, such as diversity, independence, fail-safe design, etc.

(g) Fire protection

The only requirement concerning fire protection explicitly included in OPB-82 is that capability for actuating safety systems and gathering adequate information on plant status should be maintained during fire conditions by the use of a stand-by control room. More specific acceptance criteria related to fire protection are used, based on general standards applicable to thermal power engineering and industrial safety.

(h) Effects associated with equipment failures

The systems and components important to safety should be designed, manufactured and installed with regard to possible mechanical, thermal, chemical and miscellaneous effects that arise as a result of accidents included in the design basis. This requirement has been found not always to have been consistently considered in the design of the WWER-440.

(i) Sharing of structures, systems and components

Structures, systems and components important to safety should generally not be shared between two or more units. Nevertheless, if such structures, systems and components are shared, it should be demonstrated in the design that integration of functions does not lead to violation of safety requirements.

2.7.1.2. System specific criteria

(a) Reactor core

The reactor core and associated coolant, control and protection systems are required to be designed with appropriate margins to assure that fuel damage limits and the related levels of primary coolant activity should not be exceeded during the entire calculated service life under normal operating conditions. This requirement is extended also for certain deviations from normal operation (provided that safety systems are operable), as specified in OPB-82:

- malfunctions of the reactor control and monitoring system;
- loss of power supply of the primary coolant pumps;
- switching off turbine generators and heat sinks;
- complete loss of external power supply;
- leaks in the primary coolant system within the capability of normal make-up system.

The rated maximum damage of fuel elements during normal operation is specified as 1% of the fuel elements with defects of the gas leak type and 0.1% of fuel elements for which direct contact of the coolant and fuel material occurs.

The total power coefficient of reactivity usually should not be positive under any operational conditions of the plant. If the total power coefficient in any operating condition is positive, nuclear safety of the reactor must be assured and specially demonstrated in the design and operation.

The reactor core must be designed so as to exclude the possibility of displacement of core components leading to increase of reactivity.

The characteristics of the fuel, the design of the reactor core, the primary circuit and other systems should exclude the possibility of critical condition of the core during any accident (including those that lead to failure of the core or meltdown of the fuel). If this condition cannot be fulfilled, it should be demonstrated in the design that accidents leading to criticality of the core are beyond design basis accidents.

(b) Reactivity control systems

The means for shutting down the reactor should consist of at least two diverse systems (either independent devices or independent groups of devices). At least two of these systems should be, on their own, capable of rendering the reactor subcritical by an adequate margin from any operating conditions (without exceeding the allowable limits of fuel element damage) and maintaining it in a subcritical state at operational temperature of the coolant.

At least one of the envisaged two systems must be capable of bringing the reactor into a subcritical state and maintaining it in that state under normal and accident conditions, assuming single failure in the system and failure of control element with the highest reactivity worth.

The reactivity control system must be capable of coping with a single disturbance in the monitoring and control system without allowing the increase of the reactor power, which could lead to exceeding the allowable limits of fuel element damage. The maximum efficiency of the reactivity control elements and the maximum possible rate of reactivity increase, in the case of erroneous actions of personnel or of a single disturbance in any system of the plant, should be limited so that the effect of a subsequent power increase does not lead to the excess of maximum permissible pressure in the primary coolant system, non-permissible deterioration of core cooling or meltdown of the fuel element.

(c) Reactor coolant system

The reactor coolant system and its associated auxiliary systems should be designed in such a way as to withstand the static and dynamic loads and temperature effects anticipated during unintentional transients caused by:

- ejection of the control element with the highest reactivity worth;
- discharge of cold coolant into the core;
- a sharp reduction of primary coolant flow rate or disruption of heat removal from the primary coolant system.

No direct requirements are included in OPB-82 nor in PBYa-04-74 concerning the selection of material for the pressure vessel and the primary piping, related design standards, inspectability and fabrication of the primary circuit equipment. No provisions are explicitly required in the above mentioned standards for the material surveillance programme for the reactor vessel and other important components appropriate for determining the effects of irradiation and ageing of structural material. In the case of Bohunice V-2 the above mentioned requirements are specified by the individual QA programme.

(d) Instrumentation and control system

A control room should be provided from which the reactor and other systems of the nuclear power plant are monitored and controlled in all its operational states and during accident conditions.

An instrumentation and control system should be provided for monitoring and recording process variables over their possible ranges and automatic or remote control of normal operating systems in all modes of operation. The monitoring and recording equipment should be adequate to ensure that essential information is available for following the course of accident conditions and for planning the appropriate personnel actions.

Means of monitoring and control of the nuclear fuel fission process should be provided in all modes of operation and under all conditions of the core (including refuelling), when conversion to a critical state is possible.

Indicators of the position of the reactivity control elements, monitoring of the concentration of dissolved absorbents and indicators of the state of all other reactivity control devices should be provided. Design documentation should contain analysis of possible hazardous response of the control systems that lead to violation of safe operating limits in the case of system malfunctions (such as short circuits, loss of insulation, decrease of voltage, etc.). The systems should be checked for possible dangerous and spurious reactions before the reactor is started up.

The capability of detecting leaks in the primary coolant system should be assured.

The radioactivity level of the coolant and the radioactive waste should be monitored.

(e) Protection system

A protection system which encompasses all electrical and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating signals for initiation and controlling operation of safety actuation systems and safety system support features, should be provided. The protection system through safety actuation systems should prevent or eliminate conditions that lead to damage of the fuel elements above the rated limits.

Response of reactivity control elements should not depend on external power supply.

Failure in the protection system should result in operations directed toward ensuring safety (fail-safe behaviour).


The system should be designed for high reliability by following strict requirements on the quality of fabrication, checking and testing during operation, providing non-interruptible power supply and application of multichannel structure of the system. Independence of redundant channels should assure that no single failure (including common cause failures) affects system operability.

The protection system should be separated from the monitoring and control system to exclude interference of these systems. Failure of any element or channel of the monitoring or control system should not affect the capability of the protection system to perform the intended safety function.

The capability of manual actuation of the safety systems should be provided. Failure in the automatic initiation loop should not prevent manual initiation and performance of the appropriate safety function. Acting on a single element (key or button) should be sufficient for manual control.

The system should be designed so that the initiated action provides completion of the function. Return to initial state should require sequential operations of the operator. Possibility of false response should be reduced to a minimum.

The protection system should be designed to permit periodic testing of individual channels and the entire system when the reactor is in operation. If some part of the system is inoperable, then the appropriate information should be displayed in the control room.

The capability of actuating the safety systems and of monitoring their operation from a stand-by control panel should be provided if for some reason this cannot be done from the main control room.

(f) Protective safety systems

Protective safety systems should perform safety functions required for mitigation of any postulated initiating event upon a single failure not dependent on an initiating event.

Protective safety systems should include an emergency core cooling system, composed of several independent channels (trains), that ensures the required capability, assuming a failure independent of the initiating event, of any one channel of this system.

Cooling systems (channels) designed for normal operation may be used as emergency core cooling systems if they meet the requirements applicable for safety systems. Measures preventing criticality of the reactor caused by the operation of emergency core cooling systems should be provided in the design.

Operation of protective safety systems should not lead to damage of the equipment of normal operating systems. The number of responses of safety systems permissible during the service life of the plant (including spurious responses) should be substantiated in the design with regard to the effect on the operating life of equipment.

(g) Containment systems

Containment systems should be provided to confine radioactive materials that have escaped from the reactor installation during an accident considered in the design basis.

The primary coolant system should be located in the leaktight building, either entirely or partially, so that in the case of design basis accidents localization of released radioactive material within the leaktight compartments is ensured. Controlled release of radioactivity into the environment is permissible in individual cases, if it is substantiated in the design that the plant safety is ensured with this release.

Containment systems should fully perform their intended functions for all plant conditions considered in the design basis.

In case of multi-unit plants individual localization systems should be provided for each unit. System equipment may be shared if it is proven in the design that accidents cannot spread from one unit to the other units.

Containment systems should perform their functions during accidental leaks of coolant from the primary coolant system with regard to the consequential mechanical, thermal and chemical effects.

In those cases when active heat removal is provided to prevent increase of pressure in the containment, there should be several redundant channels that ensure system operability, assuming a single failure.

Each line that penetrates the containment, which should be closed in the event of accident conditions to prevent discharge of radioactive materials to the outside of the containment, should be fitted with at least two adequate containment isolation valves arranged in series, one outside and the other inside the containment.

Each line that penetrates the containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, is permitted to have a single containment isolation valve located outside the containment.

The accepted permissible rate of leakage of the containment boundary should be substantiated in the design and methods of achieving the given level of leaktightness should be indicated. Conformity of achieved leakage rate of the containment with the design value should be confirmed after completion of installation work and should be checked regularly through the plant service life. Containment test before plant operation should be performed at the containment design pressure and subsequent tests are permitted at reduced pressure. The equipment located inside the containment should tolerate pressure tests without damage.

OPB-82 does not include explicit requirements concerning containment atmosphere cleanup. A recent version of OPB-88 requires that appropriate measures, necessary to control the concentration of explosive gases in the containment atmosphere, are included in the design.

(h) Safety system support features

Support systems that supply safety systems with working media and energy during accidents considered in the design basis should be provided.

Support systems should have suitable redundancy to perform their functions for all initiating events considered in the design basis, assuming a single failure.

No specific requirements are provided in OPB-82 and PBYa-04-74 concerning emergency power supply systems. Such requirements are included explicitly in the IAEA Safety Series 50-C-D (Rev.1) and US NRC standards 10 CFR 50.

(i) Fuel handling and radioactive waste storage systems

Fresh or spent fuel storage systems should be designed to prevent criticality by physical means or processes, primarily by the use of geometrically safe configuration.

A reliable residual heat removal system should be provided in spent fuel storage. Corresponding chemical composition of the heat removal medium should prevent damage to the fuel, as a result of which the radioactive material may enter the nuclear power plant buildings or the environment.

Analysis of the composition and the amount of solid, liquid and gaseous radioactive wastes, both during normal operation and during accidents, should be included in the safety documentation of the plant.

Means of reprocessing, locations and methods of temporary and long-term storage of wastes, requirements concerning the purification process prior to discharge of air into the atmosphere and of water into natural reservoirs, methods of transporting wastes within the plant and to long term storage should be determined.

2.7.2. Criteria for design basis accident analysis

Acceptance criteria used for the design basis accident analysis define initial and boundary conditions as well as limiting conditions for certain process variables or important parameters of the plant (including damage to fuel elements). Some requirements are also provided with regard to modelling aspects and computer codes features.

Acceptance criteria used by the vendor in the design process of the WWER-440 are specified both in the existing normative documents OPB-82, PBYa-04-74 (or their more recent revisions OPB-88, PBYa-RUAES-89) and in technical guidelines/engineering rules developed and implemented by the design organizations.

The following technical guidelines are reported to be applied in the design of the WWER-440. Generally, initial conditions are established to take into account all possible deviations of process variables due to measurement errors and quality of control devices according to plant design specifications. Spatial power distribution is established to assure the most conservative conditions for each accident scenario. Pessimistic conditions are assumed also with regard to fuel burnup and associated reactivity coefficients (temperature, moderator density and Doppler effect coefficients).

The activity and the content of radioactivity in the primary and secondary systems used in the analysis of radiological consequences are treated conservatively, taking into account the increase of fission product release from fuel elements due to operation of the reactor protection system, changes of the primary pressure, etc.

When establishing boundary conditions, a maximum time delay of the reactor protection system is applied, based on experiments performed in the plant under operational conditions. The first signal for the reactor scram is considered to fail. The most effective control element is assumed to be stuck outside the core.

Residual heat is assumed conservatively and includes decay heat of fission products, decay heat from U-238 absorption and fission from delayed neutrons.

Operator actions directed to minimization of accident consequences are assumed to be undertaken only after a sufficient period of time (in most cases more than 30 min).

Acceptance criteria used in the design basis accident analysis usually depend on the accident scenario. They are selected from the following list of criteria:

(1) Primary pressure and secondary pressure should not exceed 115% of the nominal value.
(2) Primary and secondary pressures should not exceed the limits determined by brittle fracture characteristics of the vessel and mechanical strength of the fuel elements.
(3) Both short term and long term cooling of the primary circuit should be established.
(4) Maximum acceptable damage of fuel elements for normal operation is 1% for defects of the gas leak type and 0.1% for defects with direct contact of the coolant and the nuclear fuel.
(5) No boiling crisis should occur in the core (calculated with probability higher than 95% with 95% confidence level).
(6) Maximal temperature of the fuel should not exceed melting point of the fuel material during the whole transient.
(7) Fuel cladding stresses should not exceed specified limit for all operational conditions including power transitions and departures from normal operational conditions.
(8) For transients with fast reactivity increase radially averaged fuel enthalpy should not exceed 830 kJ/kg.
(9) Maximum acceptable damage of fuel is limited by the following conditions:
    - maximum cladding temperature not exceeding 1200°C,
    - maximum local cladding oxidation not exceeding 18% of the initial mass of the cladding,
    - maximum total oxidation of Zr in the core not exceeding 1% of the total mass,
    - design deformations of the reactor core should not prevent sufficient coolability of fuel elements.
(10) For accidents involving dropping of spent fuel container, plant design is acceptable without checking radiological consequences if the distance of the container drop does not exceed 9 m, and container movement is slowed down by using special devices.
(11) Dose limits accepted for normal operation should not be exceeded.
(12) Dose equivalents measured at the boundary of the exclusion area should not exceed 5% of the limits established for accident conditions.
(13) Dose equivalents measured at the boundary of the plant site should not exceed limits established for accident conditions.

Existing normative documents related to the definition of design basis for WWER plants are quite general, and in fact, they leave a considerable area within the judgement of the responsible organizations. It is reported that the list of criteria used in the design, as well as respective numerical values used in the definition of limits, are selected during the design process on a case by case basis. Criteria used in the design basis analysis depend on the type of accident initiator. For scenarios classified as anticipated operational occurrences criteria (1), (3) - (7) and (11) are usually applied. For some reactivity induced accidents criterion (2) is applied additionally. Criteria used by Soviet design organizations for scenarios classified as design basis accidents are listed in Table I.

Similar criteria are being developed or have already been developed in the former CSFR, to be used by the operators and regulatory organization in accident analysis of WWER plants. For two groups of accidents, namely reactivity induced accidents and loss of flow accidents, these criteria and relevant requirements have been officially issued in national regulatory guidelines [7, 8]. Short summaries of these two documents are provided in Sections 2.7.2.1 and 2.7.2.2, respectively. For the other two groups, i.e. large secondary steam leaks and loss of reactor coolant accidents (LOCAs), a proposal for such criteria has been elaborated and presented for utilization within this project [9, 10], but without any formalized approval by the regulatory body. Summary requirements for these two groups of accidents are given in Sections 2.7.2.3 and 2.7.2.4, respectively.

It should be noted that criteria which have been developed so far are neither sufficiently comprehensive nor fully completed. Criteria proposed for individual accidents may also differ from practices of other countries. Unification of these criteria seems to be very desirable.

TABLE I. ACCEPTANCE CRITERIA USED IN DBA ANALYSIS OF WWER NPPs

| Definition of initiating event/accident | Criteria used in the design |
|---|---|
| Spurious opening of pressurizer safety valve or safety relief valve | 1, 2, 3, 5, 6, 11 |
| Spectrum of small break LOCAs caused by postulated ruptures of primary circuit piping | 1, 2, 3, 6, 9, 12 |
| Control rod ejection with control rod drive head rupture | 1, 2, 3, 6, 12 |
| Seizure of one RCP | 1, 3, 6, 8, 12 |
| Rupture of SG feedwater pipeline | 1, 6, 12 |
| Spectrum of various steam lines ruptures inside and outside the containment (including rupture of single SG tube) | 1, 2, 3, 6, 12 |
| Break of the shaft of one RCP | 1, 3, 6, 12 |
| The most unfavourable accidents during fuel manipulations inside the containment and in the spent fuel storage | 11 |
| Accidents due to spent fuel container drop | 10, 11 |
| Leakage from or malfunction of gaseous radioactive wastes system | 12 |
| Leakage from or malfunction of liquid radioactive wastes tank | 12 |
| Postulated release of radioactivity due to rupture of liquid wastes tank | 13 |
| SG collector cover rupture or several SG tubes rupture | 1, 2, 3, 6, 9, 13 |

Acceptance criteria for reactivity induced transients, loss of RCS flow accidents, large steam leaks from the secondary circuit, and loss of reactor coolant accidents (i.e. the criteria available in the Czech Republic and Slovakia until now) are presented in the following sections together with additional requirements concerning modeling aspects and computer code capabilities. Some of these requirements, mainly those related to computer code capabilities, may be considered as not fully relevant since considerable progress has been made in development of the best estimate codes. These criteria are proposed to be used in the design basis analysis of the project.

2.7.2.1. Reactivity induced transients

Initiating events considered in this group include: uncontrolled withdrawal of group of control elements during startup (a) and during power operation (b), various inoperabilities of control element (c), inadvertent connection of cold loop to the reactor (d), uncontrolled reduction of boron concentration in the reactor coolant (e), and control element ejection (f).

The acceptance criteria for process variables and system parameters are as follows:

(1) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level);
(2) No fuel melting (melting point 2840°C for fresh fuel, 2670°C for burnout fuel);
(3) Primary pressure lower than 13.8 MPa (approximately 110% of the nominal value);
(4) No direct steam relief from the secondary circuit to the atmosphere;
(5) Sufficient time for the operator actions (30 min during refuelling, 15 min for other operational regimes);
(6) Peak value of the RCS pressure lower than the pressure that would result in the stresses exceeding the ASME Code [11], service limit C (non-acceptable stresses);
(7) Radially averaged fuel enthalpy in any point of the core lower than 840 kJ/kg (acceptable fuel damage from the point of view of long-term coolability of the fuel elements);
(8) Doses to the most exposed people at the plant surroundings not exceeding limits specified in general radiation protection standards.

The acceptance criteria applied depend on initiating event:

- for initiating events (a) and (c) - criteria (1) and (2);
- for initiating events (b) and (d) - criteria (1), (2), (3) and (4);
- for initiating event (e) - criteria (1), (2), (3), (4) and (5);
- for initiating event (f) - criteria (6), (7) and (8).

Radiological consequences of the accident, criterion (8), are based on the expected number of fuel elements that are damaged during the accident. The fuel element is assumed to be damaged, if:

- a boiling crisis occurred, according to acceptance criterion (1), or
- radially averaged fuel enthalpy at any point of the core exceeded 710 kJ/kg.
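
The following added example (not part of the IAEA report) applies the criteria of this section to the summary of one transient calculation: it selects the criteria for the initiating event, checks each against the limits quoted above, and flags fuel damage for the radiological analysis. The `TransientResult` field names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Criteria applied to each initiating event (a)-(f), as listed in this section.
APPLICABLE = {
    "a": (1, 2), "c": (1, 2),
    "b": (1, 2, 3, 4), "d": (1, 2, 3, 4),
    "e": (1, 2, 3, 4, 5),
    "f": (6, 7, 8),
}

# Numerical limits quoted in this section.
MELTING_POINT_C = {"fresh": 2840.0, "burnt": 2670.0}   # criterion (2)
PRIMARY_PRESSURE_LIMIT_MPA = 13.8                       # criterion (3)
OPERATOR_TIME_MIN = {"refuelling": 30.0, "other": 15.0}  # criterion (5)
ENTHALPY_COOLABILITY_KJ_KG = 840.0                      # criterion (7)
ENTHALPY_DAMAGE_KJ_KG = 710.0   # fuel damage threshold used for criterion (8)


@dataclass
class TransientResult:
    """Summary of one transient calculation (field names are assumptions)."""
    event: str                           # initiating event, "a" .. "f"
    boiling_crisis: bool = False         # 95/95 boiling-crisis check violated
    peak_fuel_temp_c: float = 0.0
    fuel_state: str = "fresh"            # "fresh" or "burnt"
    peak_primary_pressure_mpa: float = 0.0
    steam_relief_to_atmosphere: bool = False
    operator_time_min: float = 0.0       # time available for operator action
    regime: str = "other"                # "refuelling" or "other"
    stresses_within_service_limit_c: bool = True  # from a separate stress analysis
    peak_enthalpy_kj_kg: float = 0.0     # radially averaged, worst point of the core
    doses_within_limits: bool = True     # from a separate radiological analysis


def _checks(r):
    """Map every criterion number to a pass/fail result for this calculation."""
    return {
        1: not r.boiling_crisis,
        2: r.peak_fuel_temp_c < MELTING_POINT_C[r.fuel_state],
        3: r.peak_primary_pressure_mpa < PRIMARY_PRESSURE_LIMIT_MPA,
        4: not r.steam_relief_to_atmosphere,
        5: r.operator_time_min >= OPERATOR_TIME_MIN[r.regime],
        6: r.stresses_within_service_limit_c,
        7: r.peak_enthalpy_kj_kg < ENTHALPY_COOLABILITY_KJ_KG,
        8: r.doses_within_limits,
    }


def evaluate(r):
    """Return {criterion: passed} for the criteria that apply to r.event only."""
    if r.event not in APPLICABLE:
        raise ValueError(f"unknown initiating event {r.event!r}")
    checks = _checks(r)
    return {n: checks[n] for n in APPLICABLE[r.event]}


def failed_criteria(r):
    """List the applicable criteria that the calculation does not meet."""
    return [n for n, ok in evaluate(r).items() if not ok]


def fuel_damaged(r):
    """Damage assumption that feeds the radiological analysis of criterion (8)."""
    return r.boiling_crisis or r.peak_enthalpy_kj_kg > ENTHALPY_DAMAGE_KJ_KG


# Constructed sample results, not taken from any plant analysis.
ejection = TransientResult(event="f", peak_enthalpy_kj_kg=780.0)
dilution = TransientResult(event="e", peak_fuel_temp_c=1900.0,
                           peak_primary_pressure_mpa=13.9, operator_time_min=20.0)

if __name__ == "__main__":
    for case in (ejection, dilution):
        print(case.event, evaluate(case), "fuel damaged:", fuel_damaged(case))
```

The constructed ejection case meets the 840 kJ/kg coolability limit of criterion (7) but still counts as damaged fuel, because the 710 kJ/kg threshold for the radiological analysis is lower.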

Initial conditions at the initiating event onset are defined as follows:

- reactor power known with 2% accuracy;
- most conservative combination of reactivity coefficients (moderator temperature, moderator density, Doppler effect) and spatial power distributions;
- pessimistic values of delayed neutron fractions and prompt neutron lifetime;
- conservative heat transport properties of the fuel;
- conservative values of the core flow rate, inlet/outlet temperatures and pressures. Pessimistic conditions depend on initiating event and sensitivity studies are recommended for their selection.

Boundary conditions are defined as follows:

- maximum time delay of the reactor protection system and minimum efficiency of control elements;
- most effective control element stuck at the top position after reactor scram;
- if three-dimensional neutron calculations are not applied, conservative assumptions concerning reactivity spatial effects;
- conservative power distribution, assuming its changes during the transient;
- sensitivity studies of Doppler effect coefficient, gas-gap heat transfer coefficient, and other important parameters are required.

Required computer code capabilities:

- model combining neutronic and thermal hydraulic characteristics of the core; for some applications simplified model of the primary and secondary circuit should be included;
- all necessary feedback effects adequately included;
- at least six groups of delayed neutrons taken into account;
- axial nodalization of the fuel channel, radial nodalization of the fuel element, modelling of coolant flow along the fuel channel length and control element insertion should be possible;
- if space dependent kinetics is not modeled, the effect of the neutron flux distribution changes during the transient on inserted reactivity, feedback coefficients, accumulated heat, total energy released and heat transport to the coolant should be examined.

2.7.2.2. Loss of RCS flow accidents

Initiating events considered in this group include: seizure of one RCP, coastdown of several RCPs, coastdown of all RCPs. Different number of RCPs initially in operation should be considered for each initiating event.

Acceptance criteria for process variables and system parameters are as follows:

(1) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level); corresponding values of DNBR may differ considerably depending on CHF correlation (see [10]);
(2) No fuel melting (very unlikely for these IEs);
(3) Primary system pressure during the early phase of the transient (RCP speed >10% of the nominal value) should not exceed 110% of the nominal value;
(4) Safe transition to natural circulation;
(5) No coolant boiling at the average channel outlet (more stringent criterion used in addition to criterion (4) to avoid unfavourable two phase flow phenomena that may disturb natural circulation or lead to early core uncovering).

Initial conditions at the initiating event onset are defined as follows:

- reactor power equal to 102% of the nominal value; nominal value of the reactor power should depend on the number of operating RCPs (83.5%, 67.0%, 50% for 5, 4, 3 RCPs operating, respectively);
- inlet core coolant temperature 2 K higher than the nominal value;
- coolant pressure 0.2 MPa lower than the nominal value; reactor coolant flow rate equal to 96% of the nominal value; nominal value of the reactor coolant flow should depend on the number of operating RCPs (88.7%, 75.3%, 59.5% for 5, 4, 3 RCPs operating, respectively; it is assumed that main gate valves in non-operating primary loops are closed);
- conservative assumptions concerning reactivity coefficients and power distribution (from the point of view of boiling crisis criterion);
- conservative assumption concerning core flow and by-pass flow distribution;
- residual heat calculated using ANS correlation with 20% uncertainty, infinitely long fuel irradiation, conservative assumption concerning reactor power prior to initiating event (applicable for cases with reduced number of operating RCPs).

Boundary conditions are defined as follows:

- both correct and incorrect operation of the reactor power control system should be considered;
- maximum time delay of the reactor protection system, low insertion velocity and low efficiency of control elements;
- heat transfer to primary circuit components should be considered;
- possible failures of the pressurizer heaters and the coolant injection should be taken into account.

Required computer code capabilities:

- residual decay heat taken into account;
- parallel channels in the core modeled;
- non-ideal mixing in the lower plenum;
- thermal hydraulic model of the primary circuit and possibly simplified model of the secondary circuit;
- basic controllers (including reactor power control, ROM-limitation of the reactor power, pressurizer pressure and level control, feedwater flow control, turbine power control, SG safety valves and steam dump station (BRU-A) control) should be modeled.

2.7.2.3. Large secondary steam leaks

Initiating events considered in this group include: main steam header rupture, SG pipeline rupture (full or partial), inadvertent opening of secondary steam dump facilities (SG safety valves, BRU-A, BRU-K).

Acceptance criteria for process variables and system parameters are as follows:

(1) Pressure and temperature in the primary circuit should be kept within the acceptable limits established with regard to brittle as well as ductile fracture;
(2) Reactor core should not be recritical due to rapid cooling down of the primary circuit; reactor subcriticality should be assured also during long term cooling;
(3) No boiling crisis in the core (calculated with probability higher than 95% with 95% confidence level); corresponding values of DNBR may differ considerably depending on CHF correlation (see [10]);
(4) Maximum confinement pressure/temperature and maximum confinement differential pressure should not exceed design values with sufficient margins;
(5) Dose equivalents for the most endangered individuals should be less than 0.25 Sv for the whole body, 1.5 Sv for the thyroid in adults, 0.75 Sv for the thyroid in children; complementary criteria for intervention levels (sheltering, iodine prophylaxis, evacuation, limited food consumption) must be checked.

Initial conditions at the initiating event onset are defined as follows:

- conservative value of reactor power - either hot state-zero power or 102% of the nominal value should be used in checking specific acceptance criteria (typically hot state-zero power is conservative in checking criteria (1), (2) and (3) and 102% power is conservative with regard to criteria (4) and (5));
- other reactor coolant parameters including flow rate, inlet temperature, core outlet pressure should be chosen conservatively (sensitivity studies are recommended for their selection) using the following ranges:
    - inlet core coolant temperature: the nominal value plus 2 K; higher inlet temperatures are advised in checking confinement pressure criterion, low values - in criticality criterion;
    - coolant pressure: the nominal value plus 0.2 MPa; low values are expected to be conservative in checking DNBR margin;
    - reactor coolant flow rate: 96-103% of the nominal value; low value of the reactor flow is expected to be conservative in checking DNBR margin, high value - in criticality criterion and impact on reactor vessel;
- conservative assumptions concerning reactivity coefficients and power distribution should be applied; strong reactivity feedback (reactivity coefficient corresponding to the end of fuel cycle (EOC) and zero boron concentration) are advised as conservative in checking recriticality and impact on reactor vessel, the opposite assumption is appropriate for checking the confinement pressurization criterion;
- residual heat should be treated conservatively; minimum estimate is appropriate for reactor recriticality (EOC), high values are advised to be used for checking confinement pressurization.

Boundary conditions depend on specific acceptance criterion. Generally, both correct and incorrect operation of the reactor systems should be considered in order to assure the most conservative conditions. Application of single failure criterion should also be selective in this context. Equipment not qualified for accident conditions, including instrumentation used to activate safety systems, should be considered only if it is leading to worse consequences. Specific conditions are discussed below for each type of acceptance criteria.

Criteria concerning reactor criticality

- minimum time delay of the reactor protection system, most effective control rod stuck in its upper position, stuck control rod should be placed in the affected (cold) section of the core;
- boron injection from accumulators should not be considered;
- increase of boron concentration due to ECCS operation should not be considered, or time delay for boric acid transport must be considered conservatively;
- influence of the high pressure injection system should be analyzed parametrically with respect to cooldown rate and boron concentration;
- main isolation valves should not be considered for isolation of primary loop;
- main circulation pumps should be considered running at least in affected loop, if their reliable switching-off is not assured;
- single failure criterion should be considered when increasing cooldown rate (e.g. failure of isolation valve to close in the secondary system);
- heat transfer to primary circuit components should be considered;
- possible failures of the pressurizer heaters and the coolant injection should be taken into account.

Criteria concerning reactor vessel damage

- loss of power supply coincident with initiating event;
- maximum number of ECCS pumps in operation, with conservatively high estimate of injected flow;
- different number of isolated loops by means of main isolation valves should be investigated to analyze non-symmetrical reactor cooling.

Criteria concerning confinement overpressurization

- assumptions leading to time delay and low efficiency of the confinement spray system (loss of power supply);
- consideration of leaktight confinement to maximize overpressurization and underpressurization;
- single failure criterion applied to increase energy release to the confinement.

Criteria concerning radiological consequences

- loss of power supply leading to non-availability of the condenser and direct steam release to the atmosphere;
- maximum allowed activity in both primary and secondary circuit;
- maximum allowed number of damaged fuel elements, maximum allowed leakages from the primary to the secondary circuit;
- no positive operator actions before 10-30 minutes.

Required computer code capabilities:

- complex code capable to simulate adequately behaviour of primary and secondary systems as well as neutron kinetics of the core;
- best estimate type code is preferred, with conservative initial and boundary conditions;
- 3-D dynamic neutronic model is preferred; if not available it is necessary to combine conservatively 3-D steady-state neutronic model with 1-D thermal hydraulic model;
- a model with non-ideal coolant mixing in the reactor plenum is preferred; if it is not available, a conservative approach should be applied;
- water carry-over by steam flowing out of the secondary circuit should be modeled; otherwise, conservative approach should be chosen and discussed;
- SG secondary side mixture level should be calculated using best-estimate approach or conservative approach should be applied to maximize cooldown rate.

2.7.2.4. Loss of reactor coolant accidents

Initiating events considered include: cold leg guillotine rupture at the reactor inlet (break flow coefficient changing from 0.4 to 1.0 to identify the worst conditions), hot leg guillotine rupture at the reactor outlet, hydroaccumulator line rupture, pressurizer surge line rupture, representative spectrum of partial cold leg rupture (equivalent break diameters 10 - 200 mm), steam leaks from the pressurizer.

Acceptance criteria for process variables and system parameters are as follows:

(1) Maximum cladding temperature not exceeding 1200°C;(2) Maximum local cladding oxidation not exceeding 18%;(3) Maximum total oxidation of Zr in the core not exceeding 1%;(4) Maximum deformations of the reactor internals lower than prescribed;(5) Maximum blockage of fuel element flow area less than 75%;(6) No fuel melting;(7) Subcriticality of the reactor for long term cooling;(8) Control elements inserted into the core;(9) Pressure and temperature in the reactor vessel within acceptable ranges determined by brittle fracture

characteristics (special analysis needed for checking conformity with this criterion);(10) Maximum containment pressure and temperature lower than the design limits, with sufficient margins;(11) Maximum time duration of the containment overpressure shorter than prescribed value;(12) Containment differential pressure lower than prescribed values, with sufficient margin;(13) Dose equivalents for the most endangered individuals less than 0.25 Sv for the whole body, 1.5 Sv for

the thyroid in adults, 0.75 Sv for the thyroid in children;(14) Complementary criteria for intervention levels (sheltering, iodine prophylaxis, evacuation, limited food

consumption) must be checked.

Initial conditions at the initiating event onset are defined as follows:

- reactor power equal to 102% of the nominal value;- inlet core coolant temperature 2 K lower than the nominal value;- coolant pressure 0.2 MPa lower than the nominal value;- reactor coolant flow rate equal to 96% of the nominal value;- conservative assumptions concerning power distribution (axially chopped cosine for large breaks,

non-symmetrical distribution with maximum at the top part of the core for small and medium LOCA);- uncertainties in power distribution (local power density - 15%, fuel rod power density - 18%);

31

- maximum power of the fuel assembly - 5.95 MW, maximum linear power of the fuel element325 W/cm;

- conservatively low heat transport properties of the fuel element (gas-gap heat transfer, fuelconductivity).

Boundary conditions are defined as follows:

- conservative assumptions concerning the reactor scram (maximum time delay, low control element efficiency, the most effective control element stuck outside the core);
- the first signal for the reactor scram considered to fail;
- malfunction of the normal control system;
- loss of power supply at the moment of turbine trip;
- operation of main isolation valve not considered;
- conservatively low capabilities of high and low pressure ECCS pumps;
- independent failure of one hydroaccumulator, one HP and one LP pump (due to DG failure);
- for large break LOCA, additional single hydroaccumulator and single LP pump ineffective, due to coolant loss through the break;
- reactor coolant pump conservatively assumed in operation;
- at the beginning of refill during the large break LOCA no residual water in the reactor vessel is considered;
- conservatively low containment pressure for reflooding;
- only systems designed to operate in accident conditions can be considered;
- operator's actions only after adequate period of time (10-30 min);
- residual decay heat calculated using the ANS correlation with 20% uncertainty, infinitely long fuel irradiation;
- sensitivity study with respect to hydraulic resistance of the hydroaccumulator line;
- cladding damage assumed if stresses are higher than specified limit;
- boiling crisis assumed to occur if DNBR is low or core flow rate is low.
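The decay heat boundary condition combined with the 102% initial power, as an added example that is not part of the report. It assumes that "the ANS correlation" can be represented by the commonly tabulated piecewise power-law fit to the 1971 ANS curve for infinite irradiation; the report does not give the coefficients, and the nominal thermal power in the demo is a sample value.

```python
"""Conservative decay-heat source for accident analysis (added example).

From the page: initial power 102% of nominal, decay heat from the ANS
correlation with 20% uncertainty and infinitely long irradiation, operator
action credited only after 10-30 min.
ASSUMPTION: the fit coefficients below are the widely tabulated power-law
fit P/P0 = A * t**(-a) to the 1971 ANS decay-heat curve; the page does not
say which form of the correlation was used.
"""

# (t_min [s], t_max [s], A, a); t is time after shutdown in seconds
ANS_FIT = (
    (0.1, 10.0, 0.0603, 0.0639),
    (10.0, 150.0, 0.0766, 0.181),
    (150.0, 4.0e6, 0.130, 0.283),
    (4.0e6, 2.0e8, 0.266, 0.335),
)

POWER_FACTOR = 1.02        # page: reactor power equal to 102% of nominal
DECAY_UNCERTAINTY = 0.20   # page: 20% uncertainty on residual decay heat


def decay_fraction(t, uncertainty=DECAY_UNCERTAINTY):
    """Decay power / pre-trip power at t seconds after shutdown."""
    for t_min, t_max, coeff, exponent in ANS_FIT:
        if t_min <= t < t_max:
            return (1.0 + uncertainty) * coeff * t ** (-exponent)
    raise ValueError("t=%r s is outside the fitted range 0.1 s .. 2e8 s" % (t,))


def decay_power_mw(t, nominal_mw):
    """Decay power in MW, starting from 102% of nominal thermal power."""
    return POWER_FACTOR * nominal_mw * decay_fraction(t)


def decay_energy_mj(t0, t1, nominal_mw):
    """Decay energy in MJ released between t0 and t1 (seconds).

    Each fit segment is integrated analytically:
    integral of A * t**(-a) dt = A * t**(1 - a) / (1 - a).
    """
    if not 0.1 <= t0 < t1 <= 2.0e8:
        raise ValueError("need 0.1 <= t0 < t1 <= 2e8 seconds")
    integral = 0.0
    for t_min, t_max, coeff, exponent in ANS_FIT:
        lo, hi = max(t0, t_min), min(t1, t_max)
        if lo < hi:
            p = 1.0 - exponent
            integral += coeff * (hi ** p - lo ** p) / p
    # MW * s = MJ
    return POWER_FACTOR * nominal_mw * (1.0 + DECAY_UNCERTAINTY) * integral


if __name__ == "__main__":
    NOMINAL_MW = 1375.0  # sample nominal thermal power, assumed for the demo
    for minutes in (10, 30):
        t = 60.0 * minutes
        print("t = %2d min: %.1f MW decay power" % (minutes, decay_power_mw(t, NOMINAL_MW)))
    print("energy to remove before operator action at 30 min: %.0f MJ"
          % decay_energy_mj(0.1, 1800.0, NOMINAL_MW))
```

The energy integral over the first 10-30 minutes is the heat the automatic systems must remove before any operator action is credited.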

Required computer code capabilities and modeling aspects:

- codes verified by comparative calculations and by experiments;
- following aspects of LOCA considered (by means of several codes):
  - jet forces and reaction forces
  - subcooled decompression (reactor internal forces)
  - blowdown
  - refill and reflood
  - main circulation pump overspeeding
  - cladding thermo-mechanical behaviour and damage
  - pressure-temperature containment transients
  - radiological consequences (preferably, but not necessarily consistent with other aspects);
- model combining neutronic and thermal hydraulic characteristics of the core;
- possibly several parallel channels in the core;
- if hot channel not modeled, then flow through this channel should be reduced to 70-80% of the average channel flow;
- chemical reaction on cladding surface considered if temperature >900°C for the period of time longer than 15 s, Baker-Just equation without steam flow limitation, after cladding rupture the reaction on both internal and external surface;
- appropriate temperature and pressure distribution modeled, mainly in the vicinity of the break;
- appropriate modeling of axial temperature and pressure distribution in SG and in the core;
- modeling of at least two legs for large break LOCA and three legs for small breaks to take into account loop asymmetry;
- correlations used only within their range of validity;
- modified Bernoulli equation for subcooled blowdown and Moody equation for two-phase blowdown (if appropriate experiments are not available);
- abrupt change from pre-crisis correlations to stable film boiling after boiling crisis;
- heat exchange with primary and secondary circuit walls considered;
- steady-state heat transfer correlation acceptable;
- modeling of the loop seal phenomena should be included;
- adequate modeling of steam separation mainly at low pressures (for small and intermediate LOCAs);
- main circulation pump modeling for one and two phase flow (worst conditions found by comparative analysis);
- for cladding temperature > 700-750°C, effect of cladding deformation on gas-gap heat transfer should be considered;
- in the core region above the mixture level, heat transfer assumed only to the steam;
- reactor refill calculations from the end of blowdown to the start of reflooding should assume the adiabatic core heat-up;
- return to nucleate boiling from post-crisis regimes during blow-down phase not allowed;
- for stable film boiling, correlations of Miropolskii (pressure >4 MPa) and Dougall-Rohsenow (low pressures) are recommended;
- accident simulation time is determined by reaching safe and stable core conditions.

2.7.3. Criteria used in strength analysis of NPP equipment and piping

All NPP equipment and pipelines are designed to assure appropriate mechanical strength. Stresses due to loads are determined using computer codes based on finite element method. Additional verification is made by experimental investigations. Experiments are carried out using models and photoelasticity techniques, as well as measurements of actual stresses by the use of resistance strain gauges.

Calculational analysis usually includes basic dimensioning and checking calculations. Static strength calculations, stability calculations, cyclic strength calculations, brittle fracture calculations and seismic effect analysis are typical elements of this analysis. The theory of maximum tangential stresses is applied in the calculations. For brittle fracture analysis the theory of highest normal stresses is used. Design pressures and design temperatures used in the strength analysis are derived based on normal operating conditions. Three categories are considered when performing the checking calculations. They depend on the classification of plant conditions and include: normal operating conditions, operational occurrences, and accidents.

Seismic input loads are included depending on the category of equipment. A combination of loads under normal operating conditions plus either safe shutdown earthquake or design basis earthquake load is applied.

Allowable strength margins are determined depending on equipment type and stress categories. Allowable stresses are derived from minimum value of ultimate strength and/or minimum value of yield point. Average tensile stresses from mechanical load, combined tensile stresses from mechanical load plus thermal effects, and reduced stresses from all mechanical loads (tensile, bending, torsional) plus temperature effects are calculated. Allowable stresses depend on plant conditions. The values used for normal operational states are usually increased by 20% for operational occurrences or 40% for accidents. All equipment and pipelines are checked for low-cyclic fatigue using the appropriate stress margins and allowable number of cycles.

Brittle fracture analysis is based on empirical correlations. Initial conditions include normal operation (including hydro-tests), operational occurrences and accidents. Stress intensity coefficients are estimated using critical brittle-to-ductile transition temperature. Temperature ageing, cyclic damaging effects and neutron exposure effects are considered. Analysis is carried out for so called design defects.

Calculation of defects detected during operation is also performed. Allowable crack dimensions are calculated such that for all operating conditions stress intensity factors are less than those estimated for design defects. Various strength margins are used depending on plant state (normal operation conditions, operational occurrences, accidents). General approach and logical elements of the calculations are very similar to those applied in the USA. Some differences are observed in the numerical values of stress margins as well as in the correlations used in the analysis.

More detailed comparison of standards related to strength analysis used in the design of WWER-440 NPPs and appropriate standards applied in the USA is provided in Annex III.

3. DESCRIPTION OF THE PLANT

This section includes basic information related to the WWER-440 model 213 plant that is essential for proper understanding of safety analyses performed within the frame of the project.

Section 3.1 presents a historical background of WWER technology and a general description of the nuclear power plant model 213 considered in the project.

Section 3.2 describes which plant systems are important from the safety point of view. This section establishes limits for the scope of plant system descriptions provided in Section 3.3. The latter includes more detailed information concerning system design.

3.1. HISTORICAL BACKGROUND AND GENERAL DESCRIPTION OF THE WWER-440 NPP

Bohunice Units 3 and 4 used standard plant design, designated as WWER-440 model 213. This plant design version was introduced in the late 1970s. Design and other technical aspects of this plant model have undergone a long period of evolution and have been validated by considerable experience and testing.

The first commercial pressurized water reactor was commissioned in the former USSR in 1963 at Novovoronezh. The first unit, known as WWER-210 unit, was followed by a second prototype, a 365 MW(e) version that became operational in late 1969. From these prototypes, a standardized 440 MW(e) nuclear power plant, called WWER-440, was developed. The first WWER-440s use the standard plant design referred to as model 230. The first 230 unit was Novovoronezh Unit 3, which began power operation in 1972.

The 230 plants have been in operation since the early 1970s in the former USSR, Bulgaria, the former Czechoslovakia and were operated in the former GDR (until 1991). Twelve units of this type are presently in operation.

A later model of WWER-440 designated as 213 was commercially introduced in 1980/81 in Rovno (Units 1 and 2). Model 213 nuclear steam supply system in a containment structure (of Westinghouse design) was used in Loviisa NPP (unit 1 commercially operated since 1977, unit 2 since 1981). Two other units with 213 model using a different containment structure are under construction in Cuba. Over 20 units with 213 reactor are in operation or in final stage of construction in former CSFR, Finland, Hungary and the former USSR. Construction of two 213 units was cancelled in Poland and the project for the construction of four 213 units (one unit already in operation and three units under construction) was stopped in the former GDR.

All WWER-440 plants have six loops, isolation valves on each loop and horizontal steam generators. All use two 220 MW(e) steam turbines.

The reactor core is composed of hexagonal fuel assemblies with 126 fuel rod positions each. Control rod assemblies are a combination of a fuel assembly and an absorbing extension. The WWER-440 uses a rack and pinion drive mechanism to move the control rods.

The WWER-440 model 230 relies on local area compartmentalization alone to prevent the release of fission products. Accident localization compartments have pressure release valves intended to relieve over-pressure and then reclose.

The design basis accident is a pipe rupture with an effective 100 mm diameter. Special orifices reduce the flow to an amount corresponding to 32 mm equivalent diameter. The 230 plants have limited capability for emergency core cooling; the main limitation is the lack of hydroaccumulators. Designs of ECCS differ considerably in various plants.

The 230 plants use low inertia canned motor pumps having minimal coast-down performance. To provide non-interrupted pumping in the event of loss of electrical power, 230 models have special house-load generators located on the turbine generator shaft to provide electric power for approximately 180 seconds.

The WWER-440 model 213 substantially differs from the older model 230. The 213 has both additional accident localization features and the standard ECCS. The reactor coolant pump is equipped with a high inertia flywheel to increase the pump coast-down.

The most significant addition to the accident localization system involves the inclusion of a pressure suppression system, incorporating a large number of water trays serving as suppression pools, in which extensive steam condensation occurs during emergency LOCA conditions. For each unit, the set of pressure suppression trays is located inside a separate building (the bubbler/condenser tower) constructed adjacent to the reactor building. The tower is connected to the steam generator compartment by a rectangular tunnel. The condenser tower also houses four large receiver volumes serving as air traps.

The model 213 was designed to cope with a 500 mm pipe rupture. The design pressure of the model 213 accident localization volume is about 0.25 MPa absolute. Displacement of air from the localization compartments, followed by condensation of steam due to passive heat removal to cold structures and also due to operation of spray system, permits the pressure to be reduced to sub-atmospheric values after 10-15 minutes (valid for 500 mm pipe rupture). Continued cyclic operation of the sprays maintains the pressure in the localization compartments between 0.085 and 0.095 MPa absolute.

The WWER-440 model 213 incorporates redundant independent emergency core cooling systems including high pressure pumps, low pressure pumps and accumulator tanks. The high pressure system includes recirculation capabilities and does not perform any make-up functions, for which a separate system is used. A spray system is provided in the steam generator and pump compartments to condense steam during emergency conditions. Table II summarizes the main differences in design features of WWER-440/230 and 213 models using as an example Bohunice V1 and V2.

3.2. SAFETY RELATED PLANT FEATURES AND SYSTEMS

Equipment related design features, essential from the safety point of view, are discussed in the following sections of this report. The presentation is structured according to the logical framework provided by the "defence in depth" concept, briefly described in Section 2.1.

All equipment or systems important to safety are addressed in this section. They include normal operation equipment or systems related to safety, and safety systems.

3.2.1. Normal operation equipment

The reactor core system and the reactor coolant system are classified as items important to safety, since they determine the quality of the first three safety barriers. Several inherent safety features built in the design of these systems are also very important from the safety point of view. Conservatively designed equipment and positive feedback features provide important safety measures included in the first and the second level of defence in depth.

TABLE II. MAIN DIFFERENCES BETWEEN BOHUNICE V1 (MODEL 230) AND BOHUNICE V2 (MODEL 213)

| Feature/Component | Model 230 | Model 213 |
|---|---|---|
| Reactor core | 313 fuel assemblies (including 37 control assemblies); 36 dummy (steel) assemblies in peripheral region of the core | 349 fuel assemblies (including 37 control assemblies with fuel followers) |
| In-core measurements | neutron flux measurement; periodic measurements (once a week) using self-powered type detectors (12 measuring channels each containing 7 detectors) | continuous core monitoring by the use of HINDUKUS system based on rhodium self-powered type detectors (36 measuring channels each containing 7 detectors) |
| Reactor | inlet and outlet nozzles horizontally shifted; flat core barrel bottom plate; no accumulator nozzles; no material samples in the vessel | inlet and outlet nozzles above each other; elliptical core barrel bottom; 4 additional nozzles for hydroaccumulators; buffers on the core barrel for distribution of coolant from hydroaccumulators; material samples located in the vessel |
| Main isolation valves in RCS | Soviet manufacturer; closure time 78 s; high requirements for drive power; high-pressure water sealing used | Czechoslovak manufacturer; closure time 38 s; lower requirements for drive power; no water sealing applied |
| Main circulating pumps | low inertia leaktight case pump GCN-310 (inertia momentum 75 kg m²); coast down time in case of all pumps off =10 s (acceptable coastdown is assured by electrical connection of the pump motor to special house load generator on the turbine shaft); lower pump efficiency; reactor coolant flow higher (7 % in comparison to that for 213); no anti-reverse protection; no sealing water required | high inertia sealed shaft pump GCN-317 (inertia momentum 1025 kg m²); coastdown time in case of all pumps off =190 s; higher pump efficiency; lower reactor coolant flow; anti-reverse protection; sealing water required; generally more complicated operation |
| Pressurizer | PRZ volume 40 m³ (24 m³ of liquid); 2 surge line nozzles | PRZ volume 44 m³ (28 m³ of liquid); 1 surge line nozzle |
| Emergency core cooling system | maximum DBA is a rupture of 100 mm line with 32 mm flow limiter; 1 large ECCS tank (800 m³), it is used also as a sump; 2 groups of HP pumps (3 pumps each), 2 pumps of each group powered from essential power supply system (DG) (after reconstruction) | maximum DBA is a guillotine rupture of 500 mm RCS pipe; 3 x 100 m³ ECCS tanks in HP system; 3 x 300 m³ ECCS tanks in LP system; core flooding system composed of 4 accumulators; 3 independent ECCS trains |
| Containment | low volume confinement (approximately 12.000 m³) designed for 0.1 MPa overpressure; relatively low leaktightness; blow off valves to atmosphere as an over pressure protection (1 valve 520 mm D, 8 valves 1130 mm D, opening at 0.067 and 0.078 MPa, respectively) | high volume containment (approximately 50.000 m³), pressure suppression type with bubble condenser; design overpressure 0.15 MPa; moderate leakage rate (9-16 vol.%/day); 1400 m³ of water in bubble condenser; underpressure reached after DBA due to air separation (air traps, and passive spraying) |
| Setpoints, interlocks | relatively simple due to simple safety systems | more sophisticated signal logic |
| Instrumentation and control | safety systems logic controllers are not designed as separate sub-systems; unit information system with very limited capabilities; core parameter monitoring limited (as one of the functions of unit information system) | I and C divided into several subsystems with autonomous functions; reactor protection and engineered safeguards actuation functions separated from control functions; relatively complex automatics and interlocks; unit information computer system; in-core monitoring HINDUKUS system |

The power conversion system is the normal operational system; however, certain equipment and the piping of the system play an essential role in accident conditions.

The primary circuit purification system maintains appropriate water chemistry and low level of primary coolant contamination during normal operation of the plant. This function is also important with regard to accidental release of radioactivity to the environment. In case of LOCA bypassing the containment (e.g. SG LOCA) a large amount of primary coolant may be released through the secondary circuit to the atmosphere.

The chemical and volume control system and the primary pressure control system perform important functions during normal operation, but they are also safety related, since they are the part of primary coolant pressure boundary. In addition, they are used as safety systems during accident conditions, providing certain functions of accident mitigation (see Section 3.2.2).

A plant control system that uses plant feedback characteristics is also included in this group, since it protects the physical barriers by keeping the plant in a well defined region of operating parameters, where barriers will not be jeopardized (the second level of defence in depth).

Fuel handling, storage and transportation systems are also safety related. Manipulations with spent fuel outside the containment may be associated with relatively high risk, since the number of protective barriers is in this case considerably reduced.

3.2.2. Safety systems

Safety systems and their accident mitigation functions are discussed below for two general accident groups - LOCAs and transients. Three types of safety systems are to be distinguished - systems involved in generating appropriate signals associated with the protective function (protection system), systems which fulfill required safety actions when initiated by the protection system (safety actuation systems), and systems that provide services such as cooling, lubrication and energy supply required by the protection system and the safety actuation systems (safety system support features). These systems are referred to in Section 2.1 as the third and fourth level of defence in depth.

3.2.2.1. LOCA mitigation systems

Prompt termination of the nuclear chain reaction by the reactor protection system (RPS) is the first safety function to be performed in the case of smaller break size LOCAs. Reactor subcriticality must be accomplished to lower the core power output to the decay heat level. For large break LOCA this RPS function is not required, at least at the initial phase of the accident.

Next in precedence are the functions for appropriate core cooling - ensuring adequate inventory in the reactor coolant system (RCS), RCS pressure control and decay heat removal from RCS. Success of these functions is achieved by the emergency core cooling system which provides a coolant into the primary system, the primary pressure control system (PPCS) which maintains the pressure below the appropriate design limit and several secondary side cooling systems removing the heat from the steam generators in accident conditions.

In the WWER-440 model 213 plant the ECCS comprises three independent subsystems - the core flooding system (CFS), the high pressure injection/recirculation system (HPS) and the low pressure injection/recirculation system (LPS). These systems provide full protection across the entire spectrum of break sizes.

The high pressure injection system prevents uncovering of the core for small coolant piping leaks, when the high system pressure is maintained, and serves to delay the uncovering of the core for intermediate sized leaks. Passive CFS is an additional means to supply the coolant into the primary system. Due to high pressure set-point for discharging coolant from the accumulator, this system may essentially support the function of HPS during small and intermediate sized leaks. In certain conditions (e.g. SB LOCA with secondary "feed and bleed" cooling) CFS may even replace the short term cooling function of the high pressure injection system.

The low pressure injection/recirculation system (LPS) is designed to recover the core cooling at low pressures. For larger breaks, up to the double-ended rupture of the largest pipe, the LPS and the CFS operate together providing cooling medium into the RCS. The recirculation mode of the LPS is designed to permit boron concentration control and long term core cooling after a LOCA.

The primary pressure control system is an important mitigation system during a LOCA of a certain break size range. In case of very small break LOCAs with secondary side cooling unavailable, pressurizer safety relief valves (PSRVs) may be used to ensure a sufficient rate of HPS cooling by controlled bleed of steam through PSRV (primary "feed and bleed"). However, in the WWER-440 this mode of RCS cooling was not taken into account by the plant designer and at present it is not covered by existing emergency procedures.

Secondary side cooling systems are important mitigation systems for very small break size LOCAs and for small break size LOCAs with complete unavailability of HPS. Secondary side cooling is accomplished by delivering feedwater to steam generators using emergency feedwater or auxiliary feedwater systems with simultaneous steam dumping from the secondary circuit by means of SG safety relief valves, atmospheric steam dump stations or process condenser steam dump stations (the part of secondary decay heat removal system).

The above mentioned systems are referred to in Section 2.1 as the third level of defence in depth.

The reactor building pressure suppression system and the reactor building spray system prevent overpressure of the localization compartments and perform radioactivity removal function. Practically, these systems do not affect operation of ECCS; however, if successful mitigation of the LOCA cannot be achieved and core melt ensues, the consequences of the accident would be reduced if the functions of containment overpressure protection and radioactivity removal are performed. These systems provide the protection referred to in Section 2.1 as the fourth level of defence in depth.

3.2.2.2. Transient mitigation systems

Reactor subcriticality is the first safety function to be performed in response to a transient. The RPS must operate to lower the core power to the decay heat level and to prevent a potentially severe RCS overpressure. If the RPS fails and the RCS components survive the overpressure transient, reactor subcriticality can also be achieved by injecting borated water into the RCS via the HPS.

After achieving reactor subcriticality the core must be kept cool by removing decay heat from the RCS. This is accomplished by delivering feedwater to the steam generators from the emergency/auxiliary feedwater system and boiling off this water to the atmosphere via the SG-safety relief valves and atmospheric steam dump stations (BRU-A) or to the process condensers via the SDHRS.

If the EFS/AFS are unavailable, decay heat may also be removed directly from the RCS via a "feed and bleed" operation provided that the HPS is available. The core is cooled by boiling off the RCS coolant into the sealed compartments via the PSRVs. This mode of cooling is not covered by existing emergency procedures.

For certain severe transients, such as those involving a failure of the RPS or a delay in secondary side cooling, the operability of PSRVs would be required to prevent a potential rupture of the RCS. The PSRVs that open as a result of the transient must all reclose to avoid a small LOCA.

Even though a small LOCA, induced by PSRV failure to reclose, has been prevented, the function of RCS inventory makeup should still be fulfilled via the HPS (or via normal RCS make-up system) to respond to potential losses of RCS inventory through various smaller leaks and to temperature shrinkage of coolant during the RCS cooldown.

The reactor building spray system (RBS) is required to prevent overpressure of the localization compartments if "feed and bleed" core cooling via HPS is utilized. If successful mitigation of the transient is not achieved and core melt ensues, the RBS can lessen the consequences of the accident.

3.2.2.3. Safety system support features

Successful operation of the LOCA and transient safety actuation systems requires that several support systems are operable. Appropriate support functions include: electrical power supply, control/actuation of safety related systems and component cooling.

The following support systems are important:

- Electrical power supply system, providing motive power to pump motors and motor operated valves in most process systems (both safety actuation and support systems) and to protective/control systems;
- Service water systems, providing cooling water to various components and technological systems, including ECCS heat exchangers, ECCS/RBS pump motor coolers, diesel generators and process condensers of SDHRS;
- Intermediate component cooling system, providing coolant to several components and technological systems including ECCS/RBS pump seals and main circulating pump coolers;
- ECCS compartment cooling system, providing air cooling in ECCS/RBS room to ensure proper environment for electrical equipment.

3.3. SYSTEM DESIGN HIGHLIGHTS

3.3.1. Reactor system

The reactor system is composed of the following components: the pressure vessel, the reactor internals, the vessel top head with head mounted components and control drives. The reactor internals include the core barrel, the flow distribution structure, fuel assemblies and control assemblies.

3.3.1.1. Reactor pressure vessel

The reactor pressure vessel (Fig. 2) is the pressure boundary for the reactor core. It houses a variety of internals that support and center the core and provide for flow distribution to the core. It is fabricated from sections of cylindrical forgings of a low alloy, high strength steel. The forgings are welded into a cylinder with a hemispherical bottom. The reactor pressure vessel head is bolted on to complete the vessel pressure boundary and to support and locate the control rod drives. Internal surface of the vessel is protected by stainless steel cladding, 9 mm thick. The reactor vessel has 6 inlet and 6 outlet nozzles (500 mm diameter). The outlet nozzles are located at the higher elevation than the inlet nozzles. The inlet and outlet nozzles are offset.

1 - elliptical bottom head, 2 - plain rings, 3 - nozzle rings, 4 - reactor vessel flange, 5 - support rings, 6 - separating rings, 7 - bolts, 8 - washers, 9 - consoles, 10 - flange, 11 - reactor vessel upper head, 12 - nozzle, 13 - screw, 14 - nut, 15 - sealing.

FIG. 2. Reactor pressure vessel.

Reactor vessel internals include structures for control of hydraulic flow and for supporting fuel assemblies and control rods.

A cylindrical tank, further called core barrel, holds the core basket containing fuel assemblies. At the same time it serves to separate incoming and outgoing coolant and to distribute its flow through the reactor. The core barrel is composed of two parts. The upper part (Fig. 3) is a cylindrical vessel, 8 m high and 50-55 mm thick, fastened to the vessel top by use of supporting flange that rests on the vessel support ring. The cylindrical wall of the core barrel serves also as thermal shield to reduce the neutron flux at the reactor vessel wall.

The bottom of the core barrel (Fig. 4) consists of a support plate for fixing the core basket, cylindrical shroud, lower support plate and spherical perforated bottom. Upper support plates have openings for fuel assembly nozzles and control rod guides. The cylindrical part houses the guide tubes for the movable shim rods that penetrate below the core. Upper and lower support plates, located at the bottom part of the cylindrical shroud, provide support for the guide tubes. The lower plate is perforated to allow coolant flow to the core inlet.

1 - flange, 2 - cylindrical wall, 3 - holes, 4 - ledge, 5 - sample channel, 6 - labyrinth sealing, 7 - alignment element.

FIG. 3. Core barrel - upper part.

1 - upper plate, 2 - lower plate, 3 - flow skirt, 4 - perforated bottom, 5 - protecting and guide tube, 6 - allocation pin.

FIG. 4. Core barrel - bottom part.

1 - lower plate, 2 - skirt, 3 - shroud, 4 - pin.

FIG. 5. Core basket.

The core basket assembly (Fig. 5) consists of two plates separated by a series of tube guides for control rods. A flow skirt around the periphery aids in flow distribution. Fixed fuel assemblies are centered at the top by assembly arresters and fixed by the core hold-down/upper internals structure.

The core hold-down/upper internals structure (Fig. 6) positions the heads of the fuel assemblies so that they cannot be pushed upward by the coolant. Control rod guide tubes and tubes for temperature monitoring sensors are an integral part of this structure.

3.3.1.2. Reactor core

The reactor core in the 213 model is composed of 312 fuel assemblies and 37 movable control assemblies. The bottom portion of the movable assembly contains fuel (so called fuel followers) and is in tandem with the upper portion containing boron-steel control material. This movable control assembly is further called a shim assembly. The construction of the fuel section shim assembly is, with small deviations, like that of a fixed fuel assembly.

1 - upper plate, 2 - lower plate, 3 - guide tube, 4 - skirt, 5 - assembly arrester, 6 - ring, 7 - hold-down spring unit, 8 - measurement line protecting tube.

FIG. 6. Core hold-down/upper internals structure.

The fuel assemblies (Fig. 7) contain 126 fuel rods each, arranged in a triangular grid with a rod pitch of 12.2 mm. The hexagonal fuel bundle is surrounded by the fuel assembly shroud (2 mm thick) that holds all parts of the fuel assembly together, forming an integral unit. It also allows control of the coolant flow rate through individual fuel assemblies. The flow rate is adjusted by means of throttling orifices, installed in the support plate of the core barrel. Eleven honeycomb type grids, secured on a central tube, are used to space fuel rods and to prevent rod buckling.

The fuel rod is made of 7.5 mm diameter uranium dioxide pellets (2.4-3.6% U-235), contained in 9.1 mm outside diameter tubes made of Zr - 1% Nb alloy, 0.65 mm thick. Fuel pellets have central hole of 1.5 mm diameter to reduce the temperature in the center of fuel pellet and to lower the probability of centerline melting during operation. The gap between the pellet and the clad is 0.16 mm (at initial conditions, at room temperature). A 56 mm plenum at the top of the pellet stack allows for the fuel expansion during operation. A spring is placed in the plenum to hold the pellet stack. The gap and the plenum are filled with an inert gas under pressure and are seal-welded at both ends. The active length of the fuel rod for fixed fuel assembly and the shim assembly is, respectively, 2420 mm and 2320 mm.

1 - hold-down pin, 2 - top nozzle shank, 3 - central tube, 4 - upper grid, 5 - fuel element, 6 - hexagonal shroud tube, 7 - spacer grid, 8 - lower grid, 9 - bottom nozzle, 10 - spring-loaded pin.

FIG. 7. Fuel assembly.

The lower part of the fuel assembly is provided with a cylindrical shank (nozzle), designed to fit into an opening in the bottom plate of the core basket. The head of the fuel assembly is provided with a grabhead, designed for refuelling and transportation.

The grabhead and shank of the shim assembly differ from their counterparts in the fixed fuel assembly and have different purposes. The grabhead of the shim assembly (Fig. 8) is designed to connect to the absorber extension. The shank of the shim assembly has a damper, which is a cylindrical tube with radial openings and is capped on the upper end.

46

_<pito

1 - top nozzle, 2 - central tube, 3 - upper grid, 4 - fuel clement, 5 - hexagonalshroud tube, 6 - lower grid, 7 - bottom nozzle, 8 - damper.

FIG. 8. Control rod fuel section.

The absorber extension is attached to the top of the movable fuel assembly via the shank. At the top of the control absorber (Fig. 9) there is a receptacle for the shank of the control rod drive shaft. There are openings at the top and bottom to allow water passage. Boron steel inserts provide reactivity control. The absorber extension components are assembled together with a hexagonal shroud, similar to the one used in the fuel assembly. The hexagonal stainless steel shroud is a good absorber of thermal neutrons; boron steel inserts absorb thermal and epithermal neutrons.

1 - openings for water flow, 2 - hexagonal shroud tube, 3 - boron steel insert, 4 - shank with coupling, 5 - fuel assembly.

FIG. 9. Control rod absorber section.

3.3.1.3. Control rod drives

The WWER-440/213 uses a rack and pinion drive mechanism to move the control rods. The pinion is rotated by a two-stage right-angle reducer connected to the motor. The rack and pinion are always coupled. When a trip occurs, power to the electric motor is cut off and the control assembly drops by gravity into the core. The drive rods and mechanisms are cooled by intermediate component cooling system. Control rod drives and control rod cooling system are mounted on the reactor vessel head. A schematic diagram of control rod drive is provided in Fig. 10.

[Figure labels: positioner, bayonet joint, intermediate rod, control assembly.]

FIG. 10. Mechanical diagram of control rod drive (SVZ).

3.3.2. Reactor coolant system

The reactor coolant system (RCS) conducts the heat from the reactor core to the steam generators that provide steam to the turbine generators through main steam lines. Six primary coolant loops have common flow paths through the reactor vessel, but are otherwise independent in operation. Operation with a loop out of service is possible, due to the use of primary coolant system isolation valves. However, it is not recommended because of asymmetrical distribution of flow in individual loops. In some plants (e.g. Paks NPP) this mode of operation is administratively excluded.

Each RCS loop includes a horizontal steam generator, a main circulating pump and two isolation valves. Primary coolant flows from the reactor outlet nozzle to the steam generators. The primary coolant is connected to the tube side of the horizontal steam generator and is then pumped by the reactor coolant pump (RCP) through another isolation valve to the reactor inlet nozzle.

1 - inlet primary nozzle, 2 - outlet primary nozzle, 3 - primary collector lid, 4 - secondary lid, 5 - collector shield, 6 - primary lid tightness monitoring line, 7 - secondary lid tightness monitoring line, 8 - primary collector vent line, 9 - feedwater line, 10 - emergency feedwater line, 11 - support, 12 - perforated plate, 13 - emergency feedwater nozzle.

FIG. 11. Steam generator - cross section A-A.

In order to reduce primary coolant elevations the hot leg includes a U-shaped section. This feature provides loop seal effects during a LOCA accident.

The pressurizer, which maintains overall system pressure (12.5 MPa) and compensates for changes in the volume of the primary coolant, is connected to the RCS between the reactor outlet nozzle and the outlet isolation valve in one of the loops. The pressurizer is connected by two pipelines (200 mm diameter) with hot leg, between the RPV and isolation valve, and by an injection pipeline with the cold leg of the primary loop piping at the RCP discharge. A more detailed description of the pressurizer is given in Section 3.3.5.

3.3.2.1. Steam generators

The steam generators (SGs) are horizontal units (Figs. 11, 12), with submerged tube bundles and built-in steam separator. Each unit includes a cylindrical horizontal shell (outer diameter 3.34 m and length 11.4 m), two vertical inlet and outlet manifolds of 750 mm diameter and two horizontal tube bundles of stainless steel, U-shaped tubes of 16 mm diameter and 1.4 mm thickness. Primary coolant flows through the tube side, the feedwater is delivered to the shell side.

The steam generators produce dry, saturated steam at a pressure of 4.6 MPa at the rate 452 t/h. Steam is separated by gravity and by steam dryer louvers, collected by 15 standpipes and directed to the horizontal steam header line installed at the top of the steam generator tank.

The SG unit is hung by means of four suspension rods fixed to the ceiling structure. The inlet and outlet primary piping lines are connected vertically from the bottom.

3.3.2.2. Reactor coolant pump

The reactor coolant pump (Fig. 13) is of a shaft seal type, GCN-317. A special flywheel is installed on the pump shaft to provide the desired pump flow coast-down. The pump capacity is 7100 m3/h at the pressure rise 0.4 MPa. The pump motor (1400 kW) is supplied with power from 6 kV AC normal distribution load center. The cooling and the lubricating of the radial thrust bearing is provided by its own oil system.

CROSS SECTION B-B, CROSS SECTION C-C

1 - steam generator shell, 2 - elliptical head, 3 - moisture separating equipment, 4 - feedwater line, 5 - steam line, 6 - emergency feedwater line, 7 - blow down nozzle, 8, 9 - drainage nozzles, 10 - steam nozzle, 11 - manway, 12 - nitrogen pipe.

FIG. 12. Steam generator - cross section B-B and C-C.

The intermediate cooling system (RCP cooling circuit) provides cooling water for the coolers of RCP shaft sealing, and RCP motor.

3.3.2.3. Isolation valves

The isolation valves used in the primary circuit (Fig. 14) are of a disk type GZZ-500. Tight closing of the valve is ensured by two disks which close the valve opening tightly in one direction of the fluid flow. The isolation valves in Bohunice V-2 NPP were made in Czechoslovakia. In comparison to an earlier design used in 230 units the new design does not require high pressure water for sealing, and both driving power and closure time (38 s) are considerably reduced.

3.3.3. Chemical and volume control system

The chemical and volume control system (CVCS) controls the volume, purity and boric acid content of the reactor coolant during normal operational conditions and transients, including startup, shutdown and changes of the reactor power level.

During normal operation the CVCS compensates uncontrolled and controlled leaks from the RCS. Adjustments in coolant volume are made automatically to maintain a predetermined level in the pressurizer.

1 - casing, 2 - shaft, 3 - impeller, 4 - diffuser, 5 - flange, 6 - auxiliary impeller, 7 - radial bearing, 8 - sealing module, 9 - thrust bearing, 10 - stud, 11 - gasket, 12 - thermal shield.

FIG. 13. Reactor coolant pump.

Coolant purity is controlled by continuous purification of bypass stream of reactor coolant. A bleed and feed technique is used to control the boric acid concentration in the reactor coolant. The CVCS also provides seal injection water for the main circulating pumps and collects pump seal leakoff. During unit startup the system is used for filling up the RCS and for carrying out integrity and pressure tests (with the exception of strength test).

In addition to normal operational functions, the CVCS supplies emergency make-up in case of abnormal RCS leaks and emergency boration function during reactivity induced transients.

1 - casing, 2 - disk, 3 - stem (spindle), 4 - pressure lid, 5 - plate, 6 - bellows, 7 - seal, 8 - drive.

FIG. 14. Main isolation valve.

The CVCS is, in general, a non-safety system, even though some of its portions, such as the emergency boration piping and those sections of piping that form a part of the reactor coolant pressure boundary, are safety-grade piping. Electrical power is supplied by the plant AC distribution system (both essential and non-essential power supply subsystems). The majority of the system functions related to transients and abnormal conditions require operator actions.

The CVCS is composed of several subsystems:

- make-up and boric acid concentration control;
- demineralized water;
- emergency boration;
- purification bypass;
- letdown line.

[Figure labels: borated water tanks, emergency boration subsystem, boron control deaerator.]

FIG. 15. Schematic diagram of chemical and volume control system (CVCS).

The make-up subsystem (Fig. 15) includes deaerators, main make-up pumps, heat exchangers and associated piping with appropriate armature. The demineralized water subsystem contains two water storage tanks, pumps and associated piping. The emergency boration subsystem comprises borated water storage tanks and pumps with associated piping. Pump charging lines are connected to the main make-up pumps suction header. The purification bypass includes two letdown pumps with associated piping, taking suction from the make-up deaerator and connected to the RCS low pressure purification system. The letdown line with regulating valves connects the RCS through a regenerative heat exchanger to the make-up deaerator.

During normal operation controlled letdown steam is directed to the make-up deaerator. One make-up pump draws suction from the deaerator and discharges into the RCS cold leg piping through the regenerative heat exchanger. One demineralized water pump provides clean water make-up to the deaerator. Boric acid concentration is controlled periodically (once a shift) by providing clean water make-up into the RCS (to compensate long term reactivity changes due to fuel burnup). If required, highly concentrated boric acid may be supplied from the emergency boration subsystem tanks (to compensate larger uncontrolled leaks).

Emergency boration function during abnormal conditions may be provided by the operator, either from the make-up deaerator by the main make-up pumps or from high concentration boric acid tank to the main make-up pumps suction collector and then to the RCS.

The CVCS system may compensate uncontrolled operational leaks from the RCS up to 50 m3/h.

3.3.4. Primary circuit purification system

Water chemistry applied for primary coolant is based on ammonia-potassium chemical treatment. The required regime is maintained by the introduction of potassium hydroxide to increase the pH value and ammonia which decomposes under irradiation to form nitrogen and hydrogen. Excess hydrogen ensures a strong suppression of the coolant radiolysis process that is essential to maintain the oxygen concentration at the minimum level.

It was proved by WWER NPP operating experience that this water regime ensures high corrosion resistance of primary coolant system structural materials and low level of equipment contamination.

Special water purification systems are applied in the NPP in order to collect and decontaminate radioactive liquids and to solidify liquid radioactive wastes. They perform the following functions:

- recycling of purified water in NPP process systems,
- minimizing of the amount of radioactive wastes for final disposal,
- confining of main radionuclides (Cs-137 and Co-60) in a small volume of non-organic sorbent filters.

The purification system serving the reactor coolant system (RCS) includes the following subsystems:

- purification of RCS blow-down water (SWP-1),
- purification of RCS drain water (SWP-2),
- purification of RCS leak and drain water (SWP-3),
- purification of cooling pond and ECCS tank water (SWP-4),
- purification of boric concentrate (SWP-6).

Blow-down water purification system (SWP-1) is used for purification of primary circuit coolant from structural material corrosion products, nuclear fission products, and impurities that penetrate with make-up solutions and "clean" condensate.

The system is composed of two independent trains with capacity 20-25 t each.

One of the trains containing the mixed action filter is operated during the base load of the unit. It collects primary coolant from cold legs 1, 2, 6. The other train containing individual anion and cation filters is put into operation if it is necessary to correct water chemistry and to remove radiochemical impurities. It collects the coolant from loops 3, 4, 5. Simultaneous operation of both trains is also possible.

The technological scheme of the two trains of SWP-1 is similar. The coolant collected from the cold legs is supplied to the header through the regeneration heat exchanger and additional cooler to the ion exchanger and to the material filter trap. Then it is returned through the heat exchanger to RCP intake in the RCS. The system is designed for 18 MPa pressure, the operational temperature of ion exchangers is 50°C.

Drain water purification system (SWP-2) is designed to remove from the primary coolant the material corrosion products and the nuclear fission products. It also maintains water chemistry during both normal operation and boron control modes. The system consists of H-cation filter, OH-anion filter and filter material trap. The design pressure of the system is 1.0 MPa, the operating temperature of the ion exchangers is 50°C.

The primary coolant is supplied by a coolant removal pump to one of the filters and returned to the intake of make-up pumps. During boron control mode the coolant is purified in cation and anion filters and is supplied to "dirty" condensate tanks.

Leak and drainage water purification system (SWP-3) is designed to perform separate treatment of leak water and boron containing water produced during the boron control mode as well as during reactor cooldown and refuelling conditions.

Evaporated salt concentrate produced during the treatment of leak water is transferred to liquid waste storage, and distillate is re-used for primary system make-up and auxiliary purposes.

Boric concentrate and "clean" distillate produced during the treatment of boron containing water are both re-used in RCS.

The system is composed of several parts: sewage collection, boron water collection, filtration and collection of leak water, solution evaporation, steam condensation and degassing, and final purification of distillate.

Leakages and washing water are collected in leak water sumps, serving two units. From the sumps the water is pumped into hydroelevators and then distributed to leak water filters for purification from mechanical impurities. After the filtration the leak is collected in leak water tanks (volume capacity 250 m3). From the tanks leak water is supplied by pumps to the evaporator.

Boron containing water and primary coolant from boron control operations as well as startup and shutdown of reactor are collected in "dirty" condensate tanks (volume capacity 636 and 534 m3). From the tanks the condensate is directed by dirty condensate pumps to the evaporator. The same pumps may be used to pump the primary coolant for purification in SWP-2 subsystem. "Dirty" condensate subsystems serve two units.

There are two interchangeable evaporators for treating boron containing water and leak water. The evaporator of a capacity of 7 t/h operates at 0.25 MPa (in a heating chamber).

The leak water is evaporated to a salt concentration of 60 g/l. The solution is distributed under gravity from the bottom part of the evaporator to an additional evaporator, where it is concentrated to 200 g/l (still residue). The secondary steam is returned to the main evaporator and the still residue is pneumatically transported to the still residue tank in the liquid radioactive waste storage.

The boron containing water is concentrated in the evaporator to 40-50 g/l and is distributed under gravity to the boric acid sump tank of SWP-6 subsystem for further purification and recycling in RCS.

The secondary steam from the evaporator is condensed in the condenser-degasser. This condensate is pumped out through filters to remove oil.

Some condensate is returned to the evaporator to wash down the secondary steam. Non-condensed steam and gaseous impurities from the condenser-degasser are supplied to the relief device. The gases are subjected to special gas purification and the condensate is supplied to condenser degasser.

After filtering the oil-free condensate is cooled in the condensate cooler, passes through ion exchange filters and filter material trap, and is collected in check tanks (volume capacity 70 m3). After radiochemical analysis the condensate is supplied by pump to the "clean" condensate tanks for re-use in RCS. In case of low quality the condensate may be returned to leak water tank for another treatment.

Cooling pond and ECCS tank water purification system (SWP-4) is designed for purification of boron containing water used in the pond, ECCS tanks and bubble condenser. The system is intended to remove structural material corrosion products, chemical and radiochemical impurities both during normal operation (maintaining required water chemistry) and after accident (preventing environmental radioactivity release). The system includes two interchangeable trains and serves two units. During normal operational conditions the system is connected periodically.

The boric acid solution from ECCS tanks, the cooling pond and the bubble condenser is supplied by corresponding pumps to the SWP-4 where it is treated at the mechanical, H-cation, OH-anion filters and is returned through the trap to tanks, pond and bubble condenser, respectively.

If the required purity standards are not fulfilled at SWP-4, the solution may be drained to "dirty" condensate tanks for treatment in the evaporator.

Boric concentrate purification system (SWP-6) is designed for purification of boric concentrate which is produced as a result of the treatment of boron containing water and drain water from the RCS to be re-used in the NPP cycle. The system consists of cooler, sump tanks, pumps and ion filters.

Boric concentrate supplied from the evaporator is cooled in the cooler and collected in the sump tank (volume capacity 8 m3). From the tank the concentrate is pumped to ion exchange filters. An additional meter-pump is used for recirculation of the concentrate through the boron meter.

Cation and anion filters are designed to operate at 1.0 MPa and 50°C. Filtered concentrate after having passed the filter material trap is supplied to the boric concentrate tanks.

During normal system operation, the boric acid concentration is controlled automatically by changing the flow rate of concentrate supplied from the evaporator.

All ion filters used in the purification systems are periodically serviced to restore the exchange capacity of filter material. The restoration process includes: agitation, regeneration, post-regeneration washing, hydro-discharge of spent resin, and hydro-loading of fresh resin. For restoration the filters are disconnected from the main flow line.

Structural materials used in the purification systems are selected with respect to system operational parameters, water chemistry, environmental parameters and external loads.

Stainless steel 08H18N10T is applied for all valves and piping and for the majority of the equipment (in SWP-1, SWP-3, SWP-6). Acid resistant steel 10H18N9T is the main structural material for equipment in SWP-2 and SWP-4 subsystems.

3.3.5. Primary pressure control system

The primary pressure control system (PPCS) is part of the reactor coolant system (RCS). The system also plays an important role in accident conditions.

During normal operation the pressurizer establishes and maintains the RCS pressure within prescribed limits and provides a steam surge chamber and a water reserve to accommodate changes in the density of the reactor coolant. Level instrumentation on the pressurizer monitors RCS volume to determine make-up and let-down requirements.

Under abnormal conditions the pressurizer performs two additional functions. The relief valve and safety relief valves on the pressurizer are the only means of external pressure relief for the RCS. Also, the system can be used together with high pressure injection system to remove heat from the RCS when heat removal through the secondary system is not available.

The PPCS consists of the pressurizer equipped with pressure relief valves, pressure relief sprays, coolant heaters, as well as coolant-level instrumentation.

The schematic diagram of PPCS is provided in Fig. 16. The pressurizer is a vertical cylindrical vessel connected to the hot leg of RCS (loop 1). The pressurizer contains removable electric heaters in its lower section and a water spray nozzle in its upper section.

Spray flow and heaters are controlled by the pressure controller. The pressurizer water level is controlled by the level controller. Pressure is automatically maintained by the use of pressurizer heaters and sprays. The water level is automatically controlled by the RCS make-up and let-down functions. The pressurizer spray relies on the driving force produced by running MCPs. Pressure control is disabled after MCPs are switched off.

The pressurizer spray line (108 mm D) originates at the cold leg of RCS between reactor vessel nozzle and isolating valve (loop 1). Pressurizer spray flow is controlled by the set of motor operated valves. There are 4 parallel lines, each equipped with 3 valves in series. By-pass lines for each spray valve and an additional by-pass line for the whole spray valve set (with regulating valve) are provided to allow for continuous water flow through the pressurizer and its piping.

The pressurizer heaters compensate heat lost during normal steady-state operation, raise the pressure to normal operating level during RCS heat-up from cooled-down conditions, and restore system pressure after transients. The heaters are grouped in five banks and are controlled by the pressure controller (on-off control).

The pressurizer is connected to the relief tank through two piping lines. One of them is used for nitrogen release during plant startup; it also plays a supporting function of pressure relief under accident conditions. The other is equipped with two pilot operated safety relief valves (PORV). Each PORV is controlled by the opening or closing of two pilot valves in response to the pressure setpoints.

During normal operation the pressurizer maintains RCS pressure using pressurizer sprays and heaters.

During abnormal conditions the pressurizer provides pressure relief. Demands for primary relief can arise from inadvertent actuation of pressurizer heaters, loss of primary-to-secondary cooling or some undercooling situation. The set-points for opening and reclosing for one of the PORVs are slightly lower than those for the other.

On loss of primary-to-secondary heat transfer, RCS heat removal can be accomplished by manually holding the PORV control switch open while maintaining inventory with high pressure injection system (feed and bleed operation). This method of HPI cooling is necessary for accidents initiated by SB LOCA or transients if secondary cooling is lost.

[Figure labels: PSRV, pilot valve, PRZ spray line, make-up.]

FIG. 16. Schematic diagram of primary pressure control system (PPCS).

3.3.6. Power conversion system

The power conversion system is a normal operational system designed to transport the heat from the steam generators to the turbines, where thermal energy is converted to mechanical energy. The steam expanded in the turbine is condensed before being pumped through a series of feedwater heaters, demineralizers and deaerators and returned to the steam generators.

The system is also used for heat removal through the steam generators during normal plant cooling-down and in post-accident conditions.

The system is composed of three main subsystems: main steam subsystem, main condensate subsystem and feedwater subsystem.

[Figure labels: SG-1, BRU-A, BRU-K, reheat steam.]

FIG. 17. Simplified diagram of main steam system of WWER-440 NPP.

The steam produced in six steam generators (SGs) is distributed through the individual SG piping lines to the main steam collector (see Fig. 17). The air operated fast-acting valve and the main steam valve are installed on each SG line for isolation of individual SGs. Each SG is protected by 2 safety valves connected to an SG piping line at the isolable section.

From the main steam collector the steam is distributed to two turbines. Each turbine is supplied steam by two main steam lines equipped with throttle valve and block valves. The main steam collector can be separated into two symmetrical parts by the fast-acting air operated valves, which are normally open.

There are several connections from the main steam headers to various steam dump facilities - atmospheric steam dump stations (BRU-A), turbine by-pass valves (BRU-K), and steam process condenser dump stations (BRU-TK). The latter facilities are part of the secondary decay heat removal system (SDHR) described in Section 3.3.7 of this report. Brief information concerning other steam dump facilities installed in the secondary circuit is provided in Section 3.3.12.

The steam flow to the turbines is split into two streams, with the majority going to the high pressure section of the turbine. The remainder goes to the reheaters. In the high pressure section of the turbine there are several bleeds to the high-pressure feedwater heaters. After exiting the high pressure section, the steam is reheated before entering the low pressure turbines. Low pressure sections have bleeds for the low pressure heaters.

The coolant from the condenser is pumped to a series of low-pressure feedwater heaters and demineralizers, before entering the deaerators.

There are two main condensate trains with identical structure for the two turbines of the unit. Each condensate train contains two condensers, three main condensate pumps, condensate demineralizer and five LP preheaters.

Air ejectors maintain the vacuum in the condensers. The ejectors are supplied with steam (0.5 or 0.7 MPa) from pressure reduction stations connected to the main steam collector. The level in the condenser sump is maintained by two control valves.

The condensate from the sump is collected through the common suction line by the condensate pumps and directed to the demineralizer. After exiting the demineralizer it enters the cooler of the steam ejector and the condenser of the sealing steam and through the LP preheaters it is directed to deaerator feedwater tanks.

The main feedwater (MFW) system consists of two deaerators, five feedwater pumps, six HP preheaters and associated piping with isolation and regulation valves. Feedwater pumps take suction from the deaerator tanks through a common header. The feedwater is pumped to a common head line, which is split into two trains, each containing three preheaters. Both trains are connected to a common feedwater collector. From this collector the feedwater is distributed to individual steam generators.

Two auxiliary feedwater trains are connected to the same feedwater collector (see Fig. 18). Auxiliary feedwater pumps are used during the startup or shutdown of the plant, as well as in emergency conditions. Auxiliary feedwater and emergency feedwater systems are presented in Section 3.3.11.

3.3.7. Secondary decay heat removal system

The secondary decay heat removal system (SDHRS) is designed for normal cooldown of the plant, but is also a recommended means of system cooling down in post-accident conditions.

The SDHRS (Fig. 19) is composed of two redundant trains. Each train consists of a steam dump valve (BRU-TK), process condenser (PC) and piping with associated valves. Each train is connected to the deaerator or to the low pressure SDHR subsystem.

Steam dump valves BRU-TK are similar to BRU-A. The rated capacity of these valves is approximately 65 t/h (steam flow at 4.6 MPa). Two safety relief valves are installed on the steam line between the SD valve and the PC for condenser protection.


MFW - Main feedwater system
EFW - Emergency feedwater system
AFW - Auxiliary feedwater system
SDHR - Secondary decay heat removal system
RSA - Steam dump valve (BRU-A)
TG - Turbogenerator

FIG. 18. Simplified schematic of secondary cooling systems.

The condenser pressure is maintained within specified limits. The process condenser is cooled by the service water system. The condensate is directed to the deaerator forced by the pressure difference. Additional isolation valves on PC inlet lines and cross-flow pipe connection are provided to allow the use of equipment from the other train in case of equipment inoperability.

Control valves installed on PC outlet lines are used for controlling the water level in process condensers (valve opening and closing signal is provided by the level controller).

The SDHRS operates in feed and bleed operational mode until the primary system temperature of 140-150°C is reached. Then the whole secondary system is filled up with water and low pressure SDHR pumps are used to direct the condensate to SG inlet header.

[Figure labels: steam dump station, process condenser, deaerator.]

FIG. 19. Simplified diagram of secondary decay heat removal system (SDHR).

3.3.8. Plant control system

Several plant features, specific to WWER-440, provide the key basis for the nuclear steam supply system. They include the use of constant primary coolant flow rates, horizontal steam generators and a saturated steam cycle. For this design, as the power increases, the temperature difference between the primary and secondary coolant must increase to allow the increased heat transfer.

The WWER-440 does not have any flow control capabilities; however, if the power level is to be reduced for a significant period of time, one or more loops may be turned off and isolated. This approach is not recommended due to pressure control problems in the main steam system.

Requirements of the plant control system are determined by these design features, by the neutronic and physical characteristics of the core and the technical limitations of the fuel and nuclear steam supply system components.

The basic control strategy used to provide the proper balance between the primary coolant and secondary coolant systems, as implemented in the control system, relies on maintaining constant secondary pressure. The plant controller is also capable of maintaining constant neutron power.

Two main control loops are used for maintaining the neutron flux within acceptable limits and ensuring thermal balance between the primary and secondary circuits: reactor power controller and turbine controller.

The reactor power controller relies on secondary steam pressure and neutron flux signals. The signal from reactor flux monitor controls the position of control rods only when there is a rapid change in the neutron flux. Under steady state full power operation the controller responds primarily to changes of secondary pressure.

Turbine controller operation is based upon the integrated signal that compares the turbine generator limiting output, as determined from the status of heat transport system, to the actual output of the turbogenerator. This signal controls the turbine valve drive system by adjusting turbine synchronizer. In addition, the turbine controller can limit turbine power based upon manual input, pressure in turbine control stage, process safety parameters and other parameters.

Additional plant controllers are used to control the pressurizer (water level controlling and pressure controlling) and the steam generators (water level controlling).

In addition to the main control loops mentioned above, a certain number of signals are generated, which are based on different limitations with regard to primary pressure, boiling limit, recriticality limit, thermal shock limit, power limit as a function of running RCPs, etc.

Plant instrumentation devices and circuitry are provided in the plant to deliver to the control system appropriate data describing plant operating conditions. This system also performs monitoring functions, providing information on plant process variables, reactor power balances, core power maps, degree of xenon and samarium poisoning, etc.

For neutron flux monitoring ex-vessel neutron flux detectors are used. These detectors depend on the operating range. For power range six detectors (combined in 2 of 3 logic) are located in the reactor core shield. The intermediate and source range detectors are located in the ionization chamber channels of the biological shield of the reactor shaft. There are 24 ionization chamber channels, combined for 2 out of 3 voting logic. All of them are dedicated to control function, and their signals are multiplied to be used for protection system functions.

In addition to ex-core flux monitoring devices, in-core neutron detectors are located in 36 radiallydistributed lances, each containing a string with detectors at seven axial positions. This accounts for a totalof 252 detectors in the core. The in-core detectors are rhodium self-powered.

Primary coolant temperatures, both in the cold and hot legs, are monitored using platinum resistance-thermometer devices (RTD). There are 36 thermocouples; three of them are associated with each of thesix hot legs and three with each of cold legs. The measurements are used for both control and protectionsystems.

A large number of core exit thermocouples are used to monitor the radial power distribution (for powershape optimization). They are located just above individual fuel assemblies. 210 out of 349 assemblies aremonitored in this way. Miniature thermocouples (chromel-alumel type) are used for this purpose.

Primary coolant pressure measurements are used both by the control and protection systems. Thereare pressure sensors, located at the core inlet, core outlet and the outlet of each circulating pump.

Turbine rotational speed is measured and used by the turbine synchronizing unit for power control, asare the network frequency and turbogenerator electrical output. For general control of the plant thefollowing parameters are also monitored: steam generator water levels, pressure and water level in thepressurizer, pressure and level in deaerators, condenser water level, feedwater heater water levels andfeedwater pump header pressure.

3.3.9. Protection system

The protection system (originally called emergency protection system by the Soviet designers) monitors the reactor, the reactor coolant system and other safety related plant systems. Under abnormal conditions of any one or a combination of various parameters, it provides appropriate signals associated with the protective functions. The system is designed to prevent plant parameters or conditions from exceeding their safe operational limits in order to avoid both unacceptable plant damage and unacceptable release of radioactive materials.

Two main parts of this system are often distinguished: the system that protects the reactor (reactor protection system {AZ}) and the system that initiates and controls the other safety related plant systems (sometimes called engineered safeguards actuation system).

The emergency protection system is the last step of the automatic control of the equipment and it operates when all other systems (automatic regulators, automatic actuation of the reserve system, interlocks) have failed to maintain process parameters within the required limits.

The corresponding functions are performed according to the following priorities:

- protective actions,
- personnel actions,
- actions of automatic regulators and discrete control devices.

The protection system monitors the following parameters:

- period in source, intermediate and power range,
- neutron flux in intermediate and power range,
- core exit pressure,
- coolant temperature at core exit,
- pressure drop in the reactor loop,
- pressure drop in the reactor core,
- water level in the pressurizer,
- water level in operating steam generators,
- pressure drop in the main steam header,
- position of turbine stop valves,
- power supply to main circulation pumps,
- pressure in the reactor building compartments.

At low power levels the main factors that scram the reactor are the deviations in flux and period, while at high power levels the thermal hydraulic signals and the signals indicating failure of steam and electrical systems are used.

The RPS scrams the reactor only in response to the most serious emergencies; in other cases power is simply reduced. Depending on the degree of hazard represented by the emergency signal, the reactor protection system performs its protective functions with four levels of response (AZ-1 to AZ-4).

In the case of the maximum response (reactor protection called AZ-1), all the safety and control rod assemblies are inserted into the core with maximum speed (0.2 - 0.3 m/s) for fast, complete, non-reversible shutdown of the reactor. The AZ-1 protection signal is associated with some additional signals/interlocks controlling some safety related plant components.

For AZ-2, the controlled scram, the safety and control rods are inserted into the core in individual groups with maximum speed. If the warning signal stops, the rod insertion ceases and no further reduction in reactivity takes place.


The AZ-3 signal initiates a downward movement of groups of absorber rods (at a normal rate of 0.02 m/s) until the signal disappears.

The AZ-4 signal simply inhibits safety and control rods withdrawal from the core, so as not to permit a further increase in reactor power.

More detailed information on RPS protection signals is provided in Table III.

TABLE III. REACTOR PROTECTION SYSTEM SIGNALS (UNDER NORMAL POWER OPERATION)

1. List of signals of emergency protection of type 1 (AZ-1)

| No. | Signal description | Parameter value | Signal purpose |
|---|---|---|---|
| 1 | Increase in reactor neutron power in energy range, % of nominal | 100 ± 2 | Reactor shutdown at unforeseen power increase due to uncontrolled withdrawal of control rod or failures in the boron control system. Requirement of PBYa-04-74*, Item 3.3.26 |
| 2 | Decrease in reactor period in measurement ranges: source, s; intermediate, s; energy, s | 10 ± 29 %; 10 ± 29 %; 10 ± 29 % | Reactor shutdown at unforeseen increase in thermal neutron flux. Requirement of PBYa-04-74*, Item 3.3.26 |
| 3 | Decreased level in the pressurizer (mm) and decreased pressure at the reactor core outlet, MPa | 3260 ± 150 (from the bottom); 11.0 ± 0.05 | Reactor shut down due to changes in primary circuit coolant volume (medium & small leaks, operational occurrences, automatic systems failures) |
| 4 | Pressure increase at the reactor core outlet, MPa | 9.5 ± 0.05 | Reactor shutdown at large leaks, operational occurrences, automatic regulator failures |
| 5 | Pressure increase in the steam generator compartment, MPa | 1.1 ± 0.1 | Reactor shutdown at increased pressure in the leak tight compartments due to large leaks in the primary circuit, breaks of secondary circuit steam pipes |
| 6 | Increased pressure drop at the reactor: with 6 RCP in operation, MPa; with 5 (or less) RCP in operation, MPa | 0.375 ± 0.01; 0.28 ± 0.01 | Reactor shutdown due to increased hydraulic resistance of the reactor core. Protection of in-vessel structures |

Comments (column 5; row assignment not preserved in this text): Holding for 15 s.

* PBYa-04-74 Nuclear safety regulations, Atomizdat, 1977.


TABLE III (cont.)

1. List of signals of emergency protection of type 1 (AZ-1) (cont.)

| No. | Signal description | Parameter value | Signal purpose |
|---|---|---|---|
| 7 | Decreased level in any two operating steam generators (compared to nominal), mm | 450 ± 10 | Reactor shutdown at degraded heat removal from the secondary |
| 8 | Closing of 2 out of 4 stop valves of the last operating turbine | | Reactor shutdown to protect the main steam header against pressure increase |
| 9 | Increased rate of pressure drop in any half of the main steam header (at primary circuit temperature of at least 150°C), MPa | 0.09 ± 0.01 | Reactor shutdown at rapid pressure decrease in steam pipe due to leaks or operational occurrences |
| 10 | Loss of power supply to 4 and more RCPs out of 6 operating pumps | | Reactor shutdown at rapid reduction of reactor core coolant flow rate |
| 11 | Loss of 220 V voltage in control & safety panel or emergency protection panel | | Reactor shutdown due to a defect in control and protection system. Requirement of PBYa-04-74, Items 3.3.11 and 3.3.26 |
| 12 | Loss of power in two out of four channels in one out of two sets | | Protection system actuation based on two sensor signals out of three. Requirement of PBYa-04-74, Items 3.3.23 and 3.3.26 |
| 13 | Loss of voltage to sensors in control rod position indicators with the signal AZ | | Reactor shutdown due to loss of design function of control and protection system |
| 14 | Earthquake signal: points; acceleration, m/s | 4.5 ± 0.5; 0.5 ± 0.1 | Reactor shutdown due to violation of design limits of equipment operation under earthquake conditions |
| 15 | Pressing AZ-1 button in main or stand-by control panel | | Requirement of PBYa-04-74, Item 3.3.26 |

Comments (column 5; row assignment not preserved in this text): Holding for 5 s; Holding for 3 s; Signal is site-specific.


TABLE III. (cont.)

2. List of signals of emergency protection of type 2 (AZ-2)

| No. | Signal description | Parameter value | Signal purpose |
|---|---|---|---|
| 1 | Increase in reactor neutron power level to warning setpoint in DE, DP, DI*, % | 105 ± 2 | Reduction of reactor power in case of its unforeseen increase |
| 2 | Reduction in reactor period to warning setpoint in DE, DP, DI, s | 20 ± 20 % | Reduction of reactor power in case of unforeseen changes in thermal neutron flux |
| 3 | Pressure increase in reactor upper plenum, MPa | 14.0 ± 0.05 | Reduction of reactor power in case of unforeseen pressure increasing transient |
| 4 | Reduced pressure at reactor core outlet, MPa | 11.5 ± 0.05 | Reduction of reactor power in case of unforeseen pressure decrease due to leaks or automatic system failures |
| 5 | Increased coolant temperature at the reactor outlet (in two loops out of six), °C | 310 ± 1 | Reduction of reactor power in case of unforeseen faults affecting thermal performance of the reactor core |
| 6 | Loss of power to reactor in two channels out of three in one out of two sets of AZ | | Reduction of reactor power based on the signal of two sensors out of three |
| 7 | Pressing AZ-2 button | | Manual reduction of reactor power in response to failures in automatic systems or in case of emergency situations |

Comments (column 5; row assignment not preserved in this text): Transfer from AZ-3 in 10 s; Transfer from AZ-3 in 10 s; Transfer from AZ-3 in 20 s.

* DE - power range (3-110 % of nominal), DP - intermediate power range (10^-5 - 10 % of nominal), DI - source range (10^-10 - 10"% of nominal).


TABLE III. (cont.)

3. List of signals of emergency protection of type 3 (AZ-3)

| No. | Signal description | Parameter value | Signal purpose |
|---|---|---|---|
| 1 | Increase in reactor power to warning setpoint in DE, DP, DI, % | 105 ± 2 | Reduction of reactor power in case of its increase and failure of automatic power regulator |
| 2 | Reduction in reactor period to warning setpoint in DE, DP, DI, s | 20 ± 20 % | Similar to AZ-2 |
| 3 | Pressure increase in reactor upper plenum, MPa | 14.0 ± 0.05 | Reduction of reactor power in case of pressure regulator failure or its inefficient operation |
| 4 | Increased coolant temperature at the reactor outlet (in two loops out of six), °C | 310 ± 1 | Reduction of reactor power in case of unsatisfactory operation of the reactor power limitation device |
| 5 | Closing of two stop valves out of 4 in one of two operating turbines (with ARM not operating) | | Reduction of reactor power in case of unforeseen power reduction of the turbine unit |
| 6 | Increased water level in any two operating steam generators, related to nominal, mm | 200 ± 10 | Reduction of reactor power due to degraded heat removal in steam generator |
| 7 | Loss of power to reactor in two channels out of three in one out of two sets of AZ | | Similar to AZ-2 |
| 8 | Main circulation pump switched off | | Reduction of reactor power to the level corresponding to the number of operating MCP in case of ROM failure |
| 9 | Pressing AZ-3 button | | Similar to AZ-2 |

Comments (column 5; row assignment not preserved in this text): Transfer to AZ-2 in 10 s; Transfer to AZ-2 in 20 s; Transfer to AZ-2 in 20 s; Transfer to AZ-2 in 20 s; Signal action time is 20 s.


TABLE III. (cont.)

4. List of signals of emergency protection of type 4 (AZ-4)

| No. | Signal description | Parameter value | Signal purpose |
|---|---|---|---|
| 1 | Pressure increase in reactor upper plenum, MPa | 13.5 ± 0.05 | Limitation of reactor power increase due to deviation from normal operating mode |
| 2 | Increased coolant temperature at the reactor outlet (in two loops out of six), °C | 305 ± 1 | Limitation of reactor power increase due to deviation from normal operating mode |
| 3 | Falling down of at least one control rod to bottom limit switch | | Limitation of reactor power increase to avoid excess power level density due to non-uniform power distribution |
| 4 | Loss of power to reactor instrumentation in two channels out of three in one out of two sets of AZ-4 | | Similar to AZ-3 |
| 5 | Pressing AZ-4 button | | Similar to AZ-3 |

Comments (column 5; row assignment not preserved in this text): Holding for 1.5 s.

The engineered safeguards actuation system (ESAS) monitors parameters associated with major plant accidents and initiates/controls operation of the proper safety systems. The system interfaces with individual component circuitry in various safety related systems or staggered loading circuitry. The latter subsystem performs sequential startup of large, safety related components fed from essential power supply, in order to protect diesel generators against overloading.

The following vital safety related systems are dependent on ESAS: emergency core cooling system, reactor building spray system, emergency/auxiliary feedwater system and ECCS compartment cooling system.

In addition to the above mentioned safety related systems the protection system provides protection/interlock signals to some relevant plant equipment such as turbines, main circulating pumps, pressurizer, certain isolation valves in primary and secondary systems, etc.

The protection system is designed according to general requirements mentioned in Section 2.7.1, such as redundancy, independence and physical separation, fail-safe concept, testability and monitoring capability from the control room.

The signal generating circuitry is composed of redundant instrumentation channels, which monitor safety related parameters in specific plant systems, perform signal conditioning/logic processing and provide trip or actuation commands to the control rod drives, the individual component control circuits or to the programmed startup circuitry.

The signal generation instrumentation consists of two independent subsystems, providing two redundant trip/actuation signals to each of the three safety system trains. Each of these subsystems is designed with three channels and 2/3 voting logic (except channels associated with primary circuit loops based on 2/6 logic). System instrumentation includes input instrumentation channels (containing sensors, comparators and bistable elements), signal splitters, trip generators, trip distributors and in some cases combinational logic (combining signals from several input modules, monitoring various plant parameters).

Each parameter for which a signal is provided in the reactor protection system is represented by signals from three self-contained sensors. Each sensor signal enters the signal splitter network by way of a comparator and relay that breaks a contact in response to an emergency level of the sensor parameter (neutron density, coolant temperature, etc.). Where several trip points involving the same parameters are used, a relay input for each is supplied. Each of these relays controls a small AC circuit, whose output is divided by transformers in a signal separator block into three circuits necessary for the three channels of the trip generator. The number of separation blocks in each channel of the signal splitter corresponds to the number of input parameter settings. In the trip generator, a trip signal for each of the four levels of emergency response is formed (AZ-1 to AZ-4) in reaction to three signals transmitted from each of the matching level signal splitters, using the 2/3 voting logic. The output circuits of the trip generators are electrically isolated from the input circuits, from the power circuits and from each other.

Output voltages from the trip generators are fed to the trip distributors that provide controlling signals for actuating elements of the RPS. Output duplicators are used for transmission of identical but independent emergency signals to control other plant systems (engineered safeguards actuation system).

Devices and relays of the first set of the protection system are located in the main control panel and those of the second set in the stand-by control panel. Protection relay panels of the main control room and stand-by control room are identical.

All protection relays operate by disconnection. Normally, relay coils are under voltage, thus enabling simultaneous monitoring of relays and associated cables. A relay failure (coil open circuit) or loss-of-current results in a faulty actuation.

Each of the three channels in the "two-out-of-three" set is supplied with power from a different bus. Output protection relays of each set are powered from two lines connected through isolating diodes in order to minimize the possibility of power supply interruption.

Output protection relay coils operate at 110 V. They are connected to the 220 V direct current network through additional resistors. With such a connection a short circuit in the coil of any relay does not affect the operation of other relays.

All relays that generate process signals for the emergency protection circuit are duplicated and their contacts are connected in parallel. The actuation of the protection system will occur only with simultaneous disconnection of relays in at least one protection set. This approach was chosen based on the assumption that the most probable failure during long term operation is an open circuit in a relay coil. The duplication prevents a faulty signal in case of failure of one relay.

The relays in the signal splitter are connected through the device fuses, thus monitoring the device and preparing the channel for protection actuation in case of the device failure.

Any protection actuation is accompanied by an audio and visual signal in the main control panel. For example, when any protection resulting in AZ-1 is actuated, two indicator boards will be activated in each emergency alarm set: "emergency protection of type 1".


The primary cause of protection actuation is simultaneously indicated using blinkers. When the protection is actuated, the flag appears only in the blinker associated with the primary cause of protection actions. The information on the protection actuation is also recorded by the plant computer.

Actuation of the protection system is irreversible. The system is put back into operation manually by the operating personnel after all causes of protection actuation are eliminated.
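
The voting and relay arrangement described above, modelled as an added Python example (not part of the IAEA report or of any plant software). It uses the upper-plenum pressure setpoints for AZ-4 and AZ-3 from Table III; the class names, the sample readings and the use of one relay pair per channel for every trip level are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Upper-plenum pressure setpoints in MPa, taken from Table III on this page.
SETPOINTS_MPA = {"AZ-4": 13.5, "AZ-3": 14.0}
SEVERITY = ["AZ-4", "AZ-3", "AZ-2", "AZ-1"]  # mildest to most severe response


@dataclass
class Channel:
    """One instrumentation channel (hypothetical model, not plant software).

    Two duplicated relays have their contacts in parallel. A relay keeps its
    contact closed only while its coil is intact, the channel bus is powered
    and the comparator sees a normal value. The channel votes "trip" only when
    BOTH contacts are open, so one open-circuit coil cannot cause a trip.
    Simplification: the same relay pair is used for every trip level.
    """
    powered: bool = True
    coil_ok: List[bool] = field(default_factory=lambda: [True, True])

    def votes_trip(self, reading_mpa: float, setpoint_mpa: float) -> bool:
        comparator_normal = reading_mpa < setpoint_mpa
        contacts_closed = [ok and self.powered and comparator_normal
                           for ok in self.coil_ok]
        return not any(contacts_closed)


@dataclass
class ProtectionSet:
    """Three channels, each on its own bus, combined by 2-out-of-3 voting."""
    channels: List[Channel] = field(
        default_factory=lambda: [Channel() for _ in range(3)])

    def level(self, readings_mpa: List[float]) -> Optional[str]:
        """Most severe modelled AZ level demanded by at least 2 of 3 channels."""
        demanded = None
        for name in SEVERITY:
            if name not in SETPOINTS_MPA:
                continue
            votes = sum(ch.votes_trip(r, SETPOINTS_MPA[name])
                        for ch, r in zip(self.channels, readings_mpa))
            if votes >= 2:
                demanded = name
        return demanded


class ProtectionSystem:
    """Two independent sets; either set can actuate; the result is latched."""

    def __init__(self) -> None:
        self.sets = [ProtectionSet(), ProtectionSet()]
        self.latched: Optional[str] = None

    def scan(self, readings_per_set: List[List[float]]) -> Optional[str]:
        for pset, readings in zip(self.sets, readings_per_set):
            lvl = pset.level(readings)
            if lvl and (self.latched is None or
                        SEVERITY.index(lvl) > SEVERITY.index(self.latched)):
                self.latched = lvl
        return self.latched

    def manual_reset(self, readings_per_set: List[List[float]]) -> bool:
        """Operator reset, refused while any set still demands action."""
        if any(p.level(r) for p, r in zip(self.sets, readings_per_set)):
            return False
        self.latched = None
        return True


NORMAL = [12.3, 12.3, 12.3]  # constructed sample readings, MPa


def run_scenarios() -> dict:
    out = {}
    s = ProtectionSystem()
    out["normal"] = s.scan([NORMAL, NORMAL])
    out["one_sensor_high"] = s.scan([[14.2, 12.3, 12.3], NORMAL])
    s.sets[0].channels[0].coil_ok[0] = False          # one coil open-circuit
    out["one_coil_open"] = s.scan([NORMAL, NORMAL])
    out["two_sensors_13_7"] = s.scan([[13.7, 13.7, 12.3], NORMAL])
    out["latched_after_recovery"] = s.scan([NORMAL, NORMAL])
    out["reset_during_demand"] = s.manual_reset([[13.7, 13.7, 12.3], NORMAL])
    out["reset_after_recovery"] = s.manual_reset([NORMAL, NORMAL])

    p = ProtectionSystem()
    p.sets[1].channels[0].powered = False             # one bus lost
    out["one_bus_lost"] = p.scan([NORMAL, NORMAL])
    p.sets[1].channels[1].powered = False             # second bus lost
    out["two_buses_lost"] = p.scan([NORMAL, NORMAL])
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

In this model a single failed sensor, coil or bus never actuates the system on its own, while the loss of two buses in one set de-energizes two channels and demands the most severe level that is modelled.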

The actuation of each measurement channel and the "two-out-of-three" logic in each protection set may be tested using special testing devices and switches. The switches of the protection test allow checking only one protection set at a time.

During the test, output protection relays are shunted and the protection system operates as a one-train system.

The monitoring of output protection relay operability is provided in the protection relay panels.

The control panel provides information on actuation of one channel out of three in each protection set and displays error signals of reactor protection sensors for each protection type.

This signal system is made with the time hold-up necessary to prevent a signal due to actuation of devices and sensors at different times.

Protection signals based on process parameters may be inhibited (shunted) during plant heating up and cooling down, provided that all control assemblies are in their bottom switch positions. This shunting is disabled in case of loss-of-power to control rod drive position indicators.

3.3.10. Emergency core cooling system

3.3.10.1. Core flooding system

The core flooding system (CFS) provides core protection for intermediate and large RCS pipe failures. It is also an alternative means to supply an initial influx of coolant into the primary system for small break LOCAs, provided that the RCS system is depressurized by secondary side cooling systems. It automatically floods the core when the RCS pressure drops below 5.9 MPa. The CFS is independent, self-actuating and passive in nature. For performing its functions the system requires no external signal or power source to operate.

The CFS is composed of four identical and completely independent accumulator tanks and corresponding piping. The discharge pipe from each core flooding tank is attached directly to the reactor vessel core flooding nozzle. Two trains supply cooling water into the vessel lower plenum and the other two into the upper plenum (Fig. 20).

Each train includes one safety injection tank. The tank, with a total capacity of 70 m³, normally contains approximately 40 - 50 m³ of borated water (approximately 12 kg/m³ boric acid concentration) and is pressurized to 5.9 MPa.

The driving force to inject the stored borated water into the reactor vessel is supplied by pressurized nitrogen. Connections are provided for adding both borated water and nitrogen during power operation so that the proper level and pressure may be maintained. A simplified diagram of the CFS is shown in Fig. 21.


FIG. 20. Simplified diagram of the ECCS connections to the reactor vessel.

3.3.10.2. High pressure injection/recirculation system

The high pressure injection/recirculation system (HPS) is designed to operate for small LOCAs, when reactor coolant pressure has not been significantly reduced, to permit coolant discharge from the safety injection tanks. The HPS also makes provision for core cooling and for compensation of temperature reactivity effects during the accident initiated by secondary system piping failure.

Two modes of HPS operation are possible for model 213: an injection mode (HPI) and a recirculation mode (HPR). During the HPI phase the system delivers borated water from the borated water storage tanks (BWSTs) into the reactor vessel through the reactor coolant inlet lines. In the second phase the HPS pumps water from the reactor building emergency sump, supporting the low pressure injection/recirculation system (LPS) pumps.

The high pressure injection/recirculation system is composed of three identical and completely independent trains. The HPS discharge lines in model 213 are connected to the cold leg sections between the RCS loop isolation valves and the reactor vessel inlet nozzles.


FIG. 21. Simplified diagram of core flooding system (train 1 and train 2). [Diagram labels: ventilation system, nitrogen system, water make-up, reactor, SIT-1, SIT-2.]

Each of the three HPS trains is designed to provide coolant at the rate of 60-130 m³/h for the reactor pressure range from atmospheric to nominal. Maximum pressure head is approximately 13 MPa.

The train consists of the high head pump that draws suction from the borated water storage tank through the suction header and the piping line with associated valves. The tank normally contains 40 kg/m³ of boric acid solution and has a capacity of approximately 100 m³.

The pump charging line contains check valves and normally closed isolation valves.

The pump suction line is connected to the suction header which is common to the HPS, LPS and RBS. The electric MOV is installed on the suction header section between suction lines of the HPS and the LPS. A schematic diagram of the HPS is shown in Fig. 22.

The HPS is actuated automatically by the engineered safeguards actuation system (ESAS) in the event of a LOCA or secondary system piping failure.

On receiving a protection signal the HPS pumps are started and the isolation valves on the charging line are opened. The HPS pumps are also activated according to the programmed startup after successful diesel generator startup. Following the HPS pumps startup the service water pumps are activated.


FIG. 22. Simplified diagram of high pressure injection/recirculation system (HPS). [Diagram label: ECCS heat exchanger.]

The system injects highly borated water to the reactor vessel from the BWST until the whole tank supply is exhausted. On the low water level signal the HPS pumps start to inject water from the LPS tank (12 kg/m³ boric acid concentration), supporting the operation of the LPS pumps.

The HPS starts to operate in the recirculation mode from the sump when the LPS borated water storage tank is empty. This mode of operation is continued as long as required.

3.3.10.3. Low pressure injection/recirculation system

The low pressure injection/recirculation system (LPS) is designed to maintain core cooling in the second phase of a LOCA when the RCS depressurizes below 0.7 MPa. The coolant injection mode (LPI) begins when the core flooding tanks have exhausted their supply of cooling water after a LOCA. In this phase of operation the system pumps borated water from the borated water tanks into the RPV. In the second phase the system delivers water from the reactor building emergency sumps, permitting recirculation of the spilled reactor coolant and injection water from the sump. This phase of operation is known as the low pressure recirculation mode (LPR).

The low pressure injection/recirculation system (LPS) is composed of three identical and completely independent trains. Two trains of the LPS share common reactor vessel piping with the core flooding system. The third train is attached directly to one of the six primary coolant loops at the cold and hot leg sections between the RCS loop isolation valves and the reactor vessel nozzles (Fig. 20).


FIG. 23. Simplified diagram of low pressure injection/recirculation system (LPS). [Diagram labels: LP tank, recirculation line, HP pump, ECCS heat exchanger.]

Each of the three LPS trains is rated at 300 m³/h at pumping pressure below 0.4 MPa.

The LPS train is composed of the low head pump, the borated water tank, the heat exchanger and piping with their associated valves - the pump charging and suction lines, the suction header, the piping section connecting the tank to the suction header and the piping section connecting the suction header to the reactor building sump.

The pump charging line contains check valves and normally closed isolation valves. The check valves open when the RCS pressure drops below pump discharge pressure.

The suction header is connected to the BWST and to the reactor building sump. The first connection contains the MOV and the check valve. The heat exchanger and the MOV are installed on the line between the suction header and the sump. A schematic diagram of the LPS is shown in Fig. 23.

Each BWST normally contains 12 kg/m³ boron in solution and has a capacity of approximately 300 m³. Indicators for level and boron concentration are provided in the control room.

In the event of an accident the LPS is automatically actuated by ESAS.


FIG. 24. Simplified diagram of auxiliary feedwater system (AFW). [Diagram labels: demineralized water pump, demineralized water tank.]

When the borated water storage tank supply is exhausted, on the low level signal the suction valve from the reactor building emergency sump opens and the isolation valve on the line connecting the BWST to the suction header closes. At this moment the low pressure recirculation phase is initiated. This mode of operation is continued for long term heat removal, until the core is cool enough to be unloaded.

3.3.11. Emergency/auxiliary feedwater system

The emergency/auxiliary feedwater system is designed to provide an adequate supply of cooling water to the steam generators so that they can act as a heat sink for decay heat removal in the event of main feedwater system inoperability.

The system consists of two independent subsystems:

- The subsystem supplying feedwater from the deaerator tank (auxiliary feedwater system);
- The subsystem providing feedwater from the storage tanks (emergency feedwater system²).

The auxiliary feedwater system (AFS) provides feedwater from the deaerator tank to the main feedwater header distributing the water to individual SGs. Normally open MOVs are provided on the feedwater header for isolation of the odd and even numbered steam generators.

The auxiliary feedwater system (Fig. 24) consists of two identical trains. Each line is connected to the deaerator tank and discharges water to the appropriate part of the main header.

² The term "super-emergency feedwater system" is also used for this subsystem by some utilities.


Each train is composed of the motor driven pump and piping with their associated valves. The pumpsuction line usually contains an isolating valve and a manual valve. The pump charging line contains a checkvalve, a regulating valve, a normally closed isolating valve and a manual valve. The charging line has aminimum flow recirculation line to the deaerator tank for pump protection. The recirculation line isequipped with isolating MOV, check valve and manual valve. The deaerator inventory is made up fromcondensate tanks, using make-up pumps.

Auxiliary feedwater pump motors are fed from the essential power supply system (category 2). Bothpumps are started on low water level in two steam generators.

The piping line connecting the main feedwater header to individual steam generators (e.g. SG-1) isequipped with two check valves and normally open isolation MOV. This valve is automatically closed onhigh water level signal or in case of SG steam line rupture.

Two control valves are provided to control the FW supply. The main control valve ("large") is usedduring normal operation. The normally open isolation valve is closed automatically in case of mainfeedwaler pumps switch off (with interlock for opening), SG steam line rupture, or high FW level in the SG.

A "small" (startup) control valve is used during low operational power level, plant startup or plantcooldown. The isolating valve is closed automatically in case of FW flow rate increase (with interlock foropening), SG steam line rupture, or high FW level in the SG. This valve is designed to open automaticallyin case of AF pump startup, or low FW level in the SG.

The emergency feedwater system (EFS) provides feedwater from water storage tanks. The systemconsists of two independent trains. The EFS train is composed of an emergency feedwater pump and pipingwith their associated valves. Three EFS storage tanks, containing demineralized water supplied from theplant treated water system (1123 m3 each), are shared by two EFS trains. The same tanks supply the EFSof the other unit of the plant. A simplified schematic of the system is shown in Fig. 25.

The EFW motor driven pump is designed to provide water at the rate of 65 m3/h. Pump motors aresupplied with power from essential AC distribution system (category 2). Each train has an independentpower supply from a separate EPS train.

EFW pumps start to deliver water on low water level in at least two steam generators. Pumps startoperation on recirculation lines. Normally closed isolating valves on SG feedwater lines open on low-lowSG level. Regulating valves are used for feedwater flow control at a rate of 45-65 t/h. In addition eachsteam line is provided with two check valves and a normally open isolation valve. This isolation valve isautomatically closed in case of SG steam line rupture.

33.12. Secondary side pressure control system

The secondary pressure control system (SPCS) is designed to control the secondary side pressure duringaccident conditions. SPCS protects the secondary circuit against overpressure and provides means to removedecay heat by boiling off the feedwater from the SGs during various post-accident conditions, including lossof power, feedwater system malfunctions, main steam line break and small LOCA.

The system consists of safety relief valves (SRVs) and atmospheric steam dump stations (BRU-A). There are two SRVs installed on the piping line connecting each SG with the SDHR steam header. The number of atmospheric steam dump stations differs depending on plant design. In some plants each SG is equipped with a single BRU-A, in other designs there are two BRU-As connected to a common steam header.


FIG. 25. Simplified diagram of emergency feedwater system (EFW). Labels: SGs - unit 1, SGs - unit 2, EF pump, recirculation line, demineralized water storage tanks, DEMI water supply.

The steam relief valves are set to relieve steam at varying set points: for one valve the set points for opening and closing are slightly lower than those for the other. Full capacity of each valve is approximately 150 t/h (at 6.0 MPa).

Steam dump valves (BRU-A) open and close automatically at prescribed system pressure values. The valve operator and valve regulator are supplied with power from the essential power supply system - category 1. The capacity of each BRU-A is approximately 200 t/h (at 5.4 MPa). Steam dump valves can operate automatically, holding the pressure at the required level (in the pressure range 4.8 - 5.2 MPa). Below a specified lower limit for pressure the BRU-As are controlled manually by the operator.

In addition to the steam dump facilities mentioned above, each steam line to the turbine is equipped with two turbine steam by-pass valves (BRU-K) that relieve steam to the turbine condenser. Operation of this subsystem is limited to normal operating conditions (condenser cooling depends on non-essential power supply).

The steam header is separated into two parts by means of isolation MOVs, each connected to a separate train of the secondary decay heat removal system that relieves steam to the process condenser.


3.3.13. Containment system

The WWER-440 model 213 containment system (originally termed accident localization system) is intended to prevent the escape of steam and fission products and to facilitate steam condensation, thereby reducing the pressure after the break of any single primary system pipeline, including the double-ended rupture of 500 mm inner diameter pipes.

The containment system is composed of:

- reinforced concrete accident localization structure, providing confinement function of the system;
- bubbler condenser, providing passive pressure-suppression function;
- water droplet spray system, providing active pressure-suppression function and radioactivity removal function (addressed in this report as reactor building spray system).

3.3.13.1. Containment structure

The accident localization compartments include a sealed set of interconnected compartments surrounding selected primary system components (steam generators, inlet and outlet piping, pumps, isolation valves and the major portion of the reactor vessel) and additional compartments containing the bubbler condenser.

Compartments housing technological systems constitute a part of the reactor building. Bubbler condenser rooms are located in an additional building (bubbler condenser tower), connected to the reactor building by a rectangular tunnel.

The reinforced concrete walls of the WWER-440/213 are approximately 1.5 m thick (compared with 1.0 to 1.2 m thickness for the 230 model). All walls and roofs of the localization compartments have internal steel lining. Reinforced concrete structures, the airtight entrance doors and penetrations are designed for the 0.15 MPa overpressure.

3.3.13.2. Reactor building pressure suppression system

The bubbler condenser comprises twelve levels of water filled trays. Each level contains 163 trays. The trays hold borated water with the concentration 12 g/l. Total water inventory inside the bubbler condenser amounts to 1250 m³. Outer surfaces of adjacent trays form vertical weirs that are capped by downward facing troughs submerged in water. The inside walls of the trays and troughs form water-filled vertical channels, approximately 50 cm long.

The steam discharged from the break during a LOCA is distributed to each level of suppression trays through the vertical shaft. The steam-air mixture enters each tray from the bottom, flows upward through the vertical weirs, is deflected downward by the troughs and bubbles through the water. Steam condensation takes place as the steam rises upward through water. Air and that portion of the steam that escapes condensation in the trays collect in an airtight outlet plenum volume above all the trays at a particular level. It is directed through doubled check valves into four receiver volumes called air traps (three adjacent tray levels share one air trap) where it is localized. A schematic diagram of the system is shown in Figs. 26 and 27.

When the pressure in the reactor building compartments decreases below that in the outlet plenum of the tray, a reverse flow of water from the condenser trays is initiated. Water pushed out from the trays is sprayed out by the perforated baffles mounted on the roof of each tray level plenum (passive spray).


1 - reactor vessel, 2 - steam generator, 3 - MCP, 4 - LPS tank, 5 - RBS pump, 6 - ECCS heat exchanger, 7 - RB sump, 8 - pressure suppression condenser tray, 9 - localization tower, 10 - air trap compartment.

FIG. 26. Schematic diagram of V213 containment system.

The outlet plenum of each tray level is connected by two redundant check valves to the vertical shaft of the localization tower. These valves prevent the initiation of passive sprays in the case of small break LOCA or inadvertent initiation of sprays. The valves are blocked under large break LOCA conditions (when over-pressure in the reactor building exceeds the prescribed level).

The overpressure inside the reactor building compartments depends on the break size. In the case of a 500 mm break it is predicted to attain a peak value of 0.13 MPa in several seconds following the inception of the break. Steam discharged from the rupture largely displaces the air ahead of the steam through the suppression trays and into the air traps. Depressurization of the RCS is complete after less than 50 s. Active spray is initiated with approximately 60 s delay and by this time the pressure is reduced to 0.16 MPa absolute, due to steam condensation. After approximately 12 min the pressure is expected to be 0.1 MPa absolute. Displacement of air from the localization compartments, followed by condensation of steam from the containment atmosphere, permits the pressure to be reduced to subatmospheric values beyond this time. Active sprays are switched off when pressure has fallen below 0.085 MPa and switched on again when pressure increases to 0.095 MPa. Continued cyclic operation of the sprays maintains the pressure in the localization compartments between 0.085 and 0.095 MPa absolute.

3.3.13.3. Reactor building spray system

The reactor building spray system (RBS) provides a water spray to the reactor compartment following a LOCA or steam line break, to limit containment pressure and to minimize the release of radioactive iodine and particulates to the environment.

The RBS is composed of three identical and completely independent trains, each of them with a capacity of approximately 600 m³/h.


1 - inlet volume, 2 - water tray, 3 - tray outlet plenum, 4 - upper trough, 5 - lower trough, 6 - air trap, 7 - check valve controlled by inlet volume pressure, 8 - check valves, 9 - perforated baffle.

FIG. 27. Schematic diagram of pressure suppression condenser.

The RBS train (Fig. 28) is composed of the low head pump, chemical addition tank, water ejector pump, piping with their associated valves and a spray header located inside the steam generator room. The pump suction line, with the manual valve normally open, is connected to the suction header common for three systems - HPS, LPS and RBS. The pump draws suction through the ECCS suction header, either from the LPS tank or from the reactor building sump. The pump charging line contains isolating valves, normally closed.

Hydrazine is added to the spray water from the chemical addition tank by means of the water ejector pump. The pump suction is connected to the RBS recirculation line, the pump outlet to the ECCS suction header. The chemical addition is initiated using the manual valve installed on the tank connection line.

The RBS may be manually actuated or it may be automatically actuated by the protection system. The occurrence of high reactor building pressure causes the protection system to actuate the RBS. The RBS pumps start operating on the recirculation line. The recirculation flow rate signal opens the isolating valve and closes the motor operated valve. The system supplies water from the tank until it is exhausted.


FIG. 28. Schematic diagram of reactor building spray system (RBS) - train 1. Labels: sprinklers, chemical additives tank.

At low level signal the suction valve from the reactor building emergency sump opens and the isolation valve on the line connecting the BWST to the suction header closes. From this moment the recirculation phase is continued.

The pumps are switched off when the RB pressure is decreased below the prescribed limit. They are switched on again when the pressure reaches the upper limit.
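The switching rule described for the active sprays (off once pressure has fallen below 0.085 MPa, on again at 0.095 MPa absolute) is a two-threshold hysteresis rule. The following added example, which is not part of the IAEA report or of any plant software, derives the expected spray state from a pressure trace and flags recorded states that contradict the band. The function names, the sample trace and the assumption that sprays are running at the start of the trace are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Set points taken from the text (absolute pressure, localization compartments).
SPRAY_OFF_BELOW_MPA = 0.085  # sprays switched off once pressure has fallen below this
SPRAY_ON_AT_MPA = 0.095      # sprays switched on again when pressure rises to this


@dataclass(frozen=True)
class Sample:
    t_s: float           # time of the sample in seconds (constructed)
    pressure_mpa: float  # absolute pressure in MPa
    spray_on: bool       # spray state as recorded in the log


def expected_states(pressures, initially_on=True):
    """Apply the two-threshold rule to a sequence of pressure readings.

    Inside the band (0.085 <= p < 0.095) the previous state is held, which
    produces the cyclic operation the text describes. `initially_on` is an
    assumption of this example, not a value from the report.
    """
    state = initially_on
    states = []
    for p in pressures:
        # Reject readings that cannot be a real absolute pressure.
        if not math.isfinite(p) or p <= 0.0:
            raise ValueError(f"non-physical pressure reading: {p!r}")
        if state and p < SPRAY_OFF_BELOW_MPA:
            state = False
        elif not state and p >= SPRAY_ON_AT_MPA:
            state = True
        states.append(state)
    return states


def count_transitions(states):
    """Return (starts, stops): off->on and on->off changes in a state sequence."""
    starts = stops = 0
    for prev, cur in zip(states, states[1:]):
        if cur and not prev:
            starts += 1
        elif prev and not cur:
            stops += 1
    return starts, stops


def find_mismatches(samples, initially_on=True):
    """Return (t_s, pressure, recorded, expected) for samples that break the rule."""
    expected = expected_states([s.pressure_mpa for s in samples], initially_on)
    return [
        (s.t_s, s.pressure_mpa, s.spray_on, e)
        for s, e in zip(samples, expected)
        if s.spray_on != e
    ]


# Constructed trace, one sample per minute. The recorded state at t = 420 s is
# deliberately inconsistent: sprays shown running at 0.094 MPa on a rising
# pressure, before the 0.095 MPa switch-on point has been reached.
_PRESSURES = [0.160, 0.120, 0.100, 0.090, 0.084, 0.088,
              0.094, 0.095, 0.090, 0.084, 0.086]
_RECORDED = [True, True, True, True, False, False,
             True, True, True, False, False]
TRACE = [
    Sample(t_s=60.0 * (i + 1), pressure_mpa=p, spray_on=r)
    for i, (p, r) in enumerate(zip(_PRESSURES, _RECORDED))
]

if __name__ == "__main__":
    states = expected_states(_PRESSURES)
    print("expected states:", states)
    print("starts, stops:", count_transitions(states))
    for row in find_mismatches(TRACE):
        print("mismatch:", row)
```
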

3.3.14. Electrical power supply system

The electrical system supplies electrical power to the external power grid during normal operation (the main power system) and to the unit auxiliaries under normal and accident conditions (the plant loads distribution system). The plant is equipped with two turbine generators (TGs) of 220 MW(e).

The main power system receives electrical power from the unit generator and directs it to the unit step-up transformers, where the electrical voltage is raised to a level compatible with the utility transmission system. Isolated phase buses are used to connect the unit generators to the unit step-up transformers with taps for connection to unit auxiliary transformers.

The plant house-loads distribution system is the normal source of electrical power for both normal electrical equipment and engineered safeguards equipment. During normal operation the plant house-loads receive power from the unit generator through auxiliary transformers. When the TGs trip, the house-load system is powered from the grid through the unit transformer and auxiliary transformers.


The plant house-loads distribution system may be fed either from the external reserve grid or from the emergency power supply system.

The emergency power supply is provided for safe shutdown of the plant when normal and standby power supply have been lost. The emergency power supply consists of two sources of electrical power: diesel powered generators and 220 V batteries.

The plant loads distribution system is divided into three categories, according to their safety significance:

- Non-essential AC distribution subsystem (category 3) that supplies electrical power to non-safety plant systems or equipment;
- Essential AC distribution subsystem (category 2) that provides electrical power to those safety related plant systems that can be de-energized for a period up to 2-3 minutes;
- Essential DC/AC distribution subsystem (category 1) that provides an uninterruptible source of DC and AC electrical power to safety related instrumentation, control circuits and engineered safeguards equipment.

The plant AC distribution system is a hierarchical arrangement of switchgear at various voltage levels. Both essential and non-essential subsystems are designed in this manner. A schematic diagram of the system is shown in Fig. 29.

There are two different voltage levels within the AC distribution system - 6 kV and 0.4 kV. The higher level is fed from the unit generator through the unit auxiliary transformers, from the main switchyard through the unit step-up transformer and auxiliary transformers or from the reserve switchyard through standby transformers. The essential and non-essential distinctions are first made here. Most large pump motors in the plant are supplied from a 6 kV switchgear. Also, the lower voltage switchgear is supplied from this switchgear.

There are four 6 kV load buses used for normal unit loads (non-essential loads - category 3) and three 6 kV load buses used for power supply of safety related plant systems (essential loads - category 2). Each train supplies power to specific safety related process system trains.

Three diesel powered emergency supply trains, electrically and physically separated, are connected to essential load buses. Essential and non-essential load buses are automatically disconnected on loss of power from normal and standby sources. The next voltage level is 0.4 kV. Switchgears at this level are fed from a 6 kV switchgear, 6/0.4 kV. This voltage level is used to supply power to medium to small pumps, fan motors and valve operator motors. The separation between the various trains of non-essential and essential subsystems is maintained at this voltage level. There are three 0.4 kV switchgears dedicated to essential safety related plant systems. Three buses are provided for diesel related electrical loads.

There are several 0.4 kV switchgears in the non-essential subsystem (category 3). One switchgear, supplied with power from a standby bus, is a standby source at this voltage level. Other switchgears supply power to general plant process systems, to pressurizer heaters and to plant auxiliary equipment.

The essential DC/AC distribution subsystem (category 1) usually consists of five separate trains - three of them are dedicated to safety related redundant equipment (vital trains) and two to general plant loads.

Each vital DC/AC power supply train contains battery, battery chargers and converters. Battery chargers are fed from the essential power subsystem, category 2. In the event of a loss of AC power the batteries carry their associated loads for a limited time period.


FIG. 29. Schematic diagram of electrical power supply system. Labels: external grid, reserve grid, 6 kV, 24 V DC, 0.4 kV AC.

The vital 0.4 kV AC panelboards are supplied with power from inverters that are connected to corresponding vital panelboards.

The plant DC/AC power trains (non-vital) are constructed in the same manner as each of the vital DC/AC trains. They supply power to plant non-safety loads (including plant computer) and to the reactor protection system.

During normal operation 6 kV switchgears are fed from the unit generator. When the unit is shut down, the plant receives power from the main switchyard through the unit transformer. Essential and non-essential switchgears at 6 kV voltage level are connected.


During normal DC system operation, battery chargers supply power to the associated distribution center. The battery remains floating on each bus in the stand-by mode until required upon loss of power to the battery charger. All tie breakers on the DC train are closed and their positions are monitored in the control room.

Should power not be available from either the normal source or the startup source, reserve power is provided. On loss of voltage signal on essential 6 kV buses, non-essential and essential buses are disconnected, diesels are started up, each diesel generator tie breaker closes and load sequencing circuitry is actuated.

During the loadshed the DC essential power subsystem is fed from batteries until the corresponding AC bus supplying power to the battery charger is re-energized.

3.3.15. Service water system

The service water system (SWS) is an important support system, needed for the successful operation of many systems treated in the model both as front line and support systems. Particularly, it provides cooling water to ECCS heat exchangers, ICCS heat exchangers, CCS heat exchangers, diesel generators and process condensers of the secondary decay heat removal system.

The service water system is composed of three identical trains. Each train supplies cooling water to a specific engineered safety system train. The system is powered by the essential AC distribution system. A schematic diagram of the SWS train is shown in Fig. 30.

Each train is composed of a pump house, distribution headers that branch into parallel legs supplying water to safety related coolers, discharge headers and storage tank with associated piping. In the Bohunice plant, pumps, distribution and discharge headers are common for two units.

Each train consists of 4 pumps. During normal operation of the plant one or two pumps are running. The charging line of each pump has a check valve and an isolating valve. Pump discharge lines join together into a common collector with an isolation valve.

The distribution header branches to each of the associated coolers. The specific loads relevant from a safety point of view include diesel generator heat exchanger, process condenser, ICCS heat exchanger, CCS heat exchanger, ECCS heat exchanger and some pumps. Flows from all parallel legs are joined together at a common discharge header.

Each individual piping line supplying water to a specific cooler has isolation valves at the inlet and outlet of the cooler. Normally closed isolation valves open automatically on receipt of a safeguards signal.

Trains 1 and 2 supply water to two process condensers and train 3 is designed to be used as reserve train.

The storage tank is designed to ensure sufficient water flow during accident conditions (the first 100 s) before SWS pumps are restarted under the diesel startup programme.

During normal plant operation all three SWS trains are used. Distribution of loads among individual trains assures similar operational conditions of each train. Selected pumps in each train are running, the others are in stand-by.


FIG. 30. Simplified diagram of service water system (single train). Labels: reactor compartment loads, storage tank, CCS heat exchanger, ICS heat exchanger, HPS pump cooling, ECCS heat exchanger, SDHRS process condenser, to/from other PC train, from other unit, SWS pumps.

Service water is directed only to operational loads. During normal operation the distribution lines to diesels, process condensers and HPS pumps are isolated. Pipe lines by-passing RCS loads are also isolated. ECCS heat exchangers are supplied with water discharged from RCS loads.

In emergency conditions, on ESAS signal, stand-by pumps in each train are started and isolation valves on piping lines supplying water to individual loads open automatically. Isolating valves open automatically during LOCA to provide sufficient flow to ECCS heat exchangers.

3.3.16. Intermediate component cooling system

The intermediate component cooling system (ICCS) is designed to perform both normal and emergency functions. It is used for heat removal from several components installed in or connected with the reactor primary system. The system is composed of three independent circuits providing cooling medium for three groups of equipment:

- emergency core cooling and reactor building spray pumps,
- reactor coolant pumps and other equipment located inside the containment envelope,
- control rods drive mechanisms.

FIG. 31. Simplified diagram of intermediate cooling system/ ECCS cooling circuit (single train). Labels: LPS pump, RBS pump, HPS pump.

The interruption of cooling flow to ECCS and RBS pumps during accident conditions may result in pump overheating and excessive leakage. Proper operation of this circuit is important for successful operation of ECCS and RBS during LOCA and some types of transients.

Cooling for the main circulating pumps includes cooling of the pump motor, pump bearings and pump seals. Loss of pump seals cooling can result in seal damage, leading to increased RCS leakage or small-break LOCA conditions.

The ECCS and RBS pumps cooling circuit consists of three identical and independent trains, each dedicated to one of three ECCS trains (Fig. 31).

Each train includes one heat exchanger, pump, surge tank, and piping with their associated valves - the pump charging and suction lines, three sections supplying coolant to and collecting it from HPS, LPS, RBS pumps, return line with heat exchanger and recirculation line with surge tank.

Each of the three ICCS trains is rated at 8.6 m³/h at pumping pressure 0.5 MPa. Each pump is fed from a separate EPS bus bar. The pump is actuated by ESAS automatically in case of any ECCS or RBS pump actuation.

The heat exchanger, installed on the return line at the suction side of the ICCS pump, is a tube-shell unit. Cooling medium (tube side) is provided by the service water system (SWS). Each unit is supplied from a separate SWS subsystem.

The reactor cooling pump cooling circuit (Fig. 32) is a separate and independent subsystem. It includes two heat exchangers, three pumps aligned for parallel operation, the surge tank and piping with their associated valves.


FIG. 32. Simplified diagram of intermediate cooling system/ RCP cooling circuit. Label: heat exchanger.

Each of the three pumps is supplied with power from a separate electrical power supply train. During normal operation one pump is running, the second is in hot stand-by and the third may be put in maintenance or repair.

Heat exchangers, installed on the system return line, are tube-shell units. A cooling medium is provided by the service water system. One heat exchanger is capable of meeting the requirements for heat removal from all components connected to the system. During normal operation only one heat exchanger is put into operation, the other one is in stand-by; isolation MOVs are installed on each heat exchanger line.

The surge tank is connected to the main suction line to ensure constant pressure at the pump suction and to compensate changes in coolant volume.

Containment isolation valves are installed on the system charging line and on the return line. Isolation valves are also furnished on each of the 6 sections supplying coolant to and collecting it from the RCP.

The control rod drive cooling circuit is a separate and independent system continuously operated. It includes two heat exchangers cooled by service water, three pumps aligned for parallel operation, a surge tank and piping with their associated valves. A schematic diagram of the system is provided in Fig. 33.

3.3.17. ECCS compartment cooling system

The ECCS compartment cooling system (CCS) is designed to maintain the air temperature suitable for pump motors and other electrical equipment located in ECCS compartments. The system operates during accident conditions.


FIG. 33. Simplified diagram of Intermediate Cooling System/ CRD cooling circuit. Labels: 37 control rod drives, heat exchanger, pump.

The system is composed of three identical and independent trains. Each of the CCS trains circulates air within the specific ECCS compartment.

Each train is composed of the motor driven fan and air cooler with associated ductwork. The air is drawn from the ECCS compartment, passes through the air cooler and is exhausted back to the compartment. The fan is supplied with power from the essential AC distribution system (category 2). The air cooler is supplied with cooling water from the appropriate SWS train.

3.3.18. Fuel handling, storage and transportation

Fuel management at the plant involves refuelling, transportation and storage of the fuel, both fresh and spent fuel. Special equipment and storage facilities are provided in the plant for these purposes.

According to the generic fuel management plan applied in WWER-440 NPPs, one third of the core is discharged from the core annually and replaced by fresh fuel.

Fresh fuel is transported to the plant in fresh fuel containers designed to accommodate four fuel assemblies. The container is a rigidly connected structure of four tubes with removable caps at the end, made of carbon steel. Each tube has hexagonal inserts to protect the assembly shrouds against damage.

Fresh fuel delivered to the plant is received in the fresh fuel section (FFS) located in the main building of the reactor section. The FFS is designed to contain one complete reactor load with 20% reserve and one complete refuelling load with 20% reserve. The FFS is connected with the main reactor room by a port of 1740 mm in diameter. One FFS serves two nuclear power units.

The FFS design satisfies the following requirements: location above 0-level in the flood-free zone with no water pipes and with controlled air temperature (above -15°C) and humidity (not exceeding 70%).

The FFS is equipped with appropriate transportation facilities. They include:

- grip device used for handling the fresh fuel containers,
- 3.2 t crane used for lifting and transportation within the FFS,
- turn-over device used for putting the fresh fuel container into vertical position,
- shroud for fresh fuel assemblies used for temporary storage of 30 assemblies in the FFS as well as for their transportation to the refuelling pond in the reactor section,
- shroud for leak tight fuel containers used for storage and transportation of leak tight containers from the FFS to the refuelling pond.

Fresh fuel to be loaded to the reactor during refuelling is transported to the spent fuel storage pond. From there the fuel is moved to the reactor by using a refuelling machine.

Fig. 34 is a schematic of the operations conducted during refuelling. All refuelling operations are performed under a protective layer of borated water.

1 - reactor pressure vessel, 2 - refueling machine, 3 - racks for spent fuel, 4 - receiving container, 5 - railroad transport, 6 - transport cask, 7 - reactor building bridge crane, 8 - spent fuel storage pool (I - reloading of spent fuel from reactor to storage pool and II - reloading of "cooled" spent fuel to transport container), 9 - water level during refueling, 10 - spent fuel element, 11 - water level during storage.

FIG. 34. Schematic of refueling operations.


1 - periscope, 2 - frame, 3 - working shaft, 4 - transport pulley, 5 - changeable gripper mechanism.

FIG. 35. WWER-440 refueling machine.

For refuelling, the reactor vessel top head is opened and the water tight barrier between the spent fuel storage pond and the transfer canal is removed; the water level is increased in the storage pool to flood the transfer canal and the space above the reactor. Fuel elements are removed from the core and transferred to the storage pond under water via the transfer canal by using the refuelling machine.

The refuelling machine applied in the WWER-440 NPPs is shown in Fig. 35. The machine consists of two major components: a frame bridge that moves on rails above the reactor shaft and the storage pond, and a cart that moves perpendicular to the direction of the frame. The operator rides in a control cab on the frame. The moving cart carries the mechanisms necessary to fasten onto the fuel and raise it from the core, and a television camera mounted on a periscope to permit viewing of the underwater operations.

Fuel assemblies removed from the core are checked for leakage of fission products by using sample analysis. Leaking assemblies are placed in hermetically sealed containers to reduce contamination of the storage pond water. The containers are stored in special racks in the pond.


The spent fuel is kept in the storage pond for at least three years in order to reduce its radioactivity and its residual heat rate to a permissible level that enables its transportation from the pond. After the three-year period, the fuel is transported in shipping casks to either away-from-reactor storage or fuel reprocessing facilities.

The standard spent fuel storage pond is designed to hold fuel from three planned reactor refuellings and one complete load of the reactor core if it is necessary to unload the reactor for vessel inspection or in case of an accident.

The storage pond has its own cooling and water purification systems. The cooling system consists of three redundant trains. Each train includes a pump and a heat exchanger. The heat exchanger is cooled by an intermediate cooling system and is supplied power from an essential electrical power supply system (diesel generators). The refuelling pond and transfer pools are filled with water from the ECCS water tanks. Water from the pond may be dumped by the use of a draining pump to the tanks of "dirty" condensate.

All piping associated with the spent fuel storage pond is positioned so that a pipe rupture will not cause the pond to drain below the fuel elements.

Spent fuel elements transported from the pond are transferred to the spent fuel cask TK-6 (Fig. 36). The cask is a leak tight cylindrical vessel with top closure. The internal surface of the container vessel is lined with stainless steel. A special spacing shroud is installed inside the cask to ensure appropriate subcriticality.

1 - hermetically sealed container for fuel assembly, 2 - internal barrel, 3 - cask body, 4 - cladding, 5 - pivot, 6 - fastening ring, 7 - cask closure, 8 - lifting assembly, 9 - valves, 10 - support flange, 11 - stiffeners.

FIG. 36. WWER-440 fuel transfer cask TK-6.


The capacity of the TK-6 cask is 30 standard fuel elements or 18 single assembly containers, which are used for leaking fuel assemblies.

The TK-6 cask uses water for the internal convective coolant in case of maximum fuel burnup (40 MWd/kg), or nitrogen for lower burnup assemblies.

Each loaded cask is moved from the storage pond into a fuel handling room located in the middle of the reactor building, serving both units. One of the two travelling bridge cranes inside the reactor bay is used for transportation of the cask. Equipment inside the fuel handling room provides for lowering the cask onto a rail transport car at grade in the lower part of the reactor building.

All transportation and technological equipment used for fuel handling is subjected to periodic tests to prove conformance with technical specifications. All cranes and lifting mechanisms are tested according to the requirements of the State Technical Supervision Committee.

The crane hook, the grip devices, the fuel assemblies' grips and shrouds are equipped with mechanical interlocks to exclude accidental disconnection. It is allowed to transport only one container with fresh fuel holding 4 fuel elements (not exceeding 70% of critical mass).

Fuel handling systems were designed taking into account various abnormal initiating events, such as falling down of the container with fresh fuel, falling down of the shroud with fresh fuel, falling down of the fuel assembly while being transported over the reactor and the storage pond, and the falling down of the container with spent fuel.

Radiation safety during refuelling operations satisfies the requirements related to radiation protection of the personnel. During transportation of one fuel assembly from the reactor to the pond rack the radiation level measured above the water surface does not exceed 3.1 x 10A R/h. Dose rate at the pond ceiling during the storage of the spent fuel in the rack is 1.03 x 10⁻¹ R/h. The maximum dose rate for the personnel servicing the refuelling machine during transportation of a spent fuel assembly is 0.26 mR/h.

According to design the activity of the storage pond water does not exceed 10⁻⁵ Ci/l.

Proper operation of the storage pond cooling system is monitored in the control room. In case of cooling pump failure there is an alarm signal. The redundant system is to be switched on by the operator. If all three cooling trains are not operable the personnel has approximately 3 h to restore the operation of at least one cooling train.

3.4. STRUCTURAL MATERIALS USED IN WWER-440 NPPs

All materials used for construction of WWER-440 NPPs were fabricated according to the requirements of certain technical specifications. The majority of structural materials were regulated by State standards (GOST). In the last two decades when WWER-440/213 plants were designed and constructed, several related GOST standards were issued. Technical specifications for stainless steel piping were included in Soviet GOST 9941-72 and 9940-81, both of which refer to GOST 5632-72 for chemical composition limits. More general documents that provide technical specifications for structural materials are GOST 5949-75 and GOST 9940-81.

The most recent document containing technical specifications for large variety of structural materialsused in nuclear industry is the Soviet standard "Rules for Construction and Safe Operation of the Equipment

94

and Pipelines for NPPs" (PNAE-G-7-008-89). The document is dedicated to specialized materials used innuclear industry and includes a comprehensive set of technical specifications. Appropriate materials forwelding and building-up are applied according to the document "Equipment and Pipelines for NPPs.Welding and Building-up. Principal Regulations" (PNAE-G-7-009-89). Inspection of welding joints isperformed according to the document PNAE-G-7-010-89.

The documents were issued in 1989, but they reflect the material technology applied in nuclear industrymuch earlier. Therefore, these documents were the basic source of information related to technicalspecifications of materials applied in the construction of WWER-440/213 NPPs, to be used in the project.Chemical composition of the materials may vary slightly from plant to plant depending on the equipmentmanufacturer but precise information on tuese characteristics were not available for the project.

The main structural material for the main coolant piping, the pressurizer piping, most of the RPV internals, the main coolant pumps, the ECCS pipelines and SG tubes is chromium-nickel titanium-stabilized austenitic steel (08H18N10T or 08H18N12T). The reactor vessel, reactor vessel head and core shroud are made of low alloy chrome-molybdenum-vanadium steel (15H2MFA or 15H2MFA-A). Carbon quality steel (22K or 22K-VD) is used for steam generator shell, pressurizer vessel and nozzles, RPV instrumentation nozzles and ECCS tanks.

The inner surfaces of the RPV, pressurizer vessel and ECCS tanks have anticorrosive cladding that is built up by welding. Vessel cladding is applied in a number of layers using thin, wide strips. The stainless steel used for cladding is a chromium-nickel niobium-stabilized weld material (usually 0.5 weight percent of Nb).

Main structural material used for manufacturing fasteners and studs is the structural alloyed steel 38HN3MFA or iron-nickel alloy HN35WT-VD.

Reactor coolant pump shafts are made of high alloy martensitic-ferritic steel 14H17N2.

More detailed information on the material manufacturing process, grade chemical composition and guaranteed mechanical properties is given in Annex IV.

Structural materials used for fabrication of equipment are manufactured with special attention to assure low concentration of detrimental impurities (especially sulphur, phosphorus, copper and other non-ferrous metals), gases (hydrogen, nitrogen) and non-metallic inclusions (oxides, silicates, sulphides, etc.).

The high quality of the materials is achieved by using special blending materials, appropriate fabrication processes, vacuum casting and out-of-furnace processing.


4. DESIGN RELATED SAFETY FEATURES

This section provides a brief qualitative evaluation of the design related safety features of WWER-440/213 plants included in the project (as presented in Section 3).

It should be emphasized, however, that no systematic design review was carried out within the framework of the project. The material used as the basis for this presentation originates from technical documents available at the moment of publication of this report [12-17]. They include the DOE safety assessment study of WWER plants [12,13], evaluation of design and operational safety related issues for Loviisa NPP [14], and the reports from safety review missions carried out for Zarnoviec NPP [15-17]. Some preliminary results of the IAEA Extrabudgetary Project on Safety of WWER-440 Model 230 NPPs - when found to be relevant to 213 plants - are also considered [18].

It should be realized that the source documents used in the preparation of this section have certain limitations that affect the completeness and the general applicability of the discussion presented below.

The majority of the documents mentioned above address specific plants (Loviisa [14] and Zarnoviec [15-17]). Since there are differences among the WWER-440/213 plants due either to slightly different design and/or equipment fabrication or to some backfitting measures already implemented at the plants, not all issues included in these documents are fully applicable to all WWER-440/213 plants. There are also some plant specific safety issues relevant to other WWER-440/213 plants that are not covered in these source documents. Only the basic technology specific problems are common to all WWER-440/213 plants.

The US DOE report [13] is based on limited information which was available in the open literature at that time. In certain areas this information is not complete and does not reflect the up-to-date practice in the WWER-440/213 plants.

At the time of completion of this document several activities in important fields are in progress within the framework of the IAEA and other international or bilateral programmes related to the safety of WWER-440/213 plants. The most important studies include: evaluation of the operational experience gained so far, embrittlement operational issues, status of quality assurance at the individual plants, evaluation of design and beyond design basis accidents, and external events. Results of these studies will provide more correct information than most of the literature sources used in the preparation of this report. Insights from these investigations will be presented in other documents being prepared under the project framework.

In parallel to the IAEA projects, national projects are ongoing in the Slovak Republic, the Czech Republic, Ukraine and Hungary. Plant specific safety evaluation and backfitting measures are considered as the main goals of these projects. The AGNES project carried out for the Paks NPP is one of the recent activities concentrating on quantitative reassessment of WWER-440/213 plant safety.

The material presented in this section is structured following defence in depth strategy. Section 4.1 addresses general plant features related mainly to the first and second defence in depth level. Section 4.2 reviews more detailed issues concerning individual safety related systems (mainly the third and fourth level of defence in depth).

Some general areas of design are presented separately because they interfere with a large number of systems or equipment and influence the performance of the main safety functions. These areas include instrumentation and control (Section 4.3), electrical power supply (Section 4.4), and protection of equipment from external hazards (Section 4.5).


Each safety issue discussed in the report is given an alpha-numeric code for further reference. Safety merits are designated by the letter "A" and safety concerns by the letter "B".

The discussion of safety merits and safety concerns mainly refers to specific plants addressed in Ref. [14-17], therefore not all the items are fully applicable to all the plants covered by the project.

4.1. NORMAL OPERATIONAL SYSTEMS

The WWER-440/213 plant has some specific features that affect the overall characteristics of the plant, both from the economic and the safety point of view. Relatively low operating parameters and medium reactor output, a primary coolant system layout with a large number of cooling loops, the use of horizontal steam generators, two medium size turbines instead of one, have the most considerable impact on economic plant factors, primarily through the large investment costs. However, from the safety point of view, most of these design choices have positive side effects. The design has many safety merits not found in the nuclear power plants currently designed.

4.1.1. Safety merits

A1. Relatively low thermal output of the reactor with consequential small dimensions of the core positively affects the core characteristics with regard to spatial xenon oscillations. With smooth and easily predictable behaviour of the WWER-440 core, the special equipment for controlling local power variation inside the core is not necessary [14].

A2. Low power density with respect to fuel mass, with consequential low heat flux, ensures a large safety margin to heat transfer crisis and good core behaviour during various kinds of abnormal transients. This also decreases the average fuel temperature during normal operation. An additional benefit is lowering the maximum fuel temperature by using the fuel pellet with a hole in its center. Lower fuel temperatures result in better retention of the gaseous fission products in the fuel matrix [14].

A3. The large water inventory in the primary circuit and in the steam generator is a unique feature of the WWER-440 plant. Owing to the large thermal capacity of the heat transport system, the plant is very well protected against various disturbances affecting the balance between heat production and heat removal, such as loss of feedwater (due to station blackout or turbine hall fire). A relatively large time margin (5-6 hours) is assured for the operator to recover proper cooling capabilities before the core damage occurs [14].

The large water inventory of the primary coolant circuits is also beneficial under small LOCA conditions with simultaneous failure of high pressure injection. A sufficient time margin exists to perform depressurization of the reactor coolant circuit by the use of secondary side cooling systems, allowing long term cooling by the low pressure injection/recirculation system.

The large thermal capacity of the heat transport systems makes the plant insensitive to the most common operational disturbances [14]. In many PWR power plants of non-Soviet design major operational disturbances that start from the secondary circuit (with relatively high frequencies) cause a large transient in the reactor system and often require opening of the pressurizer relief valves. If the valves fail to operate properly, the plant conditions may escalate to a severe accident. In the WWER-440, most disturbances originating from the secondary circuit are easily accommodated by minor changes in the steam generator water level, and they have almost no influence on the primary circuit parameters.


In the case of anticipated transients without scram (ATWS), the resulting peak pressure is considerably lower than in other PWR plants of non-Soviet design. A much longer time period is also assured for the operator to shut down the reactor manually. At the same time, due to large thermal margins (as measured by DNBR), a heat transfer crisis is much less likely than in other PWRs [14].

A4. The primary coolant system layout with six loops profits from decreasing possible disturbances, such as those that are caused by a trip of a circulating pump [14]. In WWER-440 plants this event does not require the reactor trip (the reactor trip is initiated by the protection system in case of a trip of more than three reactor coolant pumps).

A5. The use of horizontal steam generators together with the overall layout of the primary coolant system facilitates the transition to one-phase natural circulation in the primary circuit. Therefore, decay heat removal from the core during the plant cooldown may rely on the same heat transfer path as that used during normal power operation. This feature is beneficial because it minimizes the number of pipe connections to the primary circuit (lowering the likelihood of interfacing LOCA), provides larger flexibility in using various alternative ways of heat removal from the steam generators, and profits from their large heat capacity under loss of ultimate heat sink conditions [13,14].

A6. Isolation valves in the primary coolant loops allow the maintenance of individual steam generators and main circulating pumps without decreasing the water level in the reactor coolant system. This operation, normally needed in other PWRs, is difficult to control and may lead to temporary loss of residual heat removal, if the water level is lowered too much [14].

A7. The use of two parallel turbines also contributes positively to limiting the severity of the most common transients originating from a turbine trip. Additional benefit follows from the large amount of water contained in the two feedwater tanks (deaerator tanks) that accommodate effects of any disturbances in the turbine system. This plant layout also implies the existence of two independent connections to the off-site grid; this improves significantly the reliability of electrical power supply to the plant equipment [14].

4.1.2. Safety concerns

B1. Vulnerability to brittle fracture of the reactor pressure vessel (RPV) is the main safety concern related to WWER-440 design. The unfavourable feature of the RPV design is the small distance between the core edge and the vessel wall, and the consequential high fluence of fast neutrons [13,14].

The ductile-brittle transition temperature is unfavourably decreased with the content of impurities such as copper and phosphorus in the vessel material, especially in the weld region. Unfortunately the WWER-440 reactor vessels have a circumferential weld at the core region (belt line region).

Due to the particular importance of the problem and the lack of precise embrittlement correlations, further progress in the brittle risk estimation is still required. This issue is the subject of more detailed analysis carried out within the framework of the project and will be addressed in other project documents planned to be published. Based on available knowledge it is not expected, at least for the RPVs fabricated by Skoda, that brittle fracture problems would limit the plant lifetime.

Favourable built-in features of the WWER-440 heat transport system diminish the severity of cooling transients that may result in pressurized thermal shock. However, needs for some additional means for preventing low temperature overpressurization of the RPV (based on automatic protection) should still be evaluated [15].


B2. Vulnerability to a significant leak of the primary coolant to the secondary circuit due to potential rupture of the manifold in the steam generator is another serious safety concern in WWER-440 power plants [14]. The manifold is a cylindrical tube 800 mm in diameter and 70 mm thick with several circumferential welds, capped by a cover bolted to the tube. Potential rupture of both the tube wall and the bolts cannot be excluded, especially because such an accident has already occurred once in the Rovno NPP.

A LOCA of this type results in loss of primary coolant to the outside of the containment boundary, which could disable long term cooling capabilities of the ECCS (by loss of RB sump inventory) and could lead to core melt. The leak could be stopped by successful closing of the isolation valves in the respective loop, but these are single non-safety related valves, which according to single failure criterion should not be taken into account in the design basis accident. The other mitigating measure is to assure a proper isolation of the SG at its secondary side. As mentioned earlier this strategy is used in non-Soviet PWRs. It can also be successfully applied in WWER-440 plants provided that appropriate emergency procedures are developed and implemented.

4.2. SAFETY RELATED SYSTEMS

Safety systems included in the design are, in general, comparable to those used in other plants with pressurized water reactors. However, there are some specific design features, both positive and negative, that affect safety functions performed by the system and the overall plant safety. These features are discussed in this section.

Table IV summarizes the discussion, addressing various safety related design features recognized in the project as relevant, and their safety significance. Effects associated with each feature (positive or negative) are described in terms of logic elements of "defence in depth" strategy (safety functions, barriers, levels of defence). The assessment of the effects is only qualitative and based on engineering judgement. This qualification does not reflect safety significance associated with the specific design related issues in quantitative terms. In this context the term 'negative' indicates only increased likelihood of losing certain safety functions, barrier or level of defence; it does not mean the complete loss of this specific element of defence in depth.

The list of safety related issues provided in Table IV is arranged by systems. Some issues associated with normal operational systems, discussed in the previous section, are also included in this table.

4.2.1. Safety merits

A8. In the model 213 unit normal operational make-up functions are performed by a separate system termed here chemical and volume control system (CVCS). In some existing PWRs this function is performed by a high pressure injection system (HPS) combining normal operating functions and safety functions. This combination may have a negative effect by decreasing the independence of the HPIS system.

The CVCS pumps are supplied with power from the essential power source and may be used as alternative means for RCS inventory control under small break LOCA conditions (emergency boration subsystem).

A9. Four levels of emergency command signals for reactivity control applied in the reactor protection system permit earlier protective actions than the simple reactor scram used in many non-Soviet PWRs and, in consequence, smooth response to minor deviations from the operational state. The spectrum of conceivable abnormal events covered by the protection system signals is considered adequate [14]; especially the careful monitoring of the rate of neutron flux change (reactor period) is to be noted.


TABLE IV. DESIGN RELATED SAFETY FEATURES AND THEIR EFFECTS ON INDIVIDUAL DEFENCE IN DEPTH ELEMENTS - POSITIVE (P) OR NEGATIVE (N)*

| Safety related system - safety related design features | Effect + related safety function ¹ | Effect + related barrier ² | Effect + related level of defence ³ | Reference to text |
|---|---|---|---|---|
| Reactor system | | | | |
| Low thermal output and small core | P1, P2 | P1, P2 | P1 | A1 |
| Low power density | P1, P2 | P1, P2 | P1 | A2 |
| Low fuel temperature | P2 | P1, P2 | P1 | A2 |
| Reactor coolant system | | | | |
| System layout | | | | |
| - large number of primary loops | P1, N3 | P1, P2, N3 | P1, N1 | A3, A4 |
| - RCS loop configuration vulnerable to loop seal phenomena during LOCA | N2 | N1, N2 | N1 | |
| - large water volume in RCS | P1, P2 | P1, P2 | P1 | A3 |
| The use of horizontal SG | | | | |
| - large water volume in the SG shell | P1, P2 | P1, P2 | P1 | A3 |
| - vulnerability to LOCA within the SG | N2 | N1, N2 | N1 | B2 |
| The use of RC loop isolation valves | P2 | P1, P2, P3 | P1 | A6 |
| RPV vulnerability to brittle fracture | N2 | N3 | N1 | B1 |
| - fast neutrons fluence relatively high | | | | |
| - RPV welds location (high flux region) | | | | |
| Measures for leak before break identification not adequate | N2 | N3 | N1 | |
| Dynamic loads due to piping failures not fully verified | N2 | N1, N2 | N3 | |
| Plant balance | | | | |
| The use of two turbogenerators | P1, P2, P3 | P1, P2, P3 | P1 | A7 |
| Large water inventory in deaerators | P2 | P1, P2 | P1 | A7 |
| Emergency feedwater system | | | | |
| Relatively high level of redundancy | P2 | P1, P2 | P3 | A11 |
| Insufficient diversity | N2 | N1, N2 | N3 | B7 |
| Vulnerability to CCF | N2 | N1, N2 | N3 | B7 |
| - common location of redundant trains | | | | |
| - connections to SGs common for the main and auxiliary feedwater system | | | | |
| Reliability of EF and AF pumps not adequate | N2 | N1, N2 | N3 | B7 |
| Secondary decay heat removal | | | | |
| Decay heat transfer path through SGs | P2 | P1, P2 | P3 | A12 |
| Vulnerability to common cause failures (location in turbine hall) | N2 | N1, N2 | N3 | |

* The term 'negative' indicates only increased likelihood of losing certain safety function, barrier or level of defence; it does not mean the complete loss of this specific element of defence in depth. The assessment of the effects is only qualitative and based on engineering judgement. This qualification does not reflect safety significance associated with the specific design related issues in quantitative terms. Not all items included in this table are fully applicable to each WWER-440/213 plant.


TABLE IV. (cont.)

| Safety related system - safety related design features | Effect + related safety function ¹ | Effect + related barrier ² | Effect + related level of defence ³ | Reference to text |
|---|---|---|---|---|
| Containment system | | | | |
| Fast transition to underpressure after SB LOCA | P4 | P4 | P3 | A13 |
| Low vulnerability to severe accidents | P4 | P4 | P4 | A13 |
| Containment structure integrity relies on not fully verified bubbler condenser functions | N4 | N4 | N3 | B8 |
| Structural strength of the structure not fully verified | N4 | N4 | N3 | B8 |
| Relatively high volumetric leak rate | N4 | N4 | N3 | B9 |
| No adequate measures to control explosive gases under severe accident conditions | N4 | N4 | N3 | B10 |
| Electrical power supply system | | | | |
| Off-site power has to be restored manually after automatic disconnection under accident conditions | N2, N4 | N3, N4 | N3 | B23 |
| Capabilities of the batteries not sufficient | N1-N4 | N1-N4 | N3 | B22 |
| Primary pressure control system | | | | |
| Pressure relief valves (PORV) reliability unsatisfactory; PORVs isolation valves not used | N2 | N3 | N2 | B3 |
| No PRZ code safety valves | N2 | N3 | N2 | B3 |
| PORVs not qualified for water relief | N2 | N3 | N2 | B4 |
| Chemical and volume control | | | | |
| Normal make-up function separated from safety functions | P2 | P1, P2 | P3 | A8 |
| Possible use of the system for emergency control of RCS water inventory | P3 | P1, P2 | P3 | A8 |
| Plant control system | | | | |
| Integrated control based on both neutron flux and thermal-hydraulic parameters with fast plant response | P1 | P1, P2, P3 | P2 | |
| Protection system | | | | |
| Four levels of emergency command signals for reactivity control | P1 | P1, P2, P3 | P2 | A9 |
| Reactor scram not fully irreversible | N1 | N1, N2, N3 | N3 | B5 |
| Emergency core cooling system | | | | |
| High redundancy | P2 | P1, P2 | P3 | A10 |
| Relatively good protection against common cause failures | P2 | P1, P2 | P3 | A10 |
| Potential flooding in ECCS room, no signalization of room flooding | N2 | N1, N2 | N3 | B6 |


TABLE IV. (cont.)

| Safety related system - safety related design features | Effect + related safety function ¹ | Effect + related barrier ² | Effect + related level of defence ³ | Reference to text |
|---|---|---|---|---|
| Service water system | | | | |
| Vulnerability to radioactive coolant leak to the environment due to lack of intermediate cooling system | N4 | N4 | N2, N3 | |
| Pump house with associated piping shared between two units | N1-N4 | N1-N4 | N3, N3 | |
| Unsatisfactory component reliability | N1-N4 | N1-N4 | N2, N3 | |
| Intermediate cooling system | | | | |
| Redundancy of the RCP cooling circuit not satisfactory | N3 | N3 | N2 | |
| Some relevant cooling circuits designed as non-safety related | N2 | N1, N2 | N3 | |

¹ Related safety functions: 1 - controlling the power level in normal, transient or accident conditions; 2 - cooling the fuel in normal, transient or accident conditions; 3 - preserving the primary circuit integrity; 4 - confining the radioactive material.

² Related barriers: 1 - fuel matrix; 2 - cladding; 3 - primary pressure boundary; 4 - containment.

³ Related level of defence: 1 - preventing deviation from normal conditions by conservative design, quality assurance retaining adequate margins, monitoring plant status; 2 - mitigation of incidents by process control and the use of feedback characteristics; 3 - prevention of accidents by the use of safety systems; 4 - preserving the integrity of the confinement, mitigation of on-site consequences.

A10. High redundancy and relatively low inter-train dependency of ECCS are positive features of the 213 design. Three independent HPS and LPS trains (3 x 100%) and four CFS trains are designed with relatively high level of independence, achieved by physical/functional separation of redundant trains and independent support features [14].

A11. The relatively high level of redundancy of the emergency/auxiliary feedwater system is a positive feature of the plant design [14]. The system includes four feedwater pumps (4 x 100%) providing feedwater from the deaerator tanks (2 pumps) and from water storage tanks (2 pumps); both subsystems are supplied with electric power from independent trains of the essential power subsystem. Some shortcomings of the system are discussed below (see point B7).

A12. The decay heat removal path through the steam generators based on natural circulation (see A5) has positive effects on plant risk as compared with other PWRs [14]. The common approach in PWR design is to circulate the reactor coolant directly in a separate cooling loop not designed for the full RCS pressure, and normally isolated from RCS with double valves. Failure of both valves results in interfacing LOCA that leads to core melt. Elimination of DHRS cooling loop reduces the likelihood of such accidents.

A13. The reactor and its cooling system are contained inside a leaktight containment structure equipped with steam condensing and pressure suppression devices (both passive and active). The design of the containment system is different from the reactor containments of non-Soviet PWRs, but the design objective is similar. Lowering the post accident pressure in the containment below the atmospheric pressure is a very attractive feature of the WWER-440 design that compensates to some extent other shortcomings discussed below (see B8).

The relatively large volume of the containment, the large heat capacity of the containment walls, and the considerable amount of water in the pressure suppression trays are positive features influencing post-accident conditions.

4.2.2. Safety concerns

B3. Some incidents involving the pressurizer safety relief valves (PORV type) have already been observed in WWER-440 NPPs. Failure of a PSRV to close (following valve demand during a transient) results in small LOCA and could be a significant initiator to accident sequences leading to core damage. Some concern is expressed with regard to valve control relying on electrical power. Valves controlled mechanically would be more reliable [15]. Non-Soviet PWRs usually have additional isolation valves (PORV block valves) to be used for isolation of the leak in case of PORV malfunction, and two code safety valves with a higher setting point for opening. Owing to a much simpler design, mechanically operated code safety valves may have a higher reliability than PORVs.

B4. Additional concern is that PORVs used in WWER-440 NPPs are not qualified for water relief [14]. This means that RCS is not well protected during periods when the pressurizer is full of water and the primary circuit is still closed. Replacement of pressurizer PORVs by valves qualified for water relief is one of the plant backfitting measures now under way.

B5. The reactivity control system that performs the reactor scram uses the rack and pinion mechanism for control rod drive. The rack and pinion are always coupled. The AZ-1 response, described as non-reversible scram, could be reversed, if electrical power is re-applied to the terminals of the drive motor. This could happen through failure of a switch or other control element, or through an electrical shortcut [13]. This type of failure was assessed in the project as very unlikely owing to appropriate organization of signals both in the power supply part and in the functional part of the RPS.

B6. No signalization is provided to warn against flooding in the ECCS compartments [17]. Potential hazard for ECCS room flooding exists due to pipelines rupture (component cooling system and ECCS borated water storage tank piping).

B7. The reliability of the emergency feedwater system is questionable [14,15]. The main concern is the lack of diversity (all EF/AF pumps are electric motor driven). An additional negative feature is the vulnerability of redundant system components to common cause failures due to physical location (machine hall). An unfavourable feature is the sharing of components between the main feedwater and the auxiliary feedwater system (common feedwater header). Some concern is also expressed with regard to the reliability of AF and EF pumps [14]. This system is the only one that ensures heat removal from the primary circuit in a majority of transients. Therefore, the above mentioned shortcomings may have a significant influence on safety.

B8. The containment structure integrity relies on bubbler condenser performance that was not tested on a large scale [16]. Vendor confidence is based on analysis and testing on a scale that has some uncertainties due to the scale factors involved. Structural strength of the condenser trays under DBA accident conditions was not fully verified [16]. Convincing structural analysis supporting the containment qualification is missing in the licensing safety documentation.


B9. A relatively high volumetric leakage rate is an important feature that affects radiological consequences of LOCAs and severe accidents. Poor leaktightness of the containment is regarded as a serious shortcoming of the design [13,14,16]. In the case of LB LOCA, containment is overpressurized for a relatively short period of time, but it may be overpressurized again during severe accidents.

B10. Another source of concern in the WWER-440/213 containment system is the problem of hydrogen recombination and hydrogen mixing [15,16]. The latter issue is relevant due to the complex geometrical shape of the containment volume composed of several compartments. Hydrogen burning in the upper plenum of pressure suppression trays may have damaging effects on the tray structure. There are no combustible gas control devices to control explosive gases as there are in all non-Soviet plants [17].

4.3. INSTRUMENTATION AND CONTROL

Extensive evaluation of instrumentation and control (I&C) design was not included in the scope of the project since it would require very specialized plant specific information. Because of the high ranking of the safety issues related to I&C design, this subject has been included in the design evaluation. However, discussion is limited to several issues identified during safety review missions and conceptual design review recently conducted for WWER-440/213 NPPs. The majority of these issues are of a generic type.

It was found that the general concept applied in the design of I&C conforms with the current philosophy applied in non-Soviet PWRs. However, there are some weaknesses in the quality and performance of I&C equipment, as well as in the logic of applied automatic systems.

B11. The reactor protection system and the control system are designed as separate systems. However, full separation or isolation between the control and protection functions of instrumentation is not provided. Reported dependencies include: cross-connections through electrical power supply [15], the use of common thermocouples and pressure sensors for both control and protection functions, etc.

B12. There are numerous instances where redundancy, physical and electrical separation and independence of safety related instrumentation channels are not adequate [18].

B13. Some shortcomings are reported in the design of local automatics/controllers of safety related equipment, such as steam generator (water level monitoring and control [15]), auxiliary feedwater pump (controller based on flow rate signal instead of charging line pressure signal [17]), etc.

B14. In some cases automatic interlocking has been found to be insufficient to prevent unacceptable operating conditions or transients [18].

B15. Some shortcomings are pointed out in the area of protection system signals. It would be advisable to include some signals, such as scram on high pressurizer water level (to reduce the frequency of PRZ safety valve opening [18]), protection signal for opening the isolation MOVs on HPS and/or LPS charging lines (to eliminate the operator action when system demand coincides with system testing [17]), etc.

B16. Deficiencies are reported concerning the equipment status monitoring signals [17].

B17. The quality and performance of I&C equipment in certain areas do not meet the current international standards for safety related equipment. Some concern is expressed regarding the low reliability of the protection system, including insufficient self-testing capabilities of the system [17]. The lack of diversity in the design of reactor protection system instrumentation channels makes this system susceptible to CCFs [17]. Finnish experience [14] with Soviet automatic equipment is also reported to be poor. Some components of the reactor protection system and control rod drive system were found to be of an outdated technology, caused operational disturbances and needed high maintenance effort.

B18. Some critical comments are addressed to the environmental and seismic qualification of instrumentation. Inadequate protection against humid environment or elevated temperature is reported in Loviisa NPP [14]. Unsatisfactory seismic qualification of I&C is pointed out by Siemens [17] (considerable height of instrumentation cabinets, insufficient anchor support, etc.) and Belgatom [15].

B19. There is insufficient provision for control room habitability under accident conditions [18].

4.4. ELECTRICAL POWER SUPPLY

The general design concept of the electrical power supply system applied in WWER-440/213 NPPs is evaluated to conform with current international safety requirements. However, some deficiencies are reported regarding this system.

B20. There are some instances where redundancy, physical and electrical separation, and independence of electrical supply are not adequate [18].

B21. In some cases environmental qualification of electrical equipment is questionable [14].

B22. The capacity of the batteries in the essential DC power subsystem is insufficient [15,17,18]. Essential safety related equipment should be supplied with power for a period of 2 - 3 hours following the initiating event. In some plants this problem has already been solved within the backfitting programmes (e.g. Paks NPP).

B23. Automatic disconnection of the power supply from the external grid following a reactor trip due to emergency protection signals (AZ-1) places unnecessary demands on the diesel generators and decreases the reliability of electrical power supply [18].

B24. Some critical comments are formulated concerning the design of the 380 V house load power distribution system (both essential and non-essential) that is composed of a large number of smaller switchgears. It has been found not to be advisable for assuring appropriate quality of system protection.

4.5. PROTECTION OF EQUIPMENT FROM EXTERNAL HAZARDS

Protection of the equipment from external hazards has drawn relatively little attention in the design of WWER-440 NPPs [13-15]. The external events that could threaten the equipment are a fire, a flood caused by a large leak in some plant systems, an aircraft impact and seismic loads.

Plant specific analysis of flooding impact is under way. At the moment of publication of this report the available information on this subject was neither complete nor final.

Preliminary results of this analysis [19] can be summarized as follows. In general, the effects of potential flooding events are limited to single train unavailabilities. Simultaneous loss of function of several redundant safety system trains due to flooding is found to be unlikely. For all potential flooding scenarios being analyzed safe shutdown capabilities of the plant are protected. Some uncertainties exist concerning the effects of directional water streams, spraying and leakage through the room ceilings. Flooding hazard is to be discussed in other documents prepared within the framework of this project.


Seismic related issues are very plant specific and require detailed analysis. Information with regard to this type of hazard will be provided in a separate document to be issued within the framework of this project. Therefore, these issues are not discussed in this report.

4.5.1. Fire protection

Precise information concerning the fire protection aspects in the Soviet design plants is quite meagre and a basic synthetic document specifying prevention measures, fire hazard analysis, compartment plans (zoning) is missing in the safety documentation of NPPs [13,15]. It is concluded in Ref. [13] that fire hazard has not been systematically evaluated and taken into account in the design of WWER-440 NPPs.

Detailed plant specific analysis concerning fire protection in WWER-440/213 NPPs was included as one of the specific issues covered by the project. So far, only preliminary results of the fire analysis for Bohunice V-2 NPP are available [20], but some relevant safety issues have already been identified.

The most important concerns addressed both in available safety assessment studies and identified in the project are listed below.

B25. A considerable quantity of PVC insulation with high ignitability and flame propagation is accumulated in the plant [20].

B26. All safety assessment studies [13,15,20] point out insufficient separation of redundant equipment, electrical instrumentation and control cables. Specific concerns include the limited level of separation for the three diesels and the associated circuits. The electrical corridor which contains cabling associated with redundant trains is a single undivided area [13].

B27. The existing fire protection equipment has been found to be unsatisfactory [20]. The efficiency of the fire protection water sprinkler system is not sufficient, electrical bus cabinets are not provided with local halon extinguishing equipment, the existing fire detection system is unsatisfactory, etc.

B28. The combined turbine, electrical and control building is susceptible to a major turbine fire [13,14]. The steel frame structure of a typical turbine building is such that a large fire could collapse it in a few minutes. The most important plant equipment that might be lost as the result of such a fire are the auxiliary feedwater system and the main control room. Other relevant safety related systems located in the same building are the electrical power supply system, control system, relief and safety valves of the SGs, many containment isolation valves and numerous cooling systems.

4.5.2. Aircraft impact

Several vulnerabilities of WWER-440/213 NPPs are reported concerning aircraft crashes in Ref. [13]. This issue is the subject of a detailed investigation within the framework of the project but the analyses are not completed yet.

B29. The main concern addresses the crash into the reactor building. For a downward directed impact, the aircraft penetrates the roof of the reactor building [13]. Depending on the crash location, this could initiate a primary or secondary system LOCA. If the impact is directed at the refuelling pool, the pool walls will likely be breached allowing water to drain from the pool. Spent fuel assemblies may be directly damaged by debris fragments. Depending upon the impact point, destruction of the control room may occur, possibly from the effects of fires following an aircraft crash. It has been concluded from preliminary analyses performed within the framework of the project that the accident localization volume may probably withstand the aircraft impact as regards both the roof and walls. It should be noted that its destruction is not crucial, since it does not initiate any serious accident.

B30. In the case of a crash into the turbine building the aircraft will penetrate through the walls and floors. Although WWER-440 NPPs incorporate two turbine generators per reactor unit, there are critical components that are common to both turbines. Loss of the feedwater pumps together with auxiliary feedwater pumps due to crash induced damage will initiate a complete loss of ultimate heat sink accident.

B31. An aircraft crash into the tall plant ventilation stack may result in its collapsing upon one of the neighbouring buildings, including the accident localization building, the turbine building and the radwaste building. Damage to the oil pumps, oil piping, or the oil tank for one turbine as the result of aircraft impact will preclude continued operation of the turbogenerator, even if there is no damage to other secondary components. In addition, the oil provides a source of fuel for fire. In all cases fire could occur inside the turbine building. Loss of electrical power due to destruction of electrical wiring will result in a partial or complete loss of heat sink.

B32. Aircraft impact may destroy the channel that delivers cooling water to the pumping station from which it is distributed to the turbine condensers, and service water system. It would result in total loss of ultimate heat sink for all of the units on the site.

B33. The diesel generators for both units of each plant are housed inside the same building and are vulnerable to the consequences of the aircraft crash.

B34. The reinforced concrete walls have a thickness of approximately 1-1.5 m that is within the recommended limits required to withstand the impact of rigid parts of the aircraft [21]. However, the effect of crash induced vibrations on the building structure requires more careful investigation.


5. CLASSIFICATION OF PLANT STATES CONSIDERED IN THE DESIGN

Classification of plant states used in the design of WWERs by the vendor conforms with current safety philosophy briefly discussed in Section 2.4. Plant states considered in the design basis are treated differently depending on their probabilities of occurrence and their consequences. The following four groups are distinguished for the use in the design analyses:

5.1. NORMAL OPERATIONAL STATES

They include all occurrences that are expected frequently or regularly in the course of normal operation of the plant. All operations or occurrences specific to normal conditions of the plant are considered: power operation or manoeuvering of the plant, maintenance, testing and refuelling. The occurrences included in this group do not violate so-called "Operational Limits and Conditions" established for the plant. The most typical items of this group are presented in Table V, based on information provided by design organizations of the Russian Federation. Allowable numbers of occurrences assumed in the design are given in the Table. Frequencies of occurrence for plant states of this group are usually greater than 1 per reactor/year.

5.2. ANTICIPATED OPERATIONAL OCCURRENCES

Plant states classified into this group include all operational processes deviating from normal operation, which are expected to occur once or several times during the operating life of the plant. Generally, the occurrences of this group do not cause any significant damage to items important to safety nor lead to accident conditions. The most important plant conditions included in this group, with allowable number of occurrences assumed in the design, are listed in Table VI (based on information provided by design organizations of the Russian Federation). In some WWER-440/213 plants the list of DBA accidents covered by safety analysis report includes additional initiating events (e.g. Paks NPP).

Frequencies of occurrence for plant states belonging to this group are usually in the range 10^-2 per reactor/year; however, some plant states of this group are estimated to be less frequent (range of 10^-2 - 10^-4). Conditions classified as belonging to this group are usually included in the list of the design basis accidents (see Annex II).

5.3. ACCIDENT CONDITIONS

Accident conditions are defined as deviations from operational states which are not expected to occur, but are postulated because their consequences would include the potential for the release of a significant amount of radioactive material. Design basis accidents (DBAs) are the most drastic accident conditions that the plant must be designed against. For these conditions the releases of radioactive materials are kept within acceptable limits, owing to the appropriate design of the plant. Plant conditions covered by this group are defined by specifying the initiating event and by describing the appropriate availability of plant systems. Single failure criterion and other general design principles discussed in Section 2.5 are applied in this definition. Postulated events that initiate the most typical accidents classified as design basis accidents are listed in Table VII.

Frequencies of PIEs included in this group are usually in the range of 10^-2 - 10^-6 events per reactor/year. Design basis accidents to be considered in the project are listed in Annex II. An analysis of DBA conditions is presented in a separate document being issued within the project framework.


TABLE V. NORMAL OPERATIONAL STATES CONSIDERED IN THE DESIGN OF WWER NPPs

No. | Definition of plant state
1.1 | Transition from cold shutdown to hot shutdown state
1.2 | Transition from hot shutdown to nominal power operational state
1.3 | Cooling-down from hot shutdown to cold shutdown
1.4 | Fluctuations of the reactor power in the range 1% of the nominal value due to operation of plant control system
1.5 | Changes of power level by 2-5% of the nominal value in the range of 10-105% of Nnom, with minimal time between the changes not less than 1 min.
1.6 | Gradual change of power level (increase or decrease) by 5-10% of Nnom not exceeding Nnom.
1.7 | Changes of power level according to daily and weekly programme: daily decrease of thermal power by 25% and subsequent increase of power to previous level with maximal decreasing and increasing rate not exceeding 3% of Nnom per minute, and weekly decrease of thermal power by 50% with maximal changing rate not exceeding 3% of Nnom per minute.
1.8 | Planned shutdown of the plant to hot shutdown state
1.9 | Water tests of primary and/or secondary circuit with regard to:
 | - mechanical strength
 | - leaktightness
1.10 | Tightening of bolts and studs (hermetizing and unhermetizing of equipment):
 | - reactor vessel studs
 | - other equipment

Allowable number of occurrences/plant life

130
280
130
unlimited
unlimited
20000
130
30
100
100
60


TABLE VI. ANTICIPATED OPERATIONAL OCCURRENCES CONSIDERED IN THE DESIGN OF WWER NPPs

No. | Definition of plant state | Allowable number of occurrences/plant life
2.1 | Trip of one RCP out of the six operating | 300 (50 in each loop)
2.2 | Switching-on one RCP with 5 RCPs operating | 300 (50 in each loop)
2.3 | Switching-on one RCP with 5 RCPs operating: switching-off after the period of 3 min of operation | 30 (5 in each loop)
2.4 | Coast-down of all 6 RCPs | 30
2.5 | Switching-off one turbine: |
 | - to house-load power level | 100
 | - to idle operational conditions | 300
 | - turbine trip by closing turbine stop valve | 100
2.6 | Loss of off-site power | 30
2.7 | Loss of main feedwater (excluding rupture of feedwater pipelines) | 30
2.8 | Rupture of steam generator tube | 15
2.9 | Spurious injection of cold water to the pressurizer | 15
2.10 | Malfunction of primary make-up system (CVCS) leading to overfilling of the primary circuit or decreased boron concentration | 30
2.11 | Loss of primary circuit make-up | 200
2.12 | Increase of feedwater flow | 100
2.13 | Malfunction of feedwater system leading to cold water injection into the SG | 10
2.14 | Increase of steam flow | 30
2.15 | Spurious opening of SG feedwater isolating valve | once in each SG
2.16 | Spurious opening of Steam Dump Valves BRU-A or BRU-K | once in each valve
2.17 | Reduction of steam flow | 30
2.18 | Closure of steam generator isolating valve | 30
2.19 | Spurious reactor scram | 150


TABLE VI. (cont.)

No. | Definition of plant state | Allowable number of occurrences/plant life
2.20 | Small LOCA, compensated by normal make-up | 30
2.21 | Insertion of control rod or a group of control rods | 30
2.22 | Loss of power supply to support systems (nonessential power supply) | 30
2.23 | Wrong operation of control rod (system malfunction or human error) | 10
2.24 | Connecting primary system loop containing cold coolant | once in each loop
2.25 | Spurious operation of ECCS: |
 | - under normal power operation | 30
 | - during plant cooling-down | 5
 | - in cold shutdown state | 5
 | - during unit startup | 10
2.26 | Uncontrolled withdrawal of control rod group under subcritical conditions or low power level during unit startup (assuming the most pessimistic reactivity coefficients and coolant parameters), including spurious withdrawal of the control rod or compensating rod during refuelling | 10
2.27 | Uncontrolled withdrawal of control rod group during power operation | 10

Evolution of an accident sequence classified as DBA may lead to plant states in which the availability of plant systems is reduced below the design basis conditions. These accident states exceeding design basis are called beyond design basis accidents (BDBAs). It should be pointed out that in view of appropriate design provisions and existing design margins, not all BDBA conditions will necessarily lead to excess radioactivity releases.

5.4. SEVERE ACCIDENTS BEYOND DESIGN BASIS

Accidents in which the releases of radioactive materials exceed acceptable design limits, including those causing significant core degradation, are called severe accidents. In current safety philosophy these accidents are considered in the design in a limited way (as discussed in Section 2.3). According to this approach accident management measures are established, aiming at the reduction of likelihood of severe accidents or at the mitigation of consequences of these events. Some representative severe accident sequences are selected and analyzed in this context in the project (presented in other documents to be issued within the project).


TABLE VII. DESIGN BASIS ACCIDENTS CONSIDERED IN THE DESIGN OF WWER NPPs

No. | Definition of initiating event/accident
3.1 | Spurious opening of pressurizer safety valve or safety relief valve
3.2 | Spectrum of small break LOCAs caused by postulated ruptures of primary circuit piping
3.3 | Spectrum of large break LOCAs caused by postulated ruptures of primary circuit piping
3.4 | Control rod ejection with control rod drive head rupture
3.5 | Seizure of one RCP
3.6 | Rupture of SG feedwater pipeline
3.7 | Spectrum of various steam lines ruptures inside and outside the containment (including rupture of single SG tube)
3.8 | Break of the shaft of one RCP
3.9 | Operation of the unit with fuel element placed in wrong position during refuelling
3.10 | The most unfavourable accidents during fuel manipulations inside the containment and in the spent fuel storage
3.11 | Accidents due to spent fuel container drop
3.12 | Leakage from or malfunction of gaseous radioactive wastes system
3.13 | Leakage from or malfunction of liquid radioactive wastes tank
3.14 | Postulated release of radioactivity due to rupture of liquid wastes tank
3.15 | SG collector cover rupture or several SG tubes rupture
3.16 | Leakages from the primary circuit during unit shutdown or refuelling
3.17 | Ruptures of impulse tubes or other tubes containing primary coolant outside the containment

Allowable number of events/plant life

1 per each valve
10
1 per each piping diameter
1
1
1
1 per each type of accident
1
1
10


6. OPERATION OF MULTIPLE UNITS

WWER-440 NPPs are usually designed as four unit plants. Each two units (1,2 and 3,4) are built as "twin units". In the case of Bohunice, the units 1 and 2 are of the 230 type and the units 3 and 4 are of the 213 type.

Units belonging to the "twin units" tandem have certain common systems (fully or partially) and buildings, such as:

- demineralized water system
- service water system
- cooling water system
- reserve 0.4 kV electrical bus (the units are reserve for each other)
- hermetic volume ventilation system (ventilation ducts)
- diesel generator building
- reactor hall.

Systems common for the whole plant include:

- low and high pressure air supply system
- fire extinguishing water system
- make-up water preparation system
- plant control room/plant information center
- turbine hall (housing 8 turbines in one hall).

The above mentioned features determine the operational conditions of the plant. They also influence the organizational structure of the shift personnel. There are some organizational units that are common for two units or for the whole plant. Both advantages and disadvantages of this arrangement have been recognized.

6.1. ADVANTAGES

The advantages of multiple unit arrangement are both economic and safety related. The use of common systems, common organizational units, common maintenance and technical support is profitable from the economic point of view.

From the point of view of the operational safety, the higher redundancy provided by the use of certain equipment of the other unit as a reserve seems to be an important advantage. For some accidents the multiple unit arrangement is very beneficial. For instance, in the case of loss of off-site power, the probability of core damage in a multiple unit is much lower than for a one unit plant.

6.2. DISADVANTAGES

The main disadvantages of multiple unit arrangement are safety related. Existing interconnections may permit an event that has occurred in one plant to be propagated to another unit. Some events occurring in common systems may become common cause initiators for two units or even for the whole plant. In certain conditions the units have to be operated with reduced redundancy of systems being shared by two units. For instance, when one unit is in a cooldown state, the redundancy of the service water system is decreased, because one SWS train is completely occupied by the cooldown task.


Within the upgrading safety programme of WWER-440 NPPs some measures have been taken for eliminating or reducing these disadvantages. System reliability and safety studies have been undertaken to find appropriate solutions to discount all potential advantages of multiple unit arrangement. These activities concentrated on the following directions:

- Identification and elimination of the most hazardous interconnections, separation of the units.
- Reliability improvement in existing common systems.
- Installation of new common systems to increase the redundancy and/or the reliability.
- Overall plant safety improvement.

Examples of solutions under implementation in Paks NPP are:

- Separation of the common reserve electrical 0.4 kV bus by installing in each unit the additional transformer that is supplied from the 6 kV switchgear of the other unit. This decreases the probability of transient propagation from one unit to the other.
- Installation of a reserve battery system common to both units, to increase reliability of non-interruptible power supply system.
- Installation of an additional 13th diesel generator unit that serves as a reserve for any of the safety systems.
- Improvement in the area of fire resistance of the turbine hall roof support construction.
- Installation of computerized plant information system in the plant information center for use by the plant supervisor, to provide immediate information concerning the state of the units.


REFERENCES

[1] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety Principles for Nuclear Power Plants, Safety Series No. 75-INSAG-3, IAEA, Vienna (1988).

[2] OPB-82, General Safety Regulations of Nuclear Power Plants during Design, Construction and Operation, Atomnaja Energiya, Moscow 54 2 (1983) 151-160 (in Russian).

[3] PBYa-04-74, Nuclear Safety Regulations for Nuclear Power Plants, Atomizdat, Moscow, 25 March 1976.

[4] OPB-88, General Provisions in Enhancing the Safety of Nuclear Power Plants, PNAE-G-1-011-89, Moscow (1989).

[5] PBYa-RUAES-89, Rules for Nuclear Reactor Plant Safety, PNAE-G-1-024-90, Moscow (1990).

[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Power Plants Design, Safety Series No. 50-C-D (Rev.1), IAEA, Vienna (1988).

[7] Instructions for neutron-physical and thermohydraulic safety analysis for occurrences induced by change of reactivity, Safety of Nuclear Installations, 1/1986, CSKAE, Prague (1986) (in Czech).

[8] Instructions for safety analysis of loss of flow accidents in PWRs, Safety of Nuclear Installations, 1/1986, CSKAE, Prague (1986) (in Czech).

[9] MISAK, J., Methodology of analysis for loss of coolant accidents (WWER-440/213 reactor), The WWER-440/213 Safety Assessment - Reference plant: Bohunice NPP (CSFR), internal report, IAEA TC/RER/004-A014, 1992.

[10] KYNCL, M., Methodology of analysis for loss of flow accidents (WWER-440/213 reactor), ibid.

[11] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, ASME Boiler and Pressure Vessel Code, An American National Standard, Section III, New York (1976).

[12] Overall Plant Design Descriptions of WWER, US Department of Energy, Washington, DC (1987).

[13] STRUPCZEWSKI, A., et al., US DOE Team's Evaluation of WWERs Design, Conclusions. Material prepared for IAEA RER/9/004 Project based on DOE Report DOE/NE-0086.

[14] LAAKSONEN, J., Safety of Soviet WWER - Type Reactor, IAEA Information Seminar, Budapest, 29 May 1991.

[15] Status Report on the Safety and Licensing Issues Related to the Recommissioning of the Zarnowiec NPP, Belgatom, Brussels (1990).

[16] Safety Review of the Containment of the Zarnowiec NPP under Construction in Poland, 29 April - 4 May 1990, Vienna.

[17] Kernkraftwerk Zarnowiec. Wertung Ausgewählter Punkte des Technischen Auslegungskonzeptes aus Sicherheitstechnischer Sicht: Ausführung durch Siemens AG Bereich Energieerzeugung (KWU), Ausgabe: 03 August 1990.

[18] INTERNATIONAL ATOMIC ENERGY AGENCY, WWER-440 Model 230 Safety Programme Report of the Project Review Meeting II, Vienna, 28 Oct - 1 Nov 1991 (Draft 3).

[19] KIEV STATE RESEARCH AND TECHNICAL INSTITUTE 'ENERGOPROJEKT', Analysis of internal flooding hazard and related common cause failures for Rovno Units 1 and 2, internal report, IAEA TC/RER/004-A014, 1992.

[20] KOVACS, Z., Internal Fire Analysis for the Bohunice V2 NPP Unit 3, ibid.

[21] HENKEL, P.O., WOLFEL, H., Building concepts against airplane crash, Nucl. Eng. and Design 79 (1984) 397 - 409.


Annex I

COMPARISON OF SOVIET SAFETY REGULATIONS WITH UNITED STATES GENERAL DESIGN CRITERIA

This Annex presents a comparison of the General Design Criteria (GDC) for Nuclear Power Plants Title 10 of the Code of Federal Regulations Part 50 [1-1] with the Soviet General Safety Regulations for Nuclear Power Plants during Design, Construction and Operation, OPB-82 [1-2].

The comparison has been performed with the intention of providing a better understanding of the similarities and differences of the Soviet approach to achieving safety with that used in other countries with well developed nuclear programmes. The United States regulatory practice, being well known and well accepted at an international level, provides suitable reference for this purpose.

The following background information is relevant to understand properly the context of this comparison and its findings as well as their implications from the point of view of the project objectives.

The OPB-82 specifies top level safety criteria; however, it also contains some technical, procedural and managerial requirements. Therefore, the comparison is of US criteria with the Soviet technical requirements. In addition to OPB-82 there are other documents which address the general principles and criteria for assuring safety. OPB-82 is a central document but others play a supplementary role. There are also frequent references to IAEA codes for nuclear facilities and it appears that these documents are regarded as a part of safety related guidance to designers and operators.

It should be pointed out that the Soviet system did not contain any documents that are analogous to US NRC Regulatory Guides. Also lacking in the Soviet system were detailed requirements concerning analyses, such as provided in 10 CFR 50 Appendix K (ECCS Evaluation Models).

The comparison provided in this Annex is limited to top level criteria. Therefore, the results of this comparison should be considered with care. Existing differences may be associated with a different structure of the regulation system, different responsibilities of organizations involved in the design and licensing process, and other factors not being the subject of comparison. The comparison provided in this Annex is based on comparative evaluation performed earlier by US Department of Energy (DOE) and included as background material in the study related to WWER type reactors [1-3].

The latter material contains exact citation of both US General Design Criteria and analogous Soviet General Safety Requirements. The comparison also provides a description of the means by which a US typical PWR satisfies the US criteria.

The comparison presented in the Annex generally follows a similar logic. Table I-I summarizes the results of the comparison. Information included in this table is limited to reference numbers of appropriate criteria/requirements; for exact formulation appropriate references should be used [1-1,1-2]. In addition to this information brief comments are provided on OPB-82 requirements from the point of view of their comparability to the related GDC 10 CFR 50.

The results of the comparison may be summarized by the following general observations.

Despite different logical structure, the OPB-82 requirements are in many areas comparable to US GDC.


The comparison identified numerous areas where OPB-82 requirements are much more general in comparison to US GDC. In several cases OPB-82 requirements refer to a broader group of systems not addressing the specific system that has been given special attention in US GDC.

In some areas the related OPB-82 rules do not include certain requirements that have been already recognized as important to safety (e.g. surveillance programme for the reactor pressure vessel, control of the containment atmosphere for hydrogen, oxygen and other substances).

There are also several areas where the OPB-82 does not contain any requirements comparable to US GDC. The following areas are worth mentioning: fire protection, external hazards, fracture prevention of reactor coolant pressure boundary, reactor coolant makeup, containment design basis. Some of these areas coincide with design related safety concerns, which have been identified during the course of various reviews carried out for WWER-440/213 NPPs (see Section 4 of this document).

In some cases the OPB requirements have been found to be judgemental and using language that is permissive and allows exemptions [1-3]. There are several examples of exemptions that are not incorporated in the US GDC, such as requirements regarding prompt inherent nuclear feedback characteristics, discharge of radioactive materials from the containment to the environment, multipurpose use of safety systems.

There are also some OPB requirements that appear to have no US counterpart; they are mostly basic principles (see [1-3]).

REFERENCES TO ANNEX I

[1-1] NUCLEAR REGULATORY COMMISSION, General Design Criteria for Nuclear Power Plants, 10 CFR 50, Appendix A, US Govt Printing Office, Washington, DC (1986).

[1-2] OPB-82, General Provisions for Assuring Safety at Nuclear Power Plants during Design, Construction and Operation, Atomnaya Energia (Moscow) 54 2 (1983) 151-160 (in Russian).

[1-3] US DEPARTMENT OF ENERGY, Comparison of Soviet Safety Regulations with the United States General Design Criteria (10 CFR 50), DOE/NE-0086, Vol. 4, Appendix D (1988).


TABLE I-I. COMPARISON OF GENERAL SAFETY REQUIREMENTS OPB-82 AND GENERAL DESIGN CRITERIA 10 CFR 50

(1) 10 CFR 50 GDC | (2) OPB-82 General Safety Regulation - related requirements | (3) Comments on OPB-82 related requirements from the point of view of their comparability to GDC 10 CFR 50
1. Quality standards and records | 1.3.5., 1.3.6, 1.3.7, 2.1.3, 2.1.9., 2.2.15., 3.1.6. | Similar content and level of detail
2. Design Bases for protection against natural phenomena | 2.1.6, 2.1.7. | Only general requirements; no guidelines given concerning related design bases
3. Fire protection | 2.6.11. | No direct requirements related to fire protection; the only requirement addresses the necessity to provide standby control panel
4. Environmental and missile design basis | 2.5.5. | No direct requirements related to external hazards
5. Sharing of structures, systems, and components | 2.1.7., 2.8.3. | Similar contents and level of detail
10. Reactor design | 2.2.1., 4.1.2. | Detailed specification of acceptable fuel design limits; more specific prescription of abnormal events to be considered in evaluation of fuel design limits (the events referred are only the part of those defined in 10 CFR 50 as 'anticipated operational occurrences')
11. Reactor inherent protection | 2.2.2., 2.2.3, 2.3.5, 2.3.6, 2.3.7. | Requirements regarding prompt inherent nuclear feedback characteristics (fast power coefficient of reactivity to be negative) allow exceptions
12. Suppression of reactor power oscillations | Same as under GDC 11 |
13. Instrumentation and control | Same as under GDC 11 and 2.5.2. - 2.5.5. | Similar requirements; less prescriptive formulations regarding required scope of monitoring

119

TABLE I-I. (cont.)

Column 1: 10 CFR 50 GDC

14. Reactor coolant pressure boundary
15. Reactor coolant system design
16. Containment design
17. Electric power systems
18. Inspection and testing of electric power systems
19. Control room
20. Protection system functions
21. Protection system reliability and testability
22. Protection system independence
23. Protection system failure modes
24. Separation of protection and control systems
25. Protection system requirements for reactivity control malfunctions
26. Reactivity control system redundancy and capability

Column 2: OPB-82 General Safety Regulation - related requirements

2.4.
2.8.
2.9.1., 2.9.2.
3.7.
2.5.1., 3.4.2.
2.6.1. - 2.6.6., 2.5.5., 3.7.1. - 3.7.3.
2.6.7.
2.6.2.
2.3.1. - 2.3.3.

Column 3: Comments on OPB-82 related requirements from the point of view of their comparability to GDC 10 CFR 50

More prescriptive in specifying design basis conditions to be taken into account instead of using the term 'anticipated operational occurrences'
The terms 'localization system' and 'confinement' are used instead of 'containment'; direct discharge of radioactive materials is permitted in individual cases if it is justified in the design
Electric power supply systems are not specifically addressed; there are only very general requirements related to safety support systems
Same as under GDC 17
Only general requirement to provide control room; no requirements concerning permitted radiation exposure of control room personnel under accident conditions
Similar requirements; no specific address to protection system regarding testability (only general requirements related to safety related systems)
Similar requirements
Malfunctions of the reactivity control systems as initiating events are not specifically addressed
Similar requirements

TABLE I-I. (cont.)

Column 1: 10 CFR 50 GDC

27. Combined reactivity control systems capability
28. Reactivity limits
29. Protection against anticipated operational occurrences
30. Quality of reactor coolant pressure boundary
31. Fracture prevention of reactor coolant pressure boundary
32. Inspection of reactor coolant pressure boundary
33. Reactor coolant make-up
34. Residual heat removal
35. Emergency core cooling
36. Inspection of emergency core cooling system
37. Testing of emergency core cooling system
38. Containment heat removal

Column 2: OPB-82 General Safety Regulation - related requirements

2.3.4.
2.3.5. - 2.3.7.
Same as under GDC 21
Same as under GDC 1 and 2.5.6.
3.7.1. - 3.7.3.
2.1.2.
2.1.2., 2.7.1. -274 41^
2.1.9., 2.1.10., 3.7.1. - 3.7.3.
2.8.5.

Column 3: Comments on OPB-82 related requirements from the point of view of their comparability to GDC 10 CFR 50

Similar requirements
Similar requirements; however, less specific prescription of postulated reactivity accidents used as design basis to establish appropriate reactivity limits (instead, erroneous actions of personnel and single failure of any plant component are explicitly mentioned)
'Extremely high reliability' to accomplish related safety function in the event of anticipated operational occurrences required in 10 CFR 50 is not addressed explicitly
Similar requirements
No comparable requirements
General requirements related to periodic inspection of safety related systems; no explicit address to material surveillance programme for the reactor pressure vessel
No comparable requirements
Only general requirement to provide emergency heat removal capability
Similar requirements; different formulation of fuel design limits; additional requirements with regard to prevention of normal operating system to be damaged due to ECCS response
General requirements related to safety systems; similar contents
Similar requirements

TABLE I-I. (cont.)

Column 1: 10 CFR 50 GDC

39. Inspection of containment heat removal system
40. Testing of containment heat removal system
41. Containment atmosphere cleanup
42. Inspection of containment atmosphere cleanup systems
43. Testing of containment atmosphere cleanup systems
44. Cooling water
45. Inspection of cooling water systems
46. Testing of cooling water systems
50. Containment design basis
51. Fracture prevention of containment pressure boundary

Column 2: OPB-82 General Safety Regulation - related requirements

Same as under GDC 36 and 37
2.8.1., 2.8.2.
Same as under GDC 36 and 37
901 ?Q?
Same as under GDC 36 and 37

Column 3: Comments on OPB-82 related requirements from the point of view of their comparability to GDC 10 CFR 50

General requirements related to safety systems; similar contents
Only general requirement to confine radioactive materials, direct discharge of radioactive materials to the environment is not excluded (permitted if it is appropriately justified in the design); no direct requirements to control the concentration of hydrogen and oxygen and other substances in the containment atmosphere that may impair containment integrity
General requirements related to safety systems; similar contents
Only general requirements to provide appropriate support to safety systems
General requirements related to safety systems; similar contents (provided that cooling water systems are classified as 'safety systems')
No comparable requirements

TABLE I-I. (cont.)

Column 1: 10 CFR 50 GDC

52. Capability for containment leakage rate testing
53. Provisions for containment testing and inspection
54. Piping systems penetrating containment
55. Reactor coolant pressure boundary penetrating containment
56. Primary containment isolation
57. Closed system isolation valves
60. Control of releases of radioactive material to the environment
61. Fuel storage and handling and radioactivity control
62. Prevention of criticality in fuel storage and handling
63. Monitoring fuel and waste storage

Column 2: OPB-82 General Safety Regulation - related requirements

2.8.7., 2.8.8.
2.8.6.
2.10.3.
2.10.2.
2.10.1.
2.5.8.

Column 3: Comments on OPB-82 related requirements from the point of view of their comparability to GDC 10 CFR 50

Similar requirements concerning testability; initial containment leakage rate test is required to be conducted at design pressure, but subsequent testing is permissible at lower pressure
Similar requirements to provide containment isolation valves; less precise prescriptions related to permitted types of valves; no explicit requirements with regard to location, high quality, reliability, protection against natural phenomena, additional provisions for in-service inspection, etc.
Similar requirements
Relatively general requirements limited to spent fuel storage; no explicit address to basic design requirements, such as suitable shielding for radiation protection, appropriate confinement and filtering systems, capability to permit periodic inspection and testing, prevention of significant reduction of cooling capabilities under accident conditions, etc.
Similar requirements
Similar requirements concerning monitoring and signalization capabilities; no explicit requirements to provide systems initiating appropriate safety actions

TABLE I-I. (cont.)

Column 1: 64. Monitoring radioactivity releases

Column 2: 2.5.6. - 2.5.8., 3.5.3. - 3.5.6.

Column 3: Similar requirements concerning monitoring of effluent discharge paths and the plant surroundings; very general requirements with regard to monitoring plant compartments; requirement to monitor the meteorological parameters to evaluate and predict the radiological situation in the plant surroundings; explicit requirement related to monitoring radioactivity of cooling media; specific requirement to control the movement of all radioactive materials within the plant

Annex II
DESIGN BASIS ACCIDENTS PROPOSED FOR CONSIDERATION IN THE PROJECT

1. REACTIVITY ACCIDENTS

1.1. Uncontrolled withdrawal of a control group during start-up (cold subcritical, cold critical at zero power, at 2% power, at 25% power).
1.2. Uncontrolled withdrawal of a control rod group during power operation.
1.3. Inoperability of control rods:
(1) one CR stuck in the bottom position;
(2) one CR stuck in the top position;
(3) an unanticipated insertion of a CR into the core from a stuck position.
1.4. Inadvertent connection to the reactor of a cold RCS loop, or of a loop with a lower boron concentration - 3D calculations (at power levels 0, 35, 75%, initial number of operating loops 3 or 5).
1.5. Uncontrolled decrease of the boron concentration in the reactor coolant.
1.6. Control rod ejection (at zero power, 2% power, full power, beginning of cycle (BOC) - 3D calculations, including LOCA aspects).
1.7. Sudden release of the boron deposited on reactor internals.
1.8. Drop of one control rod into the core at full power.
1.9. Control rod withdrawal during refuelling.
1.10. Inadvertent loading and operation of a fuel assembly in an improper position.

2. LOSS OF FLOW ACCIDENTS (LOFAs)

2.1. Inadvertent closure of one main isolation valve (in the cold and hot leg).
2.2. Seizure of one reactor coolant pump (RCP).
2.3. Break of the shaft of one RCP.
2.4. Coastdown of different number of RCPs (starting from a number of operating RCPs, at various power levels).
2.5. Loss of power supply to all RCPs (6, 5, 4, 3 pumps, different initial power levels).
2.6. Partial blockage of the coolant flow through the fuel assembly at full power.

3. LOSS OF COOLANT ACCIDENTS (LOCAs)

3.1. Complete rupture of the main circulation line (cold leg and hot leg) for different values of the flow contraction coefficient. All accident phases should be analyzed:
- subcooled decompression,
- blowdown,
- refill and reflood,
taking into account processes in the circuits, in the core (including thermo-mechanical behaviour of cladding), and in the containment.
3.2. Accumulator line rupture (to the downcomer, to the upper plenum).
3.3. Pressurizer surge line rupture (one of two lines rupture and rupture of the common part of the surge line).
3.4. Partial cold leg ruptures with inside diameter from 10 to 200 mm.
3.5. Partial hot leg ruptures (two cases for comparison with cold leg ruptures).
3.6. Leaks from the pressurizer steam dome - rupture of the steam line upstream of the safety valve.
3.7. Leaks from the primary to the secondary side of the steam generator (with and without the main isolation valves):
- one steam generator tube rupture;
- several steam generator tubes rupture;
- primary collector head rupture.
3.8. Reactor venting line rupture and steam generator collector line rupture.

4. LOSS OF INTEGRITY OF SECONDARY CIRCUIT

4.1. Main steam line rupture (at zero power, at full power):
- inside hermetic compartments
- in the turbine hall various break positions (with respect to the measuring nozzle), (3D calculation of the reactor core).
4.2. Main steam line rupture coincident with steam generator tube rupture.
4.3. Main steam header rupture (at zero power, at full power).
4.4. Feedwater line rupture:
- between SG and the check valve;
- between the check valve and feedwater header (inside and outside the containment).
4.5. Main feedwater header rupture.

5. LOSS OF POWER SUPPLY

5.1. Change of grid frequency.
5.2. Loss of AC external power.

6. PRIMARY CIRCUIT MALFUNCTIONS

6.1. Reactor scram due to a false signal.
6.2. Startup of the ECCS due to a false signal during power operation.
6.3. Pressurizer spraying by normal make-up system due to an erroneous action.
6.4. Inadvertent pressure increase by pressurizer heating.
6.5. Pressurizer safety valve stuck open at nominal operation.
6.6. Pressurizer safety valve stuck open after its correct opening during corresponding regimes.

7. SECONDARY CIRCUIT MALFUNCTIONS

7.1. Loss of one feedwater pump and failure of the stand-by pump.
7.2. Inadvertent full opening of one feedwater control valve.
7.3. Inadvertent opening of one by-pass valve of the high-pressure reheaters.
7.4. Inadvertent opening of one steam relief valve to the atmosphere.
7.5. Stuck open of one steam by-pass valve to the atmosphere after its required opening.
7.6. Stuck open of one steam by-pass valve to the condenser after its required opening.
7.7. Stuck open of SG safety valve after its required opening.
7.8. Inadvertent closure of the feedwater isolation valve.
7.9. Inadvertent opening and sticking of one SG safety valve in open position.
7.10. One and two turbine trips:
- with by-pass available;
- with by-pass blocked.
7.11. Fast load rejection to the house load with closure of fast isolating valves of one or 2 turbines.
7.12. Inadvertent closure of the main steam line isolation valve.
7.13. Fast turbine load increase by 10% above nominal value.
7.14. Malfunctions of the secondary pressure controller:
- steam flow reduction;
- steam flow increase.
7.15. Loss of condenser vacuum.

8. FORCES ON REACTOR INTERNALS, COMPONENTS (e.g. VALVES) AND PIPING DURINGSPECIFIC ACCIDENTS

8.1. Medium and large break LOCAs.
8.2. Pressurizer safety valve stuck open, with two-phase or liquid flow through the valve.
8.3. Anticipated transient without scram leading to opening of the safety valve.
8.4. Large primary to secondary system leaks with steam lines filled by liquid.
8.5. Loads imposed by concurrent occurrence of the earthquake and large break LOCA.
8.6. Large steam line breaks in the secondary circuit.

9. COLD WATER IMPACT ON THE REACTOR VESSEL MATERIAL DURING OVERCOOLINGTRANSIENTS

9.1. Small and medium size LOCA:
- fluid-fluid mixing in primary loops and in the downcomer;
- impact of the cold tongues on the vessel material (for different number of cold tongues).
9.2. Opening of steam valves (SG safety, steam by-pass, steam relief).
9.3. Large steam leaks from the secondary circuit:
- fluid-fluid mixing;
- impact on the vessel material.
9.4. Starting of the ECCS due to false signal during operation at minimum power.

10. INTERFACING SYSTEM LOCA

(Loss of coolant from reactor pressure boundary to low pressure part of the system).

11. ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)

(With the exception of the initiating event and failure of the reactor protection and control, other systems are assumed to work correctly).

11.1. Inadvertent control rod withdrawal:
- at zero power;
- at 102% (full) power.
11.2. Loss of all normal feedwater pumps.
11.3. Loss of condenser vacuum.
11.4. Inadvertent closure of main steam isolation valves.

12. FUEL HANDLING ACCIDENTS

12.1. Erroneous loading to the core of a fuel assembly with maximum enrichment.
12.2. Flooding of the fresh fuel tank with clean water.
12.3. Flooding of the spent fuel pool with clean water.
12.4. Erroneous loading of the fresh fuel assembly with maximum enrichment to the spent fuel pool.
12.5. Flooding of the transport container for spent fuel with clean water.
12.6. Erroneous loading of the fresh fuel assembly with maximum enrichment to the transport container for spent fuel.
12.7. Inadvertent withdrawal of the fuel assembly from the spent fuel pool.
12.8. Loss of cooling of the spent fuel pool.
12.9. Loss of water from the spent fuel pool.
12.10. Reduction of cooling of cases with damaged fuel assemblies.
12.11. Drop of the spent fuel assembly in the air and under the water.
12.12. Drop of the box with fresh fuel assemblies under the water.
12.13. Drop of the container with fresh assemblies in the air.
12.14. Drop of the container with spent fuel assemblies under the water.

13. ACCIDENTS IN AUXILIARY SYSTEM

13.1. Rupture of the tube in the gas removal or in the radwaste treatment system.
13.2. Hydrogen explosion in the hydrogen treatment system.
13.3. Leaks from the liquid radwaste system and from the special drainage.

14. ACCIDENTS DUE TO EXTERNAL EVENTS

14.1. External and internal missiles:
- internal missiles (e.g. turbine);
- aircraft crash.
14.2. External explosions and release of toxic gases.
14.3. Fires.
14.4. Earthquakes.
14.5. Flooding.

Note. The list provided above has been agreed upon by the project participants as the list of DBA that should be taken into consideration in the design verification task. It corresponds with the contents of a typical safety analysis report (SAR) in its DBA part. A considerable number of the accident initiators listed above have already been included in existing SARs of WWER-440/213 plants. The list was used in the project to select the most representative accidents for detailed evaluation using advanced thermal hydraulic codes (the results of this task are presented in other documents to be issued within the framework of the project).

Annex III
REQUIREMENTS IN STRENGTH ANALYSIS OF NPP EQUIPMENT AND PIPING

COMPARISON OF SOVIET AND UNITED STATES PRACTICE

III-1. SCOPE OF COMPARISON

The material presented in this Annex provides a detailed comparison of Soviet NPP design practice with that applied in the USA. The comparison addresses all important logic elements of strength analysis, such as scope of analysis and related types of calculations, initial data, categories related to plant conditions, strength margins, brittle fracture analysis, and calculation of defects detected during operation. The information is based on the following sources: Soviet national standards - PNAE-G-7-002-86 [III-1], and US standards - ASME Boiler and Pressure Vessel Code [III-2, III-4]. A detailed comparison is provided in Table III-I. Symbols and abbreviations used in the presentation of strength analysis procedures are given in Section III-2.

III-2. SYMBOLS AND ABBREVIATIONS

$P$ - pressure;
$[P]$ - allowable external pressure at hydrotest temperature;
$T$ - calculated temperature;
$[\sigma]$, $S_m$ - nominal allowable stresses for equipment and pipeline components;
$(\sigma)_1$, $P_m$ - reduced general membrane stresses;
$(\sigma)_2$, ?B - reduced stresses determined by sums of components of general or local membrane and general isotropic stresses;
$(\sigma)_{RV}$ - range of reduced stresses determined by sums of components of general or local membrane, general and local bending, general temperature and compensating stresses;
$(\sigma)_{RK}$ - range of reduced stresses determined by sums of components of general or local membrane, general and local bending, general temperature stresses and stresses for compensation of membrane, torsional and bending stresses;
$(\sigma)_{1w}$ - average tensile stresses over the cross-section of bolt or stud due to mechanical loads;
$(\sigma)_{3w}$ - average tensile stresses over the cross-section of bolt or stud due to mechanical loads and temperature effects;
$(\sigma)_{4w}$ - reduced stresses determined by sums of components of average tensile stresses over the bolt or stud cross-section and general bending stresses due to mechanical loads and temperature effects, as well as torsional stresses;
$R_m$ - minimum value of ultimate strength;
$R_{p0.2}$ - minimum value of yield point;
$n_{0.2}$ - safety margin by ultimate strength;
$K_I$ - calculated stress intensity factor;
$K_{Ic}$ - critical stress intensity factor;
$T_K$ - brittle-to-ductile transition temperature of material;
$T_{K0}$ - brittle-to-ductile transition temperature of material in initial state;
$\Delta T_T$ - a shift of brittle-to-ductile transition temperature due to temperature ageing;
$\Delta T_N$ - a shift of brittle-to-ductile transition temperature due to cyclic damaging;
$\Delta T_F$ - a shift of brittle-to-ductile transition temperature due to neutron exposure;
$A_F$ - radiation embrittlement coefficient;
$N_i$ - number of loading cycles under i-conditions of operation;
$[N_i]$ - allowable number of cycles for i-conditions of operation;
$S$ - thickness of component wall;
$a$ - depth of design thickness;
$c$ - large semi-axis (semi-length) of calculated crack;
HT - hydrotest;
SSE - safe shutdown earthquake;
OO - operation occurrence;
NOC - normal operating conditions;
OBE - operating basis earthquake;
h - hydrotest;
w - stud.

TABLE III-I. COMPARISON OF STRENGTH ANALYSIS APPLIED IN THE DESIGN OF NPP EQUIPMENT AND PIPING IN THE FORMER USSR AND THE USA

Columns: No.; Soviet practice; American practice

1. Calculation Categories

1.1 Soviet practice: Basic dimensioning
American practice: the same

1.2 Soviet practice: Checking calculation
American practice: the same

1.2.1 Soviet practice: Static strength calculation
American practice: the same

1.2.2 Soviet practice: Stability calculation
American practice: the same

1.2.3 Soviet practice: Cyclic strength calculation (low cycle fatigue)
American practice: the same

1.2.4 Soviet practice: Brittle failure strength calculation
American practice: the same

1.2.5 Soviet practice: Seismic effects calculation, calculation of seismic forces included
American practice: the same

2. Initial Data

2.1 Design pressure
Soviet practice: Maximum excess pressure used in basic dimensioning strength calculation at which the manufacturer permits operation of equipment or pipeline at calculated temperature under normal operating conditions (NOC).
American practice: Assigned internal or external design pressure values should be not less than the largest pressure difference between inside and outside of the component at preset normal working conditions. Internal design pressure should include pressure fluctuation tolerances.

2.2 Design temperature
Soviet practice: Wall temperature equal to maximum mean arithmetic values of temperature on its outer and inner surfaces in one section under NOC (for components of nuclear reactor vessels calculated temperature is estimated with regard to internal power as mean integral value of temperature distribution through the vessel wall).
American practice: Assigned calculated temperature should be not lower than the actual maximum metal temperature at preset normal working conditions for whole volume of the component under consideration. When the component is subject to heating at the expense of work-coil, enclosing into a jacket or internal heat generation, then turn on of such a heater shall be taken into account by established calculated temperature.

2.3 Soviet practice: Hydrotest pressure for equipment and pipeline shall not be lower than the one determined by the formula

$P_h = 1.25\,P\,[\sigma]^{T_h}/[\sigma]^{T}$

(lower boundary), and not higher than the pressure at which the stresses in the structure under the test are equal to one of the two limiting values

$\sigma_1 = 1.35\,[\sigma]^{T_h}$ or $\sigma_2 = 1.7\,[\sigma]^{T_h}$ (upper boundary),

where $P$ is design pressure during manufacturer tests or operating pressure during tests following the assembly and during operation. For components loaded with external pressure the condition

$P_h < 1.25\,[P]$

should also be satisfied.

American practice: Hydrotest pressure is determined as:

$P_h = 1.25\,P$

where $P$ is design pressure during tests prior to the assembly.

During the tests following the assembly and in the course of operation $P$ is defined as nominal operating pressure and the coefficient 1.25 used in the formula depends upon $T_h$ (it decreases with increase of $T_h$).

2.4 Soviet practice: The theory of maximum tangential stresses is applied in the calculations.
American practice: the same

Soviet practice: While calculating brittle failure strength the theory of highest normal stresses is applied.
American practice: the same

3. Categories of conditions

Soviet practice: Three categories of conditions are considered in checking calculation:

- normal operating conditions (the conditions of operational regimes envisaged by the planned schedule of NPP operation and the conditions of water tests for strength and tightness);

- operational occurrences (any deviation from normal operating conditions by pressure, temperature, loads etc. that requires reactor shutdown in order to avoid emergency core cooling system actuation);

- accident (any deviation from normal operating conditions the consequences of which can result in such disturbances in reactor core operation that emergency core cooling system operation will be required).

When taking into account the seismic inputs various load combinations are considered depending on the category of equipment:

Category 1

a) combination of loads under normal operating conditions and safe shutdown earthquake (NOC + SSE);

b) combination of loads under normal operating conditions and design basis earthquake (NOC + DBE);

Category 2

- combination of loads under normal operating conditions and design basis earthquake (NOC + DBE).

American practice: Four categories of conditions are considered in the calculations:

- normal conditions (any conditions that appear during the system start-up, power variations within design interval, testing, heating due to failed equipment and system shutdown except those classified as operational occurrences, accidents, disasters);

- operational occurrences (deviations from normal conditions) are assumed to take place quite frequently, so that the structure should possess the ability to be restored to normal operation without any damage;

- accidents (rare cases) are deviations from normal conditions and require a shutdown to change the conditions or repair the system;

- conditions of disaster (partial destruction) are a combination of conditions connected with a very low probability, the consequences of which are such that the integrity and operability of a nuclear power plant may be affected to an extent when it becomes problematic to ensure health and safety of people.

4. Strength margins

4.1 Soviet practice: Strength margins while determining the nominal allowable values of stresses for equipment and pipeline components loaded with internal pressure are:

[o] = miu 0.2

'0.2 "m

n0,2 = nm = 2.6

For elements loaded with external pressure exceeding the internal one $n_{0.2} = 1.5$; $n_m = 2.6$. Additionally, for these elements stability calculation is performed.

American practice:

= min

For austenitic steels

20°c „r „2û°c rjf\._. *»•« *^Tt n *? -* »i n°7m m p,\}.L pjj.2.

= 1.5; Sm = 0.9<0.2

but not more than

For components loaded with external pressure stability calculation is performed with component wall thickness variation.

4.2 Soviet practice: For bolts and studs from pressure and forces of tightening

[0L = / «0.2

= 2

American practice:

,20'c „rs =mi

nn, = 3

5. Allowable stresses are determined according to stress categories

5.1 Soviet practice: Equipment components under normal operating conditions

$(\sigma)_1 \le [\sigma]$

$(\sigma)_2 \le 1.3\,[\sigma]$

$(\sigma)_{RV} \le (2.5 - R^T_{p0.2}/R^T_m)\,R^T_{p0.2}$, but not more than $2R^T_{p0.2}$

For operational occurrences the allowable values $(\sigma)_1$ and $(\sigma)_2$ are increased by 20%, for accidents by 40%.

American practice:

$P_L \le 1.5\,S_m$

$P_L + P_b \le 1.5\,S_m$

$P_L + P_b + P_e + Q \le 3\,S_m$

For conditions of operational occurrences and accidents the approach is the same.

5.2 Soviet practice: Pipelines under normal operating conditions

$(\sigma)_2 \le 1.3\,[\sigma]$

but not more than

For operational occurrences the allowable values $(\sigma)_1$ and $(\sigma)_2$ are increased by 20%.

American practice:

S <3Sn

5.3 Soviet practice: Bolts and studs under normal operating conditions

$(\sigma)_{1w} \le [\sigma]_w$

$(\sigma)_{3w} \le 1.3\,[\sigma]_w$

$(\sigma)_{4w} \le 1.7\,[\sigma]_w$

For operational occurrences allowable values of $(\sigma)_{1w}$, $(\sigma)_{3w}$ and $(\sigma)_{4w}$ are increased by 20%, for accidents by 40% (for reactor vessels only).

American practice:

$(\sigma)_{3w} \le 3S_{mw}$

$(\sigma)_{4w} \le 3S_{mw}$

normal operating conditions and accidents included.

5.4 Soviet practice: For equipment and pipeline components the calculation of cyclic strength (low-cycle fatigue) is performed using the stress margin $n_\sigma = 2$ and the margin on number of cycles $n_N = 10$.
American practice: Margins $n_\sigma = 2$ and $n_N = 20$ are used.

6. Brittle fracture resistance calculation

6.1 Soviet practice: Normal operating conditions are considered, the conditions of water tests, operational occurrences and accidents are included.
American practice: Ditto

6.2 Soviet practice: Characteristics of material and allowable values of stress intensity coefficients $[K_I]_i$, $K_{Ic}$, $T_K$.

To estimate $K_{Ic}$ the correlation is plotted between $[K_I]_i$ and reduced temperature $(T - T_K)$ that is a line bending over two curves. One of these curves is obtained by dividing the ordinates of initial curve $K_{Ic}$ by strength margin ratio $n_K$, the other is obtained by displacement of initial curve $K_{Ic}$ along x-coordinate by temperature margin $\Delta T$. For normal operating conditions (i = 1) $n_K = 2$, $\Delta T = 30$°C; for operational occurrences and water tests (i = 2) $n_K = 1.5$, $\Delta T = 30$°C; for accidents (i = 3) $n_K = 1$, $\Delta T = 0$°C.

American practice: $K_{IR}$, $RT_{NDT}$

The lower limits of $K_I$ critical values, corresponding to static and dynamic loading as well as to the moment of stopping the growth of crack are laid as the basis of curve $K_{IR} = f(T - RT_{NDT})$.

6.3 Soviet practice: Critical temperature $T_K$ is determined by formula

$T_K = T_{K0} + \Delta T_T + \Delta T_N + \Delta T_F$

$\Delta T_F = A_F\,(F_n/F_0)^{1/3}$,

$F_n$ - neutron fluence with energy E > 0.5 MeV, $F_0 = 10^{22}$ 1/m². The formula holds true when $10^{22} < F_n < 3 \times 10^{24}$ 1/m².

The values of $T_{K0}$, $\Delta T_T$, $A_F$ are provided in appraisal reports on materials (base metal and welded joints).

American practice: While determining $T_{NDT}$ the factors related to operational effects (ageing, irradiation) are taken into account.

6.4 Soviet practice: While considering the normal operating conditions and hydrotests, surface semi-elliptic crack of depth a = 0.25S with semi-axes is assumed as a design defect. For this use the design wall thickness of components of equipment and pipelines does not include the thickness of corrosion-resistant cladding. Coefficient $K_I$ is determined analytically, numerically or experimentally.

American practice: For cross-sections (102-305) mm thick the depth and the length of design defect are equal to 0.25S and 1.5S respectively (correlation of semi-axes is a/c = 1/3). For cross-sections exceeding 305 mm the defect is defined as that used for S = 305 mm. For cross-sections less than 102 mm the defect 25.4 mm in depth is postulated.

6.5 Soviet practice: Under normal operating conditions design coefficient $K_I$ for the design defect mentioned above shall not exceed $[K_I]_1$. The calculation is performed up to reduced temperature $(T - T_K)^*$, the maximum value of which on the plot $[K_I]_1 = f(T - T_K)$ corresponds to the value $[K_I]_1^*$, determined by formula [K,)i* =0.35RTp,0.2(S1000)1/2.

American practice: For normal conditions and operational occurrences the following inequality should be met:

2K I b +K I [ <K I I

6.6 Soviet practice: For operational occurrences and accidents the following conditions should be met:

$K_I < [K_I]_2$

$K_I < [K_I]_3$

The calculation is performed for the spectrum of cracks with depth down to 0.2 S and for each design crack the above mentioned conditions should be met.

American practice: For accidents and severe accidents each situation is recommended to be considered separately. The principles described in Appendix G of ASME Boiler and Pressure Vessel Code [III-2] may be used wherever possible for any postulated loads, dimensions of defects and materials viscosity that may take place under considered circumstances.

6.7 Soviet practice: For each component a determination of water test temperature is performed proceeding from the condition $K_I = [K_I]_2$, i.e. reduced temperature is determined $T_R = (T - T_K)$, at a specified value of $T_{hl} = T_R + T_K$.

Water test temperature ($T_{hl}$) for tests performed before mounting and during operation is determined in the same way.

American practice: Before-mounting water test temperature (minimum pressurization temperature) should be not less than $RT_{NDT}$ + 33°C. For tests performed during operation the influence of operational factors on $T_{NDT}$ is taken into account.

7. Calculation of defects detected during operation

Soviet practice: The calculation is performed according to [III-3]. The defects found out are displayed graphically and their parameters are determined (orientation, depth, length, distance from component surface). Then the growth of design defect dimensions is determined at given cyclic stresses and number of loading cycles ($\Delta a_N$ or $\Delta c_N$). Based on ultimate state calculations that take into account all operating conditions, the allowable crack is determined for which the condition $K < [K]$ is satisfied.

The dimensions of the crack obtained are denoted $[a]_1$ and $[c]_1$. The dimensions of design defect (taking into account the growth) should be less than $[a]_1$ and $[c]_1$. While determining $[K]$, strength margins are introduced that are higher than in brittle fracture resistance calculations at the stage of designing [III-1]; the following values are recommended:
- for normal operating conditions $n_K = 3$; $\Delta T = 30$°C;
- for operational occurrences and water tests $n_K = 2$; $\Delta T = 20$°C;
- for accidents $n_K = 1.4$; $\Delta T = 10$°C.

The assumption that the crack does not start to grow is the basis of the method.

American practice: Defect indexing analysis is given in Appendix A of ASME Code Part XI [III-4]. The defects found out are also displayed in graphical form and the growth of defects by the end of service life ($a_f$) is determined. Further the minimum critical dimensions of the defect for normal operating conditions is determined, operational occurrences ($a_c$) are included.

The defect is determined using the concept of fracture viscosity at crack stopping ($K_{Ia}$).

For emergency conditions the minimum critical defects for start-up of crack growth are determined. After that the criteria of acceptability $a_f < 0.1a_c$ and $a_f < 0.5a_i$ are checked.

REFERENCES TO ANNEX III

[III-1] Standards applied in strength analysis of NPP equipment and piping, PNAE G-7-002-86, Moscow, Energoizdat (1989), (in Russian).

[III-2] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, ASME Boiler and Pressure Vessel Code, An American National Standard, Section III, New York (1977).

[III-3] Methodological approach for material defects evaluation applied for NPP equipment and piping under operational conditions, M-01-88, Moscow (1988), (in Russian).

[III-4] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, ASME Boiler and Pressure Vessel Code, An American National Standard, Section XI, New York (1977).


Annex IV

TECHNICAL DATA ON MAIN STRUCTURAL MATERIALS USED FOR MANUFACTURE OF EQUIPMENT AND PIPING IN WWER NPPs

IV-1. GENERAL INFORMATION

The use of structural materials in the manufacture of equipment and pipelines of WWER NPPs is regulated by the State standards "Rules for Construction and Safe Operation of the Equipment and Pipelines for NPPs" (PNAE-G-7-008-89) issued by the former USSR State Commission for Supervision of Nuclear Power Safety.

A brief overview of structural materials and their applications in manufacture and erection of NPP components is provided in Table IV-I.

Welding and build-up (anticorrosive cladding and strengthening building-up) applied in manufacture, erection and repair of NPP components are regulated by the document "Equipment and Pipelines for Nuclear Power Plants, Welding and Building-up, Principal Regulations" (PNAE-G-7-009-89). Requirements related to the methods and scope of inspection as well as quality assurance of welded joints and weld-cladding items are provided in the document "Equipment and Pipelines for Nuclear Power Plants, Welded Joints and Building-up, Inspection Rules" (PNAE-G-7-010-89).

Steel making and fabrication of semi-finished items made of the structural materials listed in Table IV-I are carried out using special technologies developed in close co-operation with scientific research institutes.

Structural materials used for fabrication of NPP equipment are produced with special attention to assuring a low concentration of detrimental impurities (especially sulphur, phosphorus, copper and other non-ferrous metals), gases (hydrogen, nitrogen) and non-metallic inclusions (oxides, silicates, sulphides, etc).

The required quality of materials is achieved by using special blending materials, an appropriate fabrication process, current methods of out-of-furnace processing and vacuum casting.

The making process, grade chemical composition and guaranteed mechanical properties of the structural materials listed in Table IV-I are presented in Section IV-2. This material is solely provided by the Kurchatov Institute, Russian Research Center, within the framework of the project.

IV-2. TECHNICAL SPECIFICATIONS

Basic information concerning fabrication process, grade chemical composition and guaranteed mechanical properties of the main structural materials are given in the following sections, each of them devoted to one type of material.

Generally, standard Soviet designation of steel and alloys is followed in this presentation. However, there are some modifications in the use of letters that show the presence of certain elements. The following letter designations are used for the chemical components:

H - chromium
N - nickel
M - molybdenum
W - tungsten
F - vanadium
T - titanium
A - contains nitrogen

A one or two digit number in the front of the entire designator indicates the content of carbon in tenths of a percentage point. A number following a letter specifies the content of the given element in whole percentage points. For instance, the steel 08H18N12T contains 0.08% carbon, 18% chromium, 12% nickel, and below 1% titanium.

The letter 'A' at the end of a designation indicates 'improved quality'. The letters VD at the end of a designation indicate that the method of manufacture was vacuum arc remelting. The letter K at the end of a designation of plain carbon steel indicates the boiler application (e.g. 20K refers to boiler steel containing 0.20% carbon).
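The designation scheme described above can be decoded mechanically. The following Python sketch is an added example, not part of the report: the function name parse_grade and its output fields are assumptions, the carbon figure is read as in the report's worked examples (08 gives 0.08%, 20K gives 0.20%), and suffixes other than VD are returned uninterpreted.

```python
import re

# Letter codes exactly as listed in the report's transliterated scheme.
ELEMENTS = {"H": "chromium", "N": "nickel", "M": "molybdenum", "W": "tungsten",
            "F": "vanadium", "T": "titanium", "A": "nitrogen"}


def parse_grade(designation):
    """Decode a grade such as '08H18N12T' or '22K-VD' (hypothetical helper)."""
    base, _, suffix = designation.strip().upper().partition("-")
    match = re.fullmatch(r"(\d{1,2})?([A-Z][A-Z0-9]*)", base)
    if match is None:
        raise ValueError(f"not a grade designation: {designation!r}")
    carbon, body = match.groups()
    info = {
        # Leading digits read as in the report's examples: 08 -> 0.08 % carbon.
        "carbon_pct": int(carbon) / 100 if carbon else None,
        "elements": [],             # (element, whole percent or None) pairs
        "improved_quality": False,  # trailing letter A
        "boiler_steel": False,      # plain carbon steel ending in K
        "vacuum_arc_remelted": suffix == "VD",
        "suffix": suffix or None,   # kept verbatim; only VD is interpreted
    }
    if body == "K" and carbon:
        info["boiler_steel"] = True
        return info
    if body.endswith("A"):
        # A at the end means improved quality; an A elsewhere means nitrogen.
        info["improved_quality"] = True
        body = body[:-1]
    for letter, amount in re.findall(r"([A-Z])(\d+)?", body):
        if letter not in ELEMENTS:
            # Letters outside the report's list are rejected, not guessed.
            raise ValueError(f"unknown element letter {letter!r} in {designation!r}")
        # No number after the letter: the report's example reads this as below 1 %.
        info["elements"].append((ELEMENTS[letter], int(amount) if amount else None))
    return info


if __name__ == "__main__":
    for grade in ("08H18N12T", "15H2MFA-A", "22K-VD", "HN35WT-VD", "14H17N2"):
        print(grade, parse_grade(grade))
```

A designation written with letters outside the list above, such as the 08X18H10T spelling that appears in Table IV-V, is rejected with a ValueError instead of being decoded.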

IV.2.1. Chrome-molybdenum-vanadium steel 15H2MFA and 15H2MFA-A

The steel 15H2MFA is made in the basic furnaces and is subject to out-of-furnace refining and degassing with machining. Both the acid open-hearth furnace duplex-process and the basic electric-arc furnace process are acceptable.

The chemical composition and mechanical properties of steel satisfy the requirements specified in Tables IV-II and IV-III, respectively.

The coefficient of radiation embrittlement (AF) of steel 15H2MFA-A irradiated at a temperature of 270°C does not exceed 12 (according to "Norms for Strength Analysis of NPP Equipment and Piping", PNAE-G-7-002-86).

IV.2.2. Chromium-nickel austenitic steel 08H18N10T and 08H18N10T-VD

To fabricate the plant components (as listed in Table IV-I) the steel is used in the form of forged-rolled blanks, sheets, slabs, forgings and tubes.

The steel 08H18N10T is made in the electric-arc furnaces. The steel 08H18N10T-VD is made in the same way but with subsequent remelting in the vacuum-arc electric furnaces.

The melt chemical composition of steel 08H18N10T for tubes, forged-rolled blanks, sheets, slabs and forgings, as well as for forgings made of steel 08H18N10T-VD, should satisfy the requirements specified in Table IV-IV (according to the GOST 5632-72 standards). Mechanical properties of blanks are determined by the requirements provided in Table IV-V.

IV.2.3. Chromium-nickel austenitic steel 08H18N12T

The steel is made in the electric-arc furnaces. The chemical composition of steel satisfies the requirements given in the GOST 5632-72 and is presented in Table IV-VI. Mechanical properties of the tube metal after heat treatment are given in Table IV-VII.


IV.2.4. Zirconium alloy N-1

N-1 alloy is fabricated according to a special technological process and its grade composition is proprietary information.

Mechanical properties of the tube metal after annealing during short term tension are provided in Table IV-VIII.

IV.2.5. Carbon quality steel 22K

The steel is made in the open-hearth furnace or electric-arc furnace and is subject to out-of-furnace refining and degassing with machining. Steel making is either by acid open-hearth furnace duplex-process, basic electric-arc furnace process or by the methods of electroslag remelting (ESR) or vacuum-arc remelting. Basic open-hearth furnace process is permitted when casting the ingots of not more than 10 t to be used for fabrication of sheets with a thickness not exceeding 60 mm. Ingots with mass exceeding 16.3 t to be used for fabrication of sheets are produced by the use of out-of-furnace refinement and degassing with machining, or by arc remelting or electroslag remelting. Sheets with thickness exceeding 160 mm are fabricated of metal made either by using arc remelting or electroslag remelting.

The chemical composition and mechanical properties of steel 22K should satisfy the requirements specified in Tables IV-IX and IV-X, respectively.

IV.2.6. Structural alloy steel 38HN3MFA

The steel is fabricated in accordance with the requirements specified in the GOST 4543-71. Chemical composition and mechanical properties of the steel should satisfy the requirements given in Tables IV-XI and IV-XII, respectively.

IV.2.7. Iron-nickel alloy HN35WT-VD

The alloy is melted in the electric-arc furnaces with subsequent vacuum-arc remelting.

The melt chemical composition and mechanical properties of the material satisfy the requirements specified in Tables IV-XIII and IV-XIV.

IV.2.8. High-alloy martensitic-ferritic steel 14H17N2

The steel is melted in electric-arc furnaces. Melt chemical composition should satisfy the requirements given in Table IV-XV (according to the GOST 5632-72). Mechanical properties of steel should meet the requirements specified in Table IV-XVI.


TABLE IV-I. PRIMARY CIRCUIT STRUCTURE MATERIAL GRADES

Components                          Material grade

1.    Reactor
1.1.  Reactor vessel                15H2MFA, 15H2MFA-A + anticorrosive building-up
                                    15H2MFA-A - core shroud
1.2.  Reactor vessel top head       15H2MFA + anticorrosive building-up
1.3.  Internals                     08H18N10T
1.4.  Fuel element cladding         zirconium alloy N-1
1.5.  Instrumentation nozzles       22K + anticorrosive building-up
1.6.  Studs of main joint           38HN3MFA

2.    Steam generator
2.1.  Vessel                        22K-VD
2.2.  Tube bundle                   08H18N10T
2.3.  Coolant header                08H18N10T-VD
2.4.  Main fasteners                HN35WT-VD

3.    Pressurizer
3.1.  Vessel                        22K + 08H18N10T or anticorrosive building-up
3.2.  Nozzles                       22K + anticorrosive building-up
3.3.  Fasteners                     38HN3MFA

4.    Pressurizing system piping    08H18N10T

5.    Main coolant piping           08H18N12T


TABLE IV-I. (cont.)

Components                          Material grade

6.    Reactor coolant pump
6.1.  Casing                        08H18N10T
6.2.  Shaft                         14H17N2
6.3.  Operating wheel               08H18N10T
6.4.  Auxiliary wheel               08H18N10T

7.    ECCS tank
7.1.  Vessel                        22K + 08H18N10T or anticorrosive building-up
7.2.  Nozzles                       22K + 08H18N10T or anticorrosive building-up

8.    ECCS pipelines                08H18N10T


TABLE IV-II. CHEMICAL COMPOSITION OF CHROME-MOLYBDENUM-VANADIUM STEEL

Steel

grade

15H2MFA

15H2MFA-A

Mass content of elements (%)

C

0.11-0.18

0.11-0.18

Si

0.17-0.37

0.17-0.37

Mn

2.5-3.00

0.30-0.60

Cr

0.60-0.80

2.5-3.00

Mo

0.60-0.80

0.60-0.80

V

0.25-0.35

0.25-0.35

Ni Cu Co As S P Sb Sn

not more than

0.40

0.40

0.30

0.10

0.025

0.025

0.040

0.010

0.020

0.015

0.020

0.012

-

0.005

-

0.005

TABLE IV-III. MECHANICAL PROPERTIES OF CHROME-MOLYBDENUM-VANADIUM STEEL

Test temperature t = 293 K (not less than):

  Ultimate tensile strength Rm, MPa     540-735
  Yield strength Rp0.2, MPa             430
  Relative elongation A5, %             14
  Relative narrowing Z, %               50
  Impact strength KCU, J/cm2            49

Test temperature t = 623 K (not less than):

  Ultimate tensile strength Rm, MPa     490
  Yield strength Rp0.2, MPa             390
  Relative elongation A5, %             14
  Relative narrowing Z, %               50

Brittle-to-ductile transition temperature, K (not more than): 273

TABLE IV-IV. CHEMICAL PROPERTIES OF CHROMIUM-NICKEL AUSTENITIC STEEL

Mass content of elements (%) by steel grade (type of blank)

Element                08H18N10T      08H18N10T, 08H18N10T-VD
                       (tubes)        (forged-rolled blanks, sheets,
                                      slabs, forgings)

C   (not more than)    0.08           0.08
Mn  (not more than)    1.5            2.0
Si  (not more than)    0.8            0.8
Cr                     17.0 - 19.0    17.0 - 19.0
Ni                     10.0 - 11.5    9.0 - 11.0
Ti                     5xC - 0.60     5xC - 0.70
Co  (not more than)    0.05           0.025
Cu  (not more than)    0.30           0.30
N   (not more than)    0.05           -
S   (not more than)    0.020          0.020
P   (not more than)    0.035          0.035

TABLE IV-V. MECHANICAL PROPERTIES OF CHROMIUM-NICKEL AUSTENITIC STEEL

Values are not less than, by steel grade (type of blank)

Property                               08X18H10T, 08X18H10T-VD          08X18H10T
                                       (forged-rolled blanks, sheets,   (tubes)
                                       slabs, forgings)

Test temperature t = 20°C
  Ultimate tensile strength Rm, MPa    490                              549
  Yield strength Rp0.2, MPa            196                              -
  Relative elongation A5, %            35                               35
  Relative narrowing Z, %              40                               -

Test temperature t = 350°C
  Ultimate tensile strength Rm, MPa    353                              -
  Yield strength Rp0.2, MPa            176                              196-343
  Relative elongation A5, %            25                               -
  Relative narrowing Z, %              40                               -

Note. Values of mechanical properties are related to longitudinal specimens.

TABLE IV-VI. CHEMICAL COMPOSITION OF CHROMIUM-NICKEL AUSTENITIC STEEL 08H18N12T

Steel grade: 08H18N12T

Mass content of elements (%)

C    not more than 0.08
Si   not more than 0.8
Mn   not more than 2.0
Cr   17.0 - 19.0
Ni   11.0 - 13.0
Ti   5xC - 0.6
Fe   base
S    not more than 0.020
P    not more than 0.035

TABLE IV-VII. MECHANICAL PROPERTIES OF TUBE METAL IN HEAT-TREATED STATE

Steel grade: 08H18N12T

Values are not less than.

Property                            Test temperature, °C
                                    20        325

Ultimate tensile strength, MPa      491       353
Yield strength, MPa                 196       177
Relative elongation, %              40        -
Relative narrowing, %               55.0      50.0

Thickness of mandrel "d" at bending test of specimen with thickness of "a": d = 2a

TABLE IV-VIII. MECHANICAL PROPERTIES OF TUBES MADE OF ZIRCONIUM ALLOY N-1

Values are not less than.

Test in longitudinal direction, t = 380±5 °C:

  Yield strength Rp0.2, MPa             78.4

Test in transverse direction, test temperature t = 20 (-10/+15) °C:

  Ultimate tensile strength Rm, MPa     272
  Yield strength Rp0.2, MPa             204
  Relative elongation A5, %             28

Test in transverse direction, test temperature t = 380 (+5/-5) °C:

  Ultimate tensile strength Rm, MPa     145
  Yield strength Rp0.2, MPa             127
  Relative elongation A5, %             33

TABLE IV-IX. CHEMICAL COMPOSITION OF CARBON QUALITY STEEL

Steel grade: 22K, 22K-ESP, 22K-VD

Mass content of elements, %

C    0.19 - 0.26
Si   0.20 - 0.40
Mn   0.75 - 1.00
Cr   not more than 0.40
Ni   not more than 0.30
Cu   not more than 0.30
S    not more than 0.025
P    not more than 0.025
N    not more than 0.008
As   not more than 0.080

TABLE IV-X. MECHANICAL PROPERTIES OF CARBON QUALITY STEEL

Type of blank

Forgings, blanks of parts made of rolled metal

Slabs, sheets, sheet formed blanks

Forgings, blanks of parts made of rolled metal, sheets, sheet formed blanks

Steel grade

22K

22K - ESP

22K- VD

22K

22K - ESP

22K

22K - ESP

Strength category, MPa

KII215

KII215

KII250

KII270

KII280

Wall thickness or cross-section dimension, mm

not more than 400

not more than 600

not more than 1000

20 - 160

20 - 480

40 - 200

40 - 150

40 - 120

Test temperature +20°C

Ultimate tensile strength Rm, MPa

Yield strength Rp0.2, MPa

Relative elongation A5, %

Relative narrowing Z, %

Impact strength KCU, kJ/m2

not less than

430 - 620

430 - 620

435 -635

470 - 635

480 - 645

215

215

250

270

280

21

20

45

45

685

685

685

TABLE IV-X. (cont).

Grade of steel

22K

22K - ESP

22K-VD

22K

22K-VD

22K - ESP

22K

22K - ESP

Category of strength, MPa

215

215

KII250

KII 270

Wall thickness or cross-section dimension, mm

up to 200

above 200 up to 400

above 400 up to 600

up to 200

above 200 up to 1000

20 - 160

20 - 280

up to 200

up to 150

Mechanical properties at test temperature depending on thickness of cross-section wall for heat treatment

Test temperature t = 270° C

Ultimate tensile strength Rm, MPa

Yield strength Rp0.2, MPa

Relative elongation A5, %

Relative narrowing Z, %

Test temperature t = 350°C

Ultimate tensile strength Rm, MPa

Yield strength Rp0.2, MPa

Relative elongation A5, %

Relative narrowing Z, %

After mechanical ageing

Impact strength (average value) KCU, kJ/m2

not less than

335

355

390

420

195

195

185

195

185

195

195

230

240

18

18

18

18

45

45

45

45

355

355

380

410

185

185

220

230

18

18

18

45

45

45

-

295

295

Blank section or wall thickness, mm

20 - 200

above 200 up to 600

Brittle-to-ductile transition temperature Tk0, °C

not above

40

50

TABLE IV-XI. CHEMICAL COMPOSITION OF STRUCTURAL ALLOYED STEEL 38HN3MFA

Steel grade: 38HN3MFA

Content of elements (%)

C    0.33 - 0.40
Si   0.17 - 0.37
Mn   0.25 - 0.50
Cr   1.20 - 1.50
Ni   3.0 - 3.5
Mo   0.35 - 0.45
V    0.10 - 0.18
Cu   not more than 0.30
S    not more than 0.025
P    not more than 0.025

TABLE IV-XII. MECHANICAL PROPERTIES OF FASTENERS (BOLTS, STUDS, NUTS) MADE OF STRUCTURAL ALLOYED STEEL 28HN3MFA

Temperature of heat treatment, °C: hardening 850°C, oil or water; tempering as listed below.

Strength category, MPa                                   KII640       KII685       KII785       KII880

Tempering temperature, °C                                620 - 695    620 - 650    «680         «680

Test temperature t = +20°C
  Yield strength Rp0.2, MPa                              637 - 804    686 - 853    784 - 951    882 - 1078
  Ultimate tensile strength Rm, MPa (not less than)      686          784          882          980
  Relative elongation A5, % (not less than)              15           15           14           11
  Relative narrowing Z, % (not less than)                40           40           40           35
  Impact strength KCU, J/cm2 (not less than)             59           59           59           59

Yield strength at 350°C, Rp0.2, MPa                      490          539          637          735

Brittle-to-ductile transition temperature Tk0, °C
(not above)                                              -10          -10          -10          -10

TABLE IV-XIII. CHEMICAL COMPOSITION OF IRON-NICKEL ALLOY

Alloy grade: HN35VT-VD

Mass content of elements, %

C    not more than 0.12
Si   not more than 0.60
Mn   1.0 - 2.0
S    not more than 0.010
P    not more than 0.025
Cr   14.0 - 16.0
Ni   34.0 - 36.0
W    2.8 - 3.5
Ti   1.1 - 1.5
Cu   not more than 0.25
Mo   not more than 0.3
Al   not more than 0.5

TABLE IV-XIV. MECHANICAL PROPERTIES OF IRON-NICKEL ALLOY

Alloy grade: HN35VT-VD

Strength category: KII392

Test temperature t = +20°C (not less than):

  Ultimate tensile strength Rm, MPa     735
  Yield strength Rp0.2, MPa             392
  Relative elongation A5, %             15
  Relative narrowing Z, %               25
  Impact strength KCU, kJ/m2            588
  Brinell hardness HB, MPa              2030

Note. The values of mechanical properties are related to longitudinal specimens.

TABLE IV-XV. CHEMICAL COMPOSITION OF HIGH-ALLOY MARTENSITIC-FERRITIC STEEL 14H17N2

Steel grade: 14H17N2

Mass content of elements (%)

C    0.11 - 0.17
Si   not more than 0.8
Mn   not more than 0.8
Cr   16.0 - 18.0
Ni   1.5 - 2.5
Fe   base
S    not more than 0.025
P    not more than 0.030

TABLE IV-XVI. MECHANICAL PROPERTIES OF HIGH-ALLOY MARTENSITIC-FERRITIC STEEL 14H17N2

Steel grade: 14H17N2

Test temperature t = +20°C (not less than):

  Ultimate tensile strength Rm, MPa     735
  Yield strength Rp0.2, MPa             590
  Relative elongation A5, %             8
  Relative narrowing Z, %               25
  Impact strength KCU, J/cm2            20

Note. Mechanical properties are related to longitudinal specimens.

ABBREVIATIONS

AC        alternating current
AF        auxiliary feedwater
APS       auxiliary feedwater system
ALARA     as low as reasonably achievable
ANS       American Nuclear Society
ASME      American Society of Mechanical Engineers
ATWS      anticipated transient without scram
AZ        protection system signal (Russian abbrev.)
BDBA      beyond design basis accident
BOC       beginning of cycle
BRU-A     steam dump valve to the atmosphere
BRU-K     steam dump valve to turbine condenser
BRU-TK    steam dump valve to process condenser
BWST      borated water storage tank
CCF       common cause failure
CFS       core flooding system
CFR       Code of Federal Regulation
CHF       critical heat flux
CRD       control rod drive
CVCS      chemical and volume control system
DBA       design basis accident
DC        direct current
DG        diesel generator
DHRS      decay heat removal system
DNBR      departure to nucleate boiling
DOE       Department of Energy
ECCS      emergency core cooling system
EF        emergency feedwater
EFS       emergency feedwater system
EOC       end of cycle
ESAS      engineered safeguards actuation system
ESG       electroslag remelting
FFS       fresh fuel section
FW        feedwater
GDC       general design criteria
HP        high pressure
HPI       high pressure injection
HPR       high pressure recirculation
HPS       high pressure injection/recirculation system
ICCS      intermediate component cooling system
I&C       instrumentation and control
IE        initiating event
INSAG     International Nuclear Safety Advisory Group
LB        large break
LOCA      loss of coolant accident
LOFA      loss of flow accident
LP        low pressure
LPI       low pressure injection
LPR       low pressure recirculation
LPS       low pressure injection/recirculation system
MDBA      maximum design basis accident
MFW       main feedwater
MOV       motor operated valve
NPP       nuclear power plant
PC        process condenser
PIE       postulated initiating event
PORV      power operated relief valve
PPCS      primary pressure control system
PSRV      pressurizer safety relief valve
QA        quality assurance
RBSS      reactor building spray system
RC        reactor coolant
RCP       reactor coolant pump
RCS       reactor coolant system
ROM       reactor power controller
RPS       reactor protection system
RPV       reactor pressure vessel
RTD       resistance thermometer device
SB        small break
SDHR      secondary decay heat removal
SDHRS     secondary decay heat removal system
SG        steam generator
SIT       safety injection tank
SPCS      secondary pressure control system
SRV       safety relief valve
SWP       primary coolant purification system
SWS       service water system
US NRC    United States Nuclear Regulatory Commission
V1        twin unit No.1 of the Bohunice NPP (units 1 and 2)
V2        twin unit No.2 of the Bohunice NPP (units 3 and 4)


SYMBOLS USED IN PIPING AND ELECTRICAL DIAGRAMS

Pump
Ejector pump
Tank
Heat exchanger
Deaerator
Steam dump valve
Motor operated valve
Air operated valve
Manual valve
Check valve (arrow designates allowable flow direction)
Safety valve
Turbine generator
Diesel generator
Transformer
Circuit breakers (open and closed)
Rectifier, battery charger
DC/AC converter
Battery