Anticipated Transients Without Scram (ATWS) are accident sequences involving a non-LOCA transient of moderate frequency (about 1.0/ year, e.g. turbine trip) or infrequent incidents (about 3× 10-2/year, e.g. reactivity events) and failure of automatic reactor scram. Major objectives of ATWS analyses are to demonstrate that the pressure boundary of the reactor coolant will not fail, the pressure suppression system will not fail, safe long term shutdown is reached and heat removal capacity is sufficient. The ATWS are commonly considered as design basis accidents or as accidents to be dealt with in the licensing process for Western reactors. For RBMK reactors ATWS are not design basis accidents and no previous analyses of such accidents were performed. The ATWS studies in the Ignalina SAR are the first of the kind for RBMK reactors. These analyses have a different purpose from DBA studies. The purpose of the ATWS studies in this project is to identify the need for possible future design modifications to the shutdown system, to determine the minimum time available for accident mitigation and to make a step towards developing accident management measures and procedures. The ATWS scenario can lead to unacceptable consequences. The failure probability of the overall scram system is the major concern at Ignalina NPP. According to the assessment the failure probability may be 4× 10-4 per demand or higher. The magnitude of this failure probability highlights the importance of the ATWS issue for Ignalina NPP. Four different Anticipated Transients Without Scram were addressed in SAR:
The analyses were carried out using the following initial and boundary assumptions: All systems that affect the reactor power and are not active during normal reactor operation are assumed unavailable. This applies to the 24 FASS rods, 24 LSR rods and the CPS operation modes BAZ and AZ-1. All systems active during normal operation remain functional during the accident as long as they are not affected by the consequences of the accident, e.g. LAC system, pressure and level controllers. Systems that do not affect the reactor power and are poised to be activated by the accident, e.g. relief valves, ECCS, are assumed available. The base-case simulations is performed until one of the following conditions is reached:
Results provided by the base-case simulation include list of all available scram actuation and power set-back signals as well as the minimum time available for accident mitigation. The issues addressed in the analysis include:
The following conclusions were drawn regarding the ATWS sequences for the Ignalina NPP. Continuous withdrawal of one control rod with ATWS from full power are controlled by local automatic control/protection system. Total reactor power is kept nearly constant, while the maximum local power excursion at full power was 175 %. Detector coverage is such that the reactor setback or trip signals are generated within about 10 and 16 seconds of the start of rod motion for star-up and full power levels, respectively. Redundant trip signals are generated within a short time span, so single failure of trip signal are inconsequential. At powers below the normal operating range acceptance criteria in fuel channels are not violated.
Failure of one MCP is inconsequential because the flow from the operating pumps compensates for the trip of 1 out of 3 MCPs in one circulation loop. The local automatic control/protection system maintains the plant within a safe range of operation. Flow instability is not encountered even when the power is not reduced. The acceptance criteria for fuel and pressure boundary are met. This conclusion applies to the whole normal operation range from 1000 MW to 4200 MW. There is adequate time for operator action.
During reactor operation at full power a turbine trip with loss of main heat sink leads to failure of the pressure boundary within about 3.5 minutes (likely between core outlet and MCP suction header) because steam production exceeds the steam removal capacity of 2 SDV-A and 12 MSRVs. Total reactor power is maintained nearly constant by local automatic control/protection system. However, eight different power reduction signals were identified before pressure boundary failure. Effective operator intervention, i.e. manual scram is possible. If this ATWS were to occur at some steady state operation power level higher than 2650 MW, the sequence of event will remain the same, only there will be more time available for operator intervention. The relief capacity is sufficient at reactor power level below 2650 MW, so the manual scram is a highly probable terminator of transient, since long delay can be tolerated.
Loss of preferred AC power results in constant reactor power due to functioning of the local automatic control/protection system. Due to costdown of the MCPs and loss of main feedwater steam production rises considerably and will be in excess of the steam removal capacity of the 14 discharge valves (2 SDV-A and 12 MSRVs). Flow instability could occur after 10 seconds and dangerous cladding and pressure tube wall temperatures after 40 seconds. The acceptance criterion for main coolant circuit pressure of 10.4 MPa is violated after about 1 minute. Multiple pressure tube ruptures are likely to occur. Although the operator may be able to manually insert control rods, this may not prevent a pressure boundary failure.
The results of ATWS studies demonstrate the lack of inherent safety features in the RBMK design. The power is not reduced by means of inherent physical processes such as steam generation. The reactivity loss due to fuel temperature rise (Doppler effect) is not effective enough to prevent major damage of the core. The local automatic control/protection system assumed available under analysis rules turns out to be detrimental in some cases since it tries to maintain the power level.
The apparent lack of the effective inherent safety features in RBMK reactors leads to one high priority recommendation, that a second fast acting, independent and fully diverse reactor shutdown system needs to be installed. The second shutdown system has to be designed to ensure its functionality at conditions prevailing during and after the accident, and to provide safe long term reactor shutdown. Development of second reactor shutdown system is under progress, but its implementation requires 3-4 years. Compensatory measures which have the potential to reduce the overall risk are implemented at Ignalina NPP until a second shutdown system is in place.