Why INSAG has still got it wrong

In 1986, the IAEA’s International Safety Advisory Group released INSAG-1, its report on the causes of the accident at Chernobyl. Seven years later the group’s revised report on the accident, INSAG-7, appeared (see NEI May 1993). Seven years is long enough to study a lot of research and to formulate an opinion. But how much closer to the truth does INSAG-7 bring us?

SUBCOOLING OF THE COOLANT

For eight years now the erroneous assumption has been going the rounds that because of the high coolant flow rate, coolant subcooling at the core inlet was reduced, boiling began right at the bottom of the core, and this led to thermohydraulic instability. I pointed out the falsity of this assumption back in 1987, in a letter addressed to the Director General of the International Atomic Energy Agency.

• INSAG-7 (para 2.9): “These conditions led to the onset of boiling at or near the bottom of the core.”

According to the Regulations, subcooling is the difference in water temperature in the drum separators and at the core inlet. It certainly does fall with an increase in coolant flow rate, but when this happens the pressure at the core inlet rises, and so also does the boiling temperature (see Figure 1). At low reactor power, boiling begins beyond the core anyway, in the steam-water communication (SWC) line pipework, and the location of boiling moves down gradually as power rises (Figure 1). The greater the flow rate, the higher the starting point for boiling. Specifically, on 26 April (the date of the accident), at a reactor power level of 200MW (power level in core centre channel around 160MW), boiling was beginning right at the top of the 7m high core (see Table 1 and Figure 2).

• INSAG-7 (para 5.2.3): “The reactor was operated with boiling of the coolant water in the core and at the same time with little or no subcooling at the pump intakes and at the core inlet. Such a mode of operation in itself could have led to a destructive accident . . .in view of the characteristics of positive reactivity feedback of the RBMK reactor."

The reactor is operated only in boiling mode, and, according to the regulations, may be operated with minimal or even zero subcooling – see Regulations, Chapter 9. This condition is obligatory, since such operating conditions cannot be avoided in principle – they occur with any rise in power, when the pressure falls in the separators.

The stance taken by the experts here is an interesting one: they explain the destructive effect of positive feedback to the station staff. Fine – the operators will know why they died or were maimed; but it would have been better had the reactor conformed to its design norms. If the reactor explodes under operating conditions it is not possible to avoid, there is only one answer – to prohibit operation. What need is there for explanation?

On 26 April subcooling was roughly 1 degree and pressure was slowly building (see Table 2).

MAIN CIRCULATION PUMPS

The INSAG experts have reanimated the long-discreted theory of pump breakdown, due to loss of head and pump cavitation. But there was no circulation breakdown. If the pumps did not break down during pressure decrease, why did they break down during a rise in pressure? The monitoring system recorded proper operation of the pumps right up to the sudden power surge. Pumps powered by a generator that was running down could not in any way have suffered breakdown. There are no reasons why they should. The first to be switched off, though, were those very “running down” pumps (see INSAG-7, Annex I, Table I-I), then, powered from the back-up supply. This indicates that the cause of the cessation of coolant delivery was a sharp surge of power.

There is further evidence, but if this is not sufficient for the experts, I suppose nothing is going to convince them.

This reactor really did explode when the main circulation pumps were stopped. But this could have happened when the steam lines ruptured, on opening and failure to reseat of the main safety valves, during the maximum design accident. . .The only people that can be blamed for this, though, are the reactor designers.

Just to conclude the subject of the main circulation pumps:

• INSAG-7 (para 2.8): “Furthermore, since there is not much change in fluid temperature between the coolant pumps and the core inlet, the temperature of the water in the pumps and at their intakes is near boiling if the subcooling is very small.”

This is a strange sort of explanation instead of the straightforward and obvious one: the temperature at the pump intake approaches boiling point at a high coolant flow rate because of the lower level of cooling of it by the fee water and the increase in loss of pressure head in the downcomer (see Figure 1).

• INSAG-7 (para 2.9): “When the turbine was tripped, the four pumps it was powering began to slow down as the turbine speed was reduced and the associated generator voltage fell. This reduced rate of core flow caused the void content of the core to rise and caused an initial positive feedback of reactivity, which was at least in part the cause of the accident.”

The fall by 10% in flow rate over the 36 seconds of rundown of the turbine caused a rise in reactivity which the automatic regulator was able to handle. There was no increase in power; it is sufficient to look at the power graph submitted to the IAEA in 1986. This is discussed in Annex I of INSAG-7 (para I-4.6.2). If that is not enough, I could ask E. V. Burlakov of the Kurchatov (one of the expert advisors to INSAG), and he could present the 1986 calculations of his colleague A. Apresov (see Table 2).

During the rundown period, the coolant density altered by 6 kg/m³, giving a rise in reactivity of the order of 24 x 10^-5; under real conditions the rate of change of reactivity can be several times greater.

Thus an idea that is true in principle can lead, if factual data and even the most basic calculations are ignored, to false conclusions.

Questions concerning coolant subcooling, breakdown and rundown of main circulation pumps, and equally too the question of turbogenerator rundown itself, therefore have no bearing on the accident. If at the very last moment it had been decided not to carry out the experiment, the result would have been just the same.

It is now clear that we had been on the verge of disaster several times before. Following triggering of the emergency protection, operators had on occasions noticed emergency power overshoot (AZM) and fast rate of power rise (AZS) signals. They should not have been there and they were taken as spurious because they could not be explained. But in reality these were power surges caused by the emergency protection, which were not recorded by the SKFRE (power density physical monitoring system) automatic recorder because of the slow response time of the silver transducers used. AZM and AZS signals were possible because these originated from ionisation chambers with a faster response time. But these unfortunately had no automatic recorder to go with them. Compare with 26 April: at 23 minutes 40 seconds the emergency protection was dropped using a button (AZ-5), and three seconds later the AZM and AZS signals appeared.

This is the place to state the following. In Annex II of INSAG-7, para II-2.5.3, it says that none of the calculation models reproduces a reactor power excursion where signals exceeding the set values for power and rate of power rise appear within three seconds of triggering of AZ-5. Maybe, but we need to look at not three, but almost four seconds, since the discreteness of recording is one second. Then look at Fig II-11, in Annex II, and there is no contradiction. To clarify the above: between two events in 1994 and 1995 the time interval could be either two hours or two years minus two hours.

OPERATING REACTIVITY MARGIN

The RBMK reactor designers, and also the IAEA experts along with them, just keep piling onto the operating reactivity margin (ORM) parameter one function after another:

1. The potential for power manoeuvring.

2. Fuel burnup compensation.

These are functions natural to all reactors, and they are described in books and in regulations.

3. Controlling power density over the volume of the reactor.

Also a sort of natural function, on the basis of the “continuous” fuel reloading cycle and large size, although the RBMK is not the only large reactor.

4. A guarantee that the reactor protection operates properly. At the same time the restriction is imposed not on the maximum, which would be natural, but on the minimum (?).

5. Not only is proper operation ensured at a certain operating reactivity margin, but a given rod configuration must continue to be maintained.

This, however, is just a nonsense, and in violation of all design norms. The designers made an obvious error in rod design when the rods introduce reactivity of differing signs when moving in a single direction. Immediately after the accident the rods were acknowledged by everyone, including the reactor designers, as no good. But amazingly the designers were supported by the INSAG experts.

• INSAG-7 (para 5.1): “A particular configuration of control and safety rods was necessary for the positive scram to occur. . .”

There are a large number of such “particular configurations”, but the reactivity overshoot occurred solely as a result of the erroneous design of the rods. With a normal design there are no “particular configurations” and cannot be any.

Question: why did the experts feel the need to defend a point that has long since been refuted?

6. And finally, yet another function of ORM: keeping the steam void coefficient of reactivity within set limits.

• INSAG-7 (para 4.2): “In the discussion of the scenario, the operators seemed not to be aware of the other reason for the importance of the ORM, which was the extreme effect it could have on the void and power coefficients."

True, the staff did not know – where could they have got to know about it, if the reactor designers did not know? A. Abagyan, Yu. Cherkashov and others “out of absentmindedness” forgot to mention this when they became aware of it.

Here the alteration to the operating reactivity margin occurs through poisoning of the reactor, in other words the appearance of xenon is compensated by rod withdrawal. Although the influence on the breeding ratio is of the same order, however, the effect on the void coefficient is not identical. And that is by no means obvious.

But let us examine the effect anyway. The regulations give a magnitude for the operating reactivity margin of from 30 to 15 rods. A reduction to 15 rods cannot be blamed on the operators, because in fact there is no other way to operate. The operators overlooked (there was no means of observing) a fall in the operating reactivity margin to eight rods. So, they have 7 rods on their conscience. In an article by N. Laletin (Atomnaya Energiya, 1993, Vol 74, No 3), a change in the operating reactivity margin by 25 rods alters the void effect by 0.5%. Thus seven rods added 0.14%. That was bad, but it was not this addition that played the fatal role, it was the existing void effect of reactivity (2.5-3.0%). You definitely do not have to be a top ranking international expert to understand this.

After the accident, 80 additional absorbers were located in the core. Each additional absorber is equivalent to a control and safety system rod in terms of its influence on the void effect of reactivity. But even 80 was too few, and it was not possible to fit in more, since they are installed in the fuel channels and therefore reduce the number of fuel assemblies. Solely from necessity the operating reactivity margin was raised to 43-48 rods with the fall in the margin restricted to 30 and no less. This margin is not needed for operation, and anyway the operator is forbidden from using it; he has 15 rods at his disposal, as before the accident. A large reactivity compensated by operational systems is a fairly odd way of improving safety. Strange how things are managed with the RBMK reactor. Before the accident it was the only reactor in the world which was especially nuclear-hazardous with a small reactivity margin.

VOID COEFFICIENT

Both in the INSAG experts’ report and in other documents there is mention of the void coefficient of reactivity, whereas what should have been mentioned is the void coefficient of inadmissible magnitude. It turns out that after the accident at the Leningrad power station in 1975, the Scientific and Technical Council of the Ministry took a decision to set this at no more than 0.5%, a fact which the creators of the reactor “successfully managed” to forget. They were quite happy with the calculated curve 1 in Fig II-12 of INSAG-7 Annex II (curve 1 of Figure 3 in this article).

A few comments on this figure.

Curve 1 does not guarantee safety – the reactivity overshoot with a change in density to 0.4 g/cm³ is 2ß_eff. The error is the same as for a change in reactivity compensated by the control and safety system rods – only the extreme states are considered.

Curve 2 of Figure 3 is shown in INSAG-7 as the actual dependence at the same time of the accident on 26 April. This is a Jesuitical approach – neither a lie nor the truth. A similar void effect existed at all RBMK reactors, and not only on 26 April. The curve was obtained several years prior to the accident by an employee of the Kurchatov Institute, V. Ivanov, and was subsequently confirmed by measurements. The administration did not believe Ivanov. They understood that an explosion threatened, but they did not check this out either by calculation or by experiment. So there you have it. One might ask why Ivanov did not squeal? Only one person squealed, and that was V. I. Volkov, who was quickly disposed of with an invalidity pension.

The INSAG experts too employ some dubious approaches.

• INSAG-7 (para 4.2): “Under the circumstances of the accident, the void coefficient increased to such an extent that is overwhelmed the other components of the power coefficient, and the power coefficient itself became positive.”

The sense of the phrase – on 26 April some sort of special conditions were in play, so who brought them into being – is understandable. The operators made the power coefficient positive because the operating reactivity margin was 8 rods. Really? Maybe the experts had no information, like in 1986? But they did have some.

In Annex I to INSAG-7, page 36, we read: “Second generation plants with the RBMK-1000 reactor (Leningrad units 3 and 4, Kursk units 3 and 4, Chernobyl units 3 and 4, Smolensk units 1 and 2) were loaded from the beginning with fuel enriched to 2% in uranium-235. However, even with that fuel enrichment, as fuel burnup increased to 1100-1200 MWd/t per fuel assembly, and with an authorised operating reactivity margin (ORM) corresponding to 26-30 manual control rods, the void coefficient of reactivity approached +5ß_eff. There were similar fuel burnups at Chernobyl unit 4 before the accident.” Further, at such a void coefficient of reactivity, the power coefficient is +0.6 x 10^-4ß_eff/MW at a power greater than 50%. At lower power levels it is more positive still.

In the article by N. Laletin referred to above, it says: “It is significant that the void effect for a core with even burnup is roughly twice as great as for a core with the same average burnup but distributed over the fuel channels from zero up to roughly double the mean value. It follows from this that the state of the reactor at the end of the transition phase, when all additional absorbers are removed, is more hazardous than its state when reload fuel is installed, although this fuel is comparable in terms of mean burnup”.

(At the first fuelling of the reactor with fresh fuel assemblies, 240 additional absorbers are put into the core to take up the surplus reactivity.)

The core of unit 4 was in fact at the end of the period: 1 additional abosrber; 1 unfuelled channel; 1659 assemblies with an average burnup of 1180 MWd/assembly. The bulk of the assemblies (75%) were first-charge assemblies with a burnup of 1150-1700 MWd/assembly.

The void effect may be said to have been greater than +5ß_eff, although that itself would have been quite enough for an explosion.

And one question for the experts: was it the operators who “made” the fast power coefficient positive, or was it the designers?

• INSAG-7 (para 2.1): “Thus, although the void coefficient of reactivity varied over a wide range from negative to positive values as a function of the composition of the core and the operating regime of the reactor, the fast power coefficient remained negative under normal operating conditions. At the time of the accident, the void and power coefficients of reactivity were both positive.”

If it is not there to provide justification for the designers, then why is this phrase included at all?

According to the regulations, normal operating conditions were taken to be all power levels from minimum monitorable to rated, and the operating time was not restricted anywhere.

If the experts were trying to say that the power coefficient remained negative at rated power, that is true, but it is not nearly enough. The design norms require this for all operating and accident conditions.

FURTHER COMMENTS ON INSAG-7

• INSAG-7 (para 4.1): “The scram just before the sharp rise in power that destroyed the reactor may well have been the decisive contributory factor.”

The experts are saying, in other words, that a reactor power excursion had to occur, and that the staff either foresaw this, or else, quite by chance, dropped the protection rods immediately before the excursion, and thus either accelerated or even created the conditions for the disaster.

This is something new. Why did the experts not tell us the cause of the preceding power excursion, or at least make a stab at it?

Not one of the commissions have ever found the cause.

I would like to state the following, as a witness to the event: the protection button was pressed in calm circumstances. There is also the evidence of G. Metlenko and A. Kukhar’. Annex I of INSAG-7 says that the commission could find no reasons why the emergency protection rods were dropped. There was actually one reason for dropping the protection rods: a wish to shut down the reactor when work was finished.

Dropping the protection did not “facilitate” the destruction of the reactor, it caused it.

• INSAG-7 (para 4.1): “Failure of a fuel channel would have been a cause of a sudden local increase in void fraction as the coolant flashed to steam; this would have led to a local reactivity increase which could have triggered a propagating reactivity effect.”

This reactor had many more “traps” lying in wait for the staff than listed by the experts. Channel rupture (one or two channels) is not among them.

On channel rupture, the amount of water in the core will increase, and it will not matter whether it is in the form of steam or liquid. The water will also cool the graphite. Both mechanisms will lead to a fall in reactivity.

• INSAG-7 (para 5.2.1): “The statement was made that there was a proscription on continuous operation of the reactor at power levels below 700 MW(th). This statement was based on incorrect information. There should have been such a proscription, but there was none at the time.”

This reactor “managed to” explode even at 700 MW. There was no safe power level for it. There were only more or less hazardous levels. On the other hand a reactor meeting design norms does not need a restriction of this kind.

There is no technical safety case for power levels over 700 MW. It took on what can only be called a mystical aura (obliging academicians and scientists to make misleading statements before the whole world) solely in order to place blame on the staff.

I set the 700 MW level when I drew up the experimental programme at Chernobyl, and it was based on incidental considerations. At the time the programme was drawn up, it was assumed that we would be checking the main safety valves, for which considerable power was needed – the capacity of a single valve is 725 t/h of steam. Since performance of the turbogenerator rundown programme was placed right at the end (because of having to place most of the mechanisms on reserve power – these are the safety measures which the programme was criticised for lacking), and the reactor was being shutdown for this, in order not to have to wait for a fall in power, the level for the proposed preceding work was entered.

After the unplanned reactor power dip, I took the decision to keep to a rise to 200 MW in view of the adequacy of this, and not because of impossibility. Surely it is obvious that with a positive fast power coefficient there are no limitations on raising power?

Of course it was borne in mind in taking this decision that 200 MW is the usual power level permitted by the regulations.

No-one could say that accident situations and operational data had not been analysed. Following the accident at Leningrad unit 1, for example, a commission (consisting of E. Kunegin et al) issued the following recommendations in 1976:

• Void coefficient to be lowered.
• Design of control and safety system rods to be altered.
• Fast-acting emergency protection to be installed.

The situation was similar when it was discovered that the protection introduced positive reactivity. In December 1984 a new rod design was even prepared. There were other proposals too.

All this, however, was determinedly ignored by the Soviet administration, including some of the experts recently advising the IAEA: Yu. Cherkashov, V. Sidorenko and A. Abagyan. And this, to answer a point raised by James Varley (Editor of NEI) in his May 1993 article on INSAG-7, is why there has been so little benefit from the inclusion of senior officials among the INSAG experts, despite the fact that they had access to equipment, computers, details of reactor characteristics etc.

In view of the fact that the Soviet nuclear administrators chose to ignore obviously hazardous physical characteristics, both built into the design from the start and identified during operation, the RBMK reactor was condemned to explode.

CAUSES OF THE ACCIDENT

The reactor did not meet the requirements of over 30 statutes in the design norms – which was more than enough to cause an explosion.

Or let us look at it another way. Before the protection rods were dropped, the reactor was in the state of an atomic bomb, yet there was not so much as a warning signal. How could the staff have found out what was happening – by smell, or touch?

The accident happened on 26 April because of the combined effect of the emergency protection, with its faulty rod design and the positive fast power coefficient of reactivity. In other situations, each of these factors on its own could have led to an accident.

There is no sense in talking about the control and safety system rods, that is clear enough already.

But something must be said about the power coefficient. First and foremost, there is sense in considering the void effect in connection with N. Laletin’s article (cited above). Second, the RBMK reactor was at its most hazardous at power levels up to roughly 40%, depending on coolant flow rate, because of the large positive fast power coefficient. Variations in coolant density, and in reactivity too by association, are much greater in relation to a unit of power at lower power levels than at levels closer to rated power (see Figure 4). It is not, of course, possible to infer a direct dependence between the reactivity variation and density, but its nature will remain the same.

Before the accident, this was not mentioned in any document about the reactor. It was only after the accident that study of this at low power levels too began – see, for example, the Kurchatov Institute report of September 1990 (accession number 33R/1-1007-90). After all the measures taken to bring the void coefficient of reactivity down to +0.8ß_eff, the power coefficient at 200 MW is minus 6 x 10^-7ß_eff/MW. What was it at a void coefficient of +5 ß_eff? Moreover, despite the assertions of the experts, the lower the coolant flow rate, the greater the hazard.

ACTIONS BY STAFF

Before talking about the guilt the staff must bear, stop and think: the reactor was blown up by the emergency protection!

If Varley drew his conclusion that it was not fair to blame the staff on the basis of the factual material in the Annexes to the report, then he was right. If however one looks at the comments of the INSAG experts themselves, this does not follow at all. In fact, the opposite is more the case.

In 1986, for example, V. Legasov and A. Abagyan did not report the fact that the emergency protection had introduced positive reactivity. Presumably because this was considered unpalatable. The experts write that if they had known, the conclusion would have been different. They found out. And they came to a conclusion: they effectively blamed the staff for dropping the protection rods (see INSAG-7 para 4.1, as quoted above). This sort of thing was not done even at the time when the staff were being most virulently blamed.

In para 6.6 of INSAG-7 the experts write: “Yet INSAG remains of the opinion that critical actions of the operators were most ill-judged.”

Not let us consider a reactor that meets design norms. Which operator actions are ill-judged, or critical? How and why should the operators have compensated for design errors they did not know about?

It was only because there was not legal basis for blaming the staff that V. Legasov and A. Abagyan were forced to resort to making the misleading statements they made in 1986. What is amazing is the promptness with which the INSAG experts grasped these incorrect statements and made their stand as public prosecutor.

Before the whole world, they accused people of violating documents that they themselves have never even seen. Bound by their 1st report, the INSAG experts were forced to keep to the same line in their 2nd.

INSAG-7, like the first report, gives an inaccurate and simply false reading of events and processes, and in the tendentiousness of its exposition turns essentially true statements into false ones. It can have no positive role to play.

Nevertheless, INSAG should be thanked for publishing, as their Annexes, the 1991 Shteinberg Commission report on the accident and the 1991 report by a Working Group of USSR Experts. The factual material in these two Annexes is accurate, and for specialists certainly valuable. But care must be taken in reading the conclusions and assessments. In Annex II, for example, we read: “These characteristics of the reactor plant … made for reliable and effective operation of the RBMK under all regulation conditions and ensured safety for the entire list of design accidents in accordance with the ratified design documentation.” That this is not so does not need saying. But for the sake of completeness:

• The designer missed something off this list (and he’s clean?).
• At the maximum design accident the reactor exploded.

Author Info:

In his role as Chernobyl deputy chief engineer, Anatoly Dyatlov drew up the programme for the fateful turbine generator rundown tests on 26 April 1986. He was in the control room on the night of the accident and sustained 35% burns and a dose of around 600 rem. He was imprisoned in December 1986 and released in October 1990 on health grounds. When this article was published in NEI(September 1995, p17), he was then aged 64, and lived in a flat in Kiev, where the picture above was taken (in July 1995). He always argued that he and the other operators have received an unfair share of the blame relative to the plant designers, who appear to have gone almost entirely unpunished. See also his previous article in NEI (November 1991, p43).

FilesTable 1
Table 2


External weblinks
Nuclear Engineering International is not responsible for the content of external internet sites.

Focus on Chernobyl