Olkiluoto compliance 395/1991

Compliance with the general regulations for the safety of nuclear power plants (Decision 395/1991)

The Olkiluoto plant


EXECUTIVE SUMMARY

This document outlines a safety review concerning the Olkiluoto nuclear power plant. The review is based on the safety level defined in the Decision 395/1991, the general regulations on nuclear power plant safety, and in relevant YVL Guides. The review outlines general principles, radiation safety, nuclear safety and on operation of the nuclear power plant.

The conclusion of the Radiation and Nuclear Safety Authority (STUK) is, that Olkiluoto plant meets the provisions set forth in Decision 395/1991. Since the nuclear power plant in question was already operating when Decision 395/1991 was issued, the provisions presented in Sections 11, 12, 17 and 18 are applied to such extent as reasonable considering technical solutions, operating experience and safety research of the nuclear power plant as well as development in science and technology.

Following matters have been stated as significant improvement issues in the safety review:

  • quality assurance, taking into account the changed requirements and improvement needs identified in an independent review
  • increased efficiency of preparedness for severe accidents
  • development of validation system for non-destructive in-service inspections improvement of safety related modifications design as well as steering and supervision of the design purchased from outside the Teollisuuden Voima Oy (hereinafter TVO).

CONTENTS

EXECUTIVE SUMMARY

1 INTRODUCTION

2 GENERAL PRINCIPLES

2.1 General objective

2.2 Safety culture

2.3 Quality Assurance

2.4 Demonstration of compliance with the safety regulations

3 RADIATION SAFETY

3.1 Limitation of radiation exposure

3.2 Radiation safety of nuclear power plant workers

3.3 Limit for normal operation

3.4 Limit for an anticipated operational transient

3.5 Limit for a postulated accident

3.6 Limit for a severe accident

4 NUCLEAR SAFETY

4.1 Levels of protection

4.2 Technical barriers for preventing the dispersion of radioactive materials

4.3 Ensuring fuel integrity

4.4 Ensuring primary circuit integrity

4.5 Ensuring containment building integrity

4.6 Ensuring safety functions

4.7 Avoiding human errors

4.8 Protection against external events and fires

4.9 Safety classification

4.10 Monitoring and control of a nuclear power plant

5 OPERATION OF A NUCLEAR POWER PLANT

5.1 Technical specifications and plant procedures

5.2 Operation and maintenance

5.3 Personnel

5.4 Monitoring releases of radioactive materials

5.5 Operating experience and safety research

5.6 Nuclear power plants in operation


1 INTRODUCTION

According to the Section 8 of the Nuclear Energy Law (990/87), the use of nuclear energy is prohibited without a license that is in accordance with the Nuclear Energy Law. The current operating license of the Olkiluoto plant was granted on the 15 of December 1988 and will expire at the end of 1998. The license covers the use of the Olkiluoto plant unit 1and Olkiluoto plant unit 2 plant units as well as the use of spent fuel storage and storage of intermediate and low active nuclear waste.

Teollisuuden Voima Oy (TVO) has applied for a new operating license from the beginning of year 1998 for an uprated power level. The application will be treated by the Ministry of Trade and Industry, who has asked STUK for a statement regarding the application. This safety review report is an appendix to the STUK's statement. The safety review was made on the basis of the safety level defined in Decision 395/1991 (395/1991) and relevant YVL Guides.

The modernisation project of the Olkiluoto plant, executed by Teollisuuden Voima Oy, was taken into account when safety review was drawn up. The objectives of the modernisation project were to enhance plant's capacity and safety features and to ensure a long operating life for the plant units. To enhance capacity, the reactor powers of both units are to be risen from 2160 MW to 2500 MW. The plan is to carry out the power uprating without adding any susceptibility to production disturbances of the plant units.

Uprating the thermal power of the Olkiluoto plant reactors required modifications to the function and reliability of the systems that cause anticipated operational transients and participate in their management. The most important modifications are the modernisation of the frequency converters of the electric drives for the main circulation pumps and the modernisation of the turbine pressure governors. By the means of these modifications, TVO aims at improving management of disturbances caused by the failure of the aforementioned equipment and to decrease frequency of disturbances so, that the disturbances can also be prepared for, by using smaller safety margins than the current ones in reactor loading and operation without lowering the safety level of the plant.

Measures for operating the plant units at the uprated power level were taken, by making the required modifications in control and protection systems of the processes mostly in the 1998 outages. The modernisation of the turbine pressure governor was completed at both units, but the realisation of the new frequency converters of electric drives for the main circulation pumps is incomplete. TVO has modified the frequency converter of four main circulation pumps at both plant units and assembled fly wheels as a reserve energy source for these pumps. These modifications allow the reactors to be used at 2500 MW power. Rest of the pumps will be modernised in the 1999 maintenance outages.

Both plant units have been operated at uprated power levels, that are lower than the final power levels, after the maintenance outages in 1996 (Olkiluoto plant Unit 1) and in 1997 (Olkiluoto plant Unit 2). The test operations were continued at the final power level after the maintenance outages in 1998.


2 GENERAL PRINCIPLES

2.1 General objective

The general objective is to ensure nuclear power plant safety so that nuclear power plant operation does not cause radiation hazards which could endanger safety of workers or population in the vicinity or could otherwise harm the environment or property. (Section 3 of Decision 395/1991)

General provisions that were set to ensure the attainment of the general objective are presented in Decision 395/1991. The compliance with these provisions is assessed further on.

2.2 Safety culture

When designing, constructing and operating a nuclear power plant, an advanced safety culture shall be maintained which is based on the safety oriented attitude of the topmost management of the organisations in question and on motivation of the personnel for responsible work. This presupposes well organised working conditions and an open working atmosphere as well as the encouragement of alertness and initiative in order to detect and eliminate factors which endanger safety. (Section 4 of Decision 395/1991)

The concept of the safety culture was presented by the IAEA's International Nuclear Safety Advisory Group (INSAG) soon after the Chernobyl accident. In 1991 the concept was defined more accurately by the same group in their report INSAG-4 “Safety Culture”. To assess the status of safety culture, IAEA published so-called ASCOT Guidelines, which outline concrete features of an advanced safety culture.

According to the principles of a safety culture it is important, that all those organisations whose activities affect safety put an adequate emphasis on the factors affecting it in all their actions. A good safety culture consists of the measures of organisations as well as of the attitudes of individual people.

The significance of the safety culture as an important factor that affects the safety was widely acknowledged in the 1990's. Upgrading of the safety culture is a continuous learning process which varies slightly between different power companies and nuclear power plants due to their own backgrounds. Principles and practices that illustrate the advanced safety culture have been applied in Finnish nuclear power plants already before the concept was presented. The advanced safety culture has many common objectives with the quality assurance program and with the development of management practices and working atmosphere.

TVO was originally founded as a nuclear power company. Its corporate culture was developed from approaches that have been available since the beginning of 1970's for producing nuclear energy in a manner that emphasises safety factors. The technical personnel who was employed to the company immediately after its foundation and who has since then had a crucial role in developing the company, received its education and prior work experience within the area of nuclear technology. This background has significantly promoted the emphasis on safety issues in all of their actions.

Asea-Atom AB (later on ABB AB), the supplier of the plant, had also a favourable impact on the improvement of the TVO's safety culture. The responsibility for practical safety solutions in the development of nuclear technology, was clearly left to the industry in Sweden, and safety authorities set forth only general requirements. Asea-Atom AB acknowledged its responsibility for the safety, and developed many solutions that were later adopted in other countries as well. TVO received all essential approaches needed for safe operation of the plant from its plant suppliers and developed them further.

In 1995 TVO drew up a safety and quality policy document signed by the Managing Director. The document contains the principles of safe and high quality performance as well as the principles of the good safety culture. In the policy document the company management commits to create the means for maintaining and developing a high quality safety culture.

TVO has conducted several measures to maintain and develop its safety culture. Related to this, the safety culture was self-assessed by the company management in 1992. Review was based on the principles and questions presented in the INSAG 4 Report. Review concluded that TVO's measures are well in-line with the measures and characteristic features, defined in the INSAG 4 Report, of a company that has a high level safety culture.

Sweden conducted two comprehensive safety culture studies in 1995. TVO assessed the results of the reviews from the standpoint of its own actions. Several findings requiring development actions were made on the basis of the reviews, but no new significant issues surfaced.

TVO conducted an internal review of its actions during the year 1996 and the beginning of the year 1997 by using the objectives and criteria presented by the WANO (World Association of Nuclear Operators). In connection with the review, several issues requiring improvements were found. The planning of these measures has been initiated. TVO has purchased an review from the WANO for the year 1999.

In the spring of 1997 TVO conducted a review directed to the quality of operation and maintenance actions, to chart the strengths and weaknesses of actions for finding issues for further improvement. Processing of the recommendations from the review is underway.

STUK has assessed the prevailing safety culture and its development in the TVO by reviewing how the company has promoted safety culture and its development, and also on the basis of findings made in connection with the inspection and supervision work.

According to STUK's review TVO has actively promoted the development of the safety culture and identified areas where development measures will be especially needed. Such areas are e.g. preparedness for and practices in design, execution and steering of the plant modifications.

The conclusion is that TVO maintains a safety culture that meets the provisions set forth in the Section 4 of Decision 395/1991.

2.3 Quality assurance

Advanced quality assurance programmes shall be employed in all activities which affect safety and relate to the design, construction and operation of a nuclear power plant (Section 5 of Decision 395/1991)

Detailed requirements that concern the quality assurance and that are based on the Section 5 of Decision 395/1991 are presented in the YVL Guides 1.4 and YVL 1.9 published by STUK. The YVL Guide 6.7 concerns the quality assurance of nuclear fuel.

The Olkiluoto plant uses a documented quality system. The safety and quality policy of the company has been defined by the Managing Director of the TVO, and it defines those principles related to the quality of performance and to the safety, which the company management considers important, to which the management itself is also committed, and to which it expects everyone working at the power plant to commit.

Requirements concerning the quality assurance of Olkiluoto plant are presented in the Quality Assurance Manual for Operation and procedures related to it as well as in a Manual concerning the procurement, design, fabrication and transportation of nuclear fuel. TVO has kept its procedure system updated.

TVO's Quality Assurance Manual for Operation contains requirements that are related to the quality assurance, organisation, personnel training and qualification, documents, computer software and records control, procurement and storage, inspection and testing actions, operation actions, maintenance, outage actions and modifications, handling of deviations and shortcomings, security and emergency preparedness arrangements, fire and radiation protection as well as the related follow-up inspections.

A safety organ that is independent from operation action, is defined in the Management Rules as the Safety Group which must, among other duties, observe the quality assurance of operation actions and give recommendations and statements for developing these actions. The Safety Group reports its actions to the company management. STUK has reviewed the minutes of the meetings and assessed the performance of the Safety Group within its Periodical Inspection Programme. As a result of inspections, attention was paid to the fact that no experts from outside the TVO were nominated to the Safety Group. Accordingly, TVO has begun a study for possible supplementation of the Safety Group. In other areas, the inspections haven't found anything wrong in the actions of the Safety Group.

Effectiveness and comprehensiveness of the quality assurance program is assessed within the framework of the Auditing Programme . The Quality Assurance Unit conducts audits to different areas of technology and actions, within the framework of the annually drawn up auditing programme at the Olkiluoto plant. In the long term these audits cover all main activities presented in the Quality Assurance Manual. Correspondingly, the audits cover the companies that offer services and supply goods, taking into account the significance of these actions to the safety and availability. The performance and comprehensiveness of the quality assurance actions are assessed annually by a separately nominated evaluation group composed of experts that are independent of operation and quality assurance actions.

In addition to the Auditing Programme the quality assurance actions were assessed during the 1997 as a part of a more comprehensive review of internal actions. This review was conducted by complying with the systematics developed by the World Association of Nuclear Operators (WANO).

TVO has renewed its Quality Assurance Manual regularly and submitted the updated versions to STUK for approval. Other procedures of the utility guidance system were sent to STUK for information in the required extent. Work permits as well as work and operating orders used for steering different work activities were assessed in connection with the inspections conducted by the STUK officials on site.

The Periodical Inspection Programme conducted by STUK was developed in a such way, that each inspection included in the program aims, for its part, at clarifying the level of the quality assurance at different sectors. The quality assurance actions are a separate inspection issue. Periodical inspections endeavour to ensure, among other things, that the quality assurance has been conducted according to the requirements set forth by the regulatory body and that it is in accordance with the utility quality assurance program.

An independent quality assurance review of the TVO's performance was conducted by a third party organisation during the year 1997 due to STUK's request. Discovered improvement needs relate especially to the use of performance indicators for identifying improvement needs and for setting and recording the objectives as well as to the project management. Improvement needs in the utility activities and organisation result, among other things, from the general development in quality assurance thinking and techniques as well as from the extended use of contractors other than the plant supplier in the design and implementation of plant modifications. Improvement needs also result partially from TVO's partial transition from an organisation operating the plant to an organisation designing the plant instead of ABB Atom AB. The results of the review are in compliance with the findings that STUK made in its own inspections. In order to respond to the improvement needs, TVO has initiated a comprehensive program to improve actions, one part of which is the development of the quality assurance approach. Detailed action plans will be revised during the year 1998.

During the past years the general requirements for the quality assurance have changed, due to the introduction of different standards, in a way, that, according to the STUK's review, hasn't been taken fully into account in TVO's actions. Bringing the quality assurance to meet the higher requirements requires, that TVO's actions and organisation are developed based on the surfaced improvement needs.

The conclusion is that TVO's quality assurance meets the provisions set forth in the Section 5 of Decision 395/1991. Quality assurance should, however, be developed, taking into account the changed requirements and the improvement needs found in the aforementioned review.

2.4 Demonstration of compliance with the safety regulations

If compliance with the safety regulations cannot be directly ascertained, fulfilment shall be demonstrated by the necessary experimental and calculational methods.

Nuclear power plant safety and the design of its safety systems shall be substantiated by accident analyses and probabilistic safety analyses. Analyses shall be maintained and revised if necessary, taking into account operating experience, the results of experimental research and the advancement of calculating methods.

The calculating methods employed for demonstrating the meeting of the safety regulations shall be reliable and well qualified for dealing with the events in question. They shall be applied so that the calculated results are, with a good confidence, less favourable than the results which are considered best estimates. Furthermore, analyses which picture the likely course of transients and accidents shall be conducted for the purpose of probabilistic safety analyses and for the development of emergency operating procedures. (Section 6 of Decision 395/1991)

Detailed requirements of the Section 6 of Decision 395/1991 for safety systems concerning the demonstration by calculational methods have been presented in the Guide YVL 2.2 which also covers the requirements concerning the reliability and validation of calculation methods. The analyses needed for demonstrating the fulfilment of criteria concerning especially fuel, have been described in the Guide YVL 6.2. Requirements concerning probabilistic safety analyses have been presented in the Guide YVL 2.8.

The compliance with the safety regulations in different transient and accident situations of the plant is demonstrated by the means of calculatory analyses. These analyses clarify both the course of transient from the initiating event to the point where the plant reaches a safe state and the frequency of the transient (event frequency). In the first case the transient and accident analyses are in question, whereas transient frequency is the subject of probabilistic safety analyses. In practice both analyses are often used parallel to each other, because frequency estimates affect both the selection of transient situations to be analysed in detail and the approval criteria to be applied to the results of transient and accident analyses.

Transient and accident analyses

Transient and accident analyses as well as analysis methods describing the operation of the Olkiluoto plant units 1 and 2 have been maintained and developed during the entire time of plant operation. The analyses concerning the operation of Olkiluoto plant units 1 and 2 have been completely renewed during the modernisation project currently in progress. In addition to the uprated power level the analyses have taken into account e.g. the changed reactor power/flow rate area and the structural modifications of fuel rods and reactor internals. To ensure that the scope of analyses is adequate TVO has conducted a failure consequence analysis, where consequences of the transients caused by system and equipment failures have been considered from the standpoint of plant operation. Based on the review, the available transient and accident analyses cover well the transients caused by system and equipment failures that may surface in plant operation.

In connection with the modernisation project, new analysis methods for description of accident situations have also been taken into use together with the new systems. The analysis of transient situations has been improved by the means of a new computer code capable of three dimensional modelling of the reactor core, due to which e.g. the reactor stability and the course of reactivity accidents can be observed more accurately than before. A completely new tool has been developed for the analysis of reactor shutdown through the boron system by connecting the thermohydraulics of the computer code used for the analysis of loss-of-coolant-accidents with the neutronics of the model describing the aforementioned reactor core. Computer codes developed especially for the description of severe accidents have been also used in the analyses.

The performed analyses and the methods used in them have been described in the Safety Analysis Report, related topical reports and in the pre-inspection documents of the systems.

STUK has inspected the essential parts of the analyses and applied methods described in the Safety Analysis Report, related topical reports and pre-inspection documents. STUK itself has also conducted or purchased comparison analyses, by the means of which both the applicability of analysis methods to the description of different transients, and the sensitivity of analysis results to the parameters describing the plant status, course of an accident or functioning of the models has been clarified.

STUK's review is that the plant behaviour in different transient and accident situations has been analysed comprehensively and that the methods used in the analyses are properly validated to describe the operation of the Olkiluoto plant.

The conclusion is that the transient and accident analyses concerning the Olkiluoto plant have been conducted according to the manner meant in the Section 6 of Decision 395/1991.

Test operations

An essential part of the modernisation and power uprating projects at the Olkiluoto plant units has been the test operation. The objective of the test operation is to demonstrate planned and safe operation of modified systems and the plant integration made up of these systems in normal operating conditions and in certain probable transient conditions. Test operation has also been used as a part of design, when such modifications have been made to the systems of the plant units and set limits of the control systems that enabled the operation of the units at the uprated power level and improved their transient behaviour and mitigated sensitivity for the transients.

Test operation included system related tests, plant unit related transient tests and so-called long-term test operations, during which the reactor was operated at an uprated constant power for a longer period of time. Test operations were conducted in stages at different power levels under STUK's supervision and within the frames permitted by STUK. Before uprating the reactor power to a higher power level STUK conducted a safety review concerning the test operation for the power level in question and asked the Nuclear Safety Advisory Committee for a statement concerning the review before granting the test operating license.

Test operation programs that included the entire plant units and were drawn up by the TVO, were based on the original test programs that were ran through during the start-up phase and that were modified taking into account the test requirements caused by the modernised systems. One principle was also to minimise the loads to structures and equipment caused by the test operation, due to which the different transient tests concerning the behaviour of the entire plant units were evenly distributed, when possible, to both plant units.

For the long-term test operation of the plant units the reactor powers were uprated step by step from the nominal power of 2160 MW to 2500 MW. The test operation begun at the Olkiluoto plant unit 1 after the 1996 refuelling outage, when the reactor power was uprated to a 105% level from the nominal power of 2160 MW. In 1997 the test operation was continued at the Olkiluoto plant unit 1 unit and was begun at the Olkiluoto plant unit 2 unit at a 109% level on both units. The reactor powers were uprated to the final level of 115.7% (2500 MW), designed in the modernisation, after the 1998 annual maintenance outage.

The most significant plant transient tests of the test operation were the load tripping test, turbine scram test and the by-pass test of the high-pressure preheaters. Furthermore, tripping tests of condense and feed water pumps were conducted. In addition to the plant transient tests the functioning of the most important control systems was tested in separate pressure, power and feed water transient tests. During the long-term tests following matters, for example, have been monitored: the behaviour of the reactor core, the functioning of condensate and reactor water clean-up systems, erosion and corrosion effects, vibration levels of pipelines and turbine generator, temperatures of rooms and electric appliances, radiation levels in systems and rooms of the reactor plant.

As a preliminary view of the test operation it can be said, that no such matters have thus far emerged in the test operation that might form an obstacle to a continuos and safe operation of the plant units at the 2500 MW reactor power level. Based on the observations made during the test operation, several modifications were made to the plant systems to complement the plant and the system design that were conducted in connection with the modernisation or to repair deficiencies. Some of the observations were made only after a longer period of lower power level test operation. Since many factors that are followed in the long-term tests and that significantly affect the functioning of the plant units require a long-term follow-up, STUK considers it necessary to continue the test operation at the 2500 MW power level for at least two months. After this STUK gives an review on the preconditions of continuing the operation of the plant units at the 2500 MW power level.

Probabilistic safety analyses

By the means of probabilistic safety analyses (PSA) the effects of different initiating events—plant transients, fires, internal floods, harsh weather conditions and earth-quakes—to the plant safety are assessed.

PSA describes the course of the accident from the initiating event to the reactor core damage and assesses the probability of failure to manage the transient caused by the initiating event and the initiating event itself. The objective is to model plant systems and their operation so accurately that the effect of accident and transient situations, equipment failures as well as operation and maintenance errors to the plant operation can be clarified.

A so-called accident sequence is determined by the accident's initiating event and failures in the safety systems as well as failures in operator actions. The probabilities of initiating events that initiate an accident are assessed on the basis of both plant-specific and world-wide operating experience. The functions of the safety systems and the actions of the plant personnel to prevent the damage of the reactor core are analysed by the means of e.g. thermohydraulic analyses, system analyses as well as operation and emergency procedures. The failure probability of these actions is assessed by the means of gathered operating experience. A special attention in the analyses is paid to the common cause failures, which can simultaneously cause the inoperability of several safety systems. When the core damage probabilities of different accident sequences are connected, the result is the core damage probability for the entire plant, which is one of the measures describing the plant's safety level.

In 1984 STUK required that TVO shall conduct a comprehensive probabilistic safety analysis (PSA) referring to Olkiluoto plant units 1 and 2, with the objective to clarify plant related “risk topographies” and to train the personnel to understand more profoundly the plant and its behaviour as a whole in different accident situations. In the first part of the PSA, TVO was to analyse the probabilities of accident sequences leading to a reactor core damage (level 1). In the second part of the PSA, TVO was to observe the damage mechanisms of the reactor core and the course of an accident as well as to group the accident sequences to release categories according to the amount of radioactive substances released to the environment, release mode and timing of release, and to assess the occurrence probabilities of these release categories (level 2).

TVO delivered the level 1 PSA, for the part of analysis of internal initiating events, to STUK in the summer of 1989. The analysis contained an review of risks caused by different plant transients, ruptures of cooling piping and disturbances of electrical network (internal initiating events). After the analysis, improvements were made e.g. on emergency and operation procedures, which endeavour to ensure the supply of excess water to the tanks of the auxiliary feed water system and to the condenser, electrical supplies from the diesel generators of the neighbouring unit as well as the manual depressurisation of the reactor conducted from the relay room. Furthermore, modifications that affect the damage probability of the reactor core were conducted in connection with the modernisation, for example

  • two valves that apply to both the steam and water blow-ups were added to the reactor over pressure protection system
  • turbine control and protection system was modernised
  • plant's grid connections were improved by installing a parallel start-up transformer and a connection from the hydro power plant.

Due to the modifications, the probability of a core damage caused by internal initiating events has dropped from the 1989 value of 4 × 10–5 to 6.3 × 10–6 p.a.

Fire risks at the plant were assessed in an analysis completed in 1991. According to the analysis the probability of reactor core damage caused by a fire was approximately 1 × 10–5 p.a. To reduce the fire risks improvements were made e.g. in fire protection and separation of cables important to safety, in plant's fire compartments and in the protection of the 6 kV electric bus. According to the new results the probability of core damage caused by fires at the Olkiluoto plant is 3.2 × 10–7 p.a.

Outage risks were assessed in an analysis completed in 1992. The probability of reactor core damage during an outage was assessed to be approximately 3.6 × 10–6 p.a. The most significant outage risk proved clearly to be the bottom leakage of the reactor vessel caused by a maintenance error of main circulation pumps. To reduce the risk the instructions of maintenance work were improved and the Technical Specifications were modified in such a way that the lower personnel hatch is kept closed during the maintenance of main circulation pumps. These measures have reduced the risk of a core damage during an outage to 2.7 × 10–7 p.a.

As a part of the PSA, TVO analysed also the risks caused by internal floods. According to a study conducted in 1994 the core damage frequency caused by floods is approximately 1.4 × 10–6 p.a. Recently conducted plant modifications haven't significantly affected this value.

A limited weather risk analysis was conducted to assess the risks caused by the severe blizzard and the frazil ice experienced in the beginning of 1995. Severe blizzard and frazil ice were found to be very significant risks. The probability of reactor core damage caused by them was at that time assessed at approximately 2 × 10–5 p.a. Following plant modifications were made to reduce the risks:

  • To improve the reliability of emergency electrical supply, automatically opening dampers based on the pressure difference operation, were installed in the diesel generator system during the 1996 annual maintenance outage, so that the combustion air can be taken directly from the rooms.
  • A system that supplies warm water, when necessary, to plant units' sea water inlet was built for the plant to reduce the risk caused by frazil ice. The system secures the supply of condenser water to the plant by preventing the blockage of the sea water canal caused by icing.

By the means of modifications the risk of a core damage caused by weather conditions has been reduced to 9 × 10–7 p.a.

The most recent level 1 PSA risk analysis, concerning earthquakes, was completed in 1996. Especially direct-current systems and accumulators were found to be sensitive to minor earthquakes. To reduce the risks, modifications have been made to support the accumulators in the direct-current systems that are important to safety and to anchor rectifier/inverter cabinets to the load bearing structures. After the modifications the probability of a core damage caused by an earthquake is approximately 5 × 10–6 p.a.

Overall probability of core damage is approximately 1.4 × 10–5 p.a. when all aforementioned factors are taken into account. The internal initiating events form most of the risk.

TVO also delivered to STUK the level 2 PSA, in which the durability of the containment and the releases of radioactive materials to the plant vicinity are assessed. According to the analysis the probability of a release to the environment is 4 × 10–6 p.a., which is approximately one decade smaller than the probability of core damage. The risk of release is greatest during the operation at power. The biggest threats to the integrity of the containment are caused by the delay of flooding beneath the reactor and overpressurisation following the burst-out of the reactor pressure vessel.

STUK has inspected the analyses that TVO supplied by the means of a PSA-program it has developed. The inspection showed that, in its analyses, TVO applied generally approved methods in modelling the transient and accident situations of the plant as well as in obtaining and handling of the reliability data. In the level 2 PSA, the specification of results requires further development of the models describing the course of an accident.

STUK's review is that TVO demonstrated the plant safety and plant's safety related technical solutions by probabilistic safety analyses and by using appropriate methods according to the Section 6 of Decision 395/1991.


3 RADIATION SAFETY

3.1 Limitation of radiation exposure

Radiation exposure arising from the operation of a nuclear power plant shall be kept as low as reasonably achievable. A nuclear power plant and its operation shall also be designed so that the limits presented in this decision are not exceeded. (Section 7 of Decision 395/1991)

Section 7 of Decision 395/1991 contains the ALARA principle of the radiation protection and the requirements that concern the consideration of limits that relate to releases of radioactive materials.

More precise requirements relating to the Section 7 can be found in Guides YVL 7.1 and YVL 7.9. Detailed requirements concerning the limitation of radiation exposure to nuclear power plant workers and population can be found in Guides YVL 7.2, YVL 7.3, YVL 7.8, YVL 7.10, YVL 7.11 and YVL 7.18.

Collective radiation exposure of population in the plant environment

The Olkiluoto plant uses efficient systems to process liquid and gaseous releases so that the releases to the environment are very small during normal operation. The effect that the releases have on the radiation exposure of people living in the plant vicinity is so small that it can only be assessed calculatorily. For example, the calculatory radiation exposure arising from the 1997 releases to the population living less than 100 km away from the plant had a magnitude of approximately 0.001 manSv, which is less than one millionth of the radiation exposure arising from natural background radiation and radiation used for medical purposes in a similar time span. The increase that the releases cause to the background value of long life radioactive materials is very small, which means that even in the long run the releases do not increase the doses received in the plant environment.

One part of the Olkiluoto modernisation project is to reduce water releases by the means of recovering reactor water during fuel replacement and by making more efficient the particle filtration of waters to be released.

Radiation and Nuclear Safety Authority (STUK) has approved a procedure concerning the monitoring of releases and a method used for calculating the radiation doses of population, which are included in the Olkiluoto plant operating procedures. TVO supplies to STUK an annual summary concerning the releases and calculatory doses, and reports the results of radioactivity measurements conducted in the environment. In inspections conducted regularly at the plant STUK makes sure that the actions of TVO are reliable.

Neutron radiation activates the oxygen in the reactor water and short-life nitrogen-16 isotope is produced. In the boiling water reactors this activity drifts with the steam to the turbines, which causes an ascent in radiation levels of the environment. This radiation is clearly perceivable in the Olkiluoto plant area and its immediate vicinity. When the reactors operate at full power, the ascent of radiation levels caused by this is within the same magnitude with the natural background radiation.

The conclusion is that the Olkiluoto plant fulfils the requirements set forth in the Section 7 of Decision 395/1991 as far as the environmental radiation safety is concerned.

Collective radiation exposure of workers

According to the Guide YVL 7.9 the objective is to limit the collective radiation exposure of the nuclear power plant workers to 2.5 manSv/GW nominal electric power, calculated to one reactor unit as an average of two consecutive years. According to the Guide the limit for the Olkiluoto plant is 3.6 manSv p.a. on both units together, calculated on the nominal power levels preceding the power uprating.

The radiation safety of workers depends on the structure and maintenance of the plant and on the radiation protection conducted in connection with work. In addition to the integrity of nuclear fuel and the functioning of clean-up systems, the radiation safety at the plant is affected by e.g. executions of rooms, functions, radiation shielding and measurements. The most important administrative measures of the radiation protection are the areal zones based on radiation levels and related limitations, work permit practice, the radiation protection training and the radiation protection instructions related to it. Doses are monitored by the means of a dosimeter that is read monthly and by an indicating dose meter, whose measurements are followed concetratedly by an automatic operating system.

The combined collective doses of workers at both units of the Olkiluoto plant have varied annually from 1 to 2.8 manSv depending on the amount and extent of outage works. The amount of exposure is clearly smaller compared to the average information gained from the boiling water plants of the same vintage and falls clearly below the limit set in the Guide YVL 7.9.

Inspite of comprehensive modernisation work no rise has been observed in the annual collective doses of workers at the Olkiluoto nuclear power plant. The collective doses of the last three years have been smaller than the doses in the beginning of the decade. Radiation exposure has been reduced by e.g. improving the water chemistry of reactors. Working methods that relate to the radiation protection of workers have also been continuously improved.

STUK's review is that the limitation of personnel's radiation exposure has been arranged appropriately at the Olkiluoto plant. Measures for limiting radiation exposure shall be continued according to the ALARA principle. In design and implementation of actions, measures must be taken to prepare for changes in the radiation level of the plant and for the amount and difficulty of maintenance and repair work caused by the ageing of the plant.

The conclusion is that the radiation protection of the workers at the Olkiluoto plant meets the provisions set forth in the Section 7 of Decision 395/1991.

3.2 Radiation safety of nuclear power plant workers

A nuclear power plant's design and operation shall be implemented so that radiation exposure to workers can be limited as separately enacted. (Section 8 of Decision 395/1991)

The valid dose limits for workers are included in the Radiation Decree (1512/1991). The dose limit of an individual worker due to the radiation exposure is 50 mSv p.a. It is also required that the radiation exposure of an individual occupied with radiation work is limited so that the dose doesn't exceed 100 mSv during a five year period.

At the Olkiluoto plant the radiation dose monitoring of workers and reporting of measured data to STUK's dose registry has been developed during the plant operation according to the Guides YVL 7.9 and YVL 7.10. Authorities responsible for radiation safety in Finland and Sweden agreed already in 1983 on a practice, according to which the radiation exposures received in the other country are reported to the national registry of the worker's home country. Radiation doses received elsewhere in the world are reported to STUK by the means of a special dose passport, use of which is regulated also by the EC enactment.

The radiation doses of the Olkiluoto plant workers have been clearly below the enacted dose limits. The biggest annual radiation dose of an individual worker at the Olkiluoto plant has typically been under 20 mSv, whereas the average annual dose has been under 4 mSv. In 1997 the biggest radiation dose of an individual worker at the plant was 15 mSv. During the period 1993–1997 the biggest five year dose of a Finnish nuclear power plant worker, who had also worked at the Olkiluoto plant, was 54 mSv.

The conclusion is, that the radiation dose monitoring of the Olkiluoto plant workers has been implemented according to the manner set forth in the Section 8 of Decision 395/1991. In the future special attention shall still be paid to the dose control of workers, who work at several nuclear power plants in areas requiring radiation protection.

3.3 Limit for normal operation

The limit for the dose commitment of the individual of the population, arising from normal operation of a nuclear power plant in any period of one year, is 0.1 mSv. Based on this limit, release limits for radioactive materials during the normal operation of a nuclear power plant are to be defined. (Section 9 of Decision 395/1991)

The provision included in the Section 9 of Decision 395/1991 concerning protection of individuals shall be implemented together with the ALARA-requirement concerning the limitation of radiation exposure (item 3.1). Guides YVL 7.2 and YVL 7.3 present detailed requirements for calculation methods, which are used for assessing the radiation exposure of the population.

Release limits of radioactive materials at the Olkiluoto plant have been defined in the Technical Specifications concerning the operation of the plant units. Limits were defined separately for radioactive inert gas and iodine releases to the atmosphere and for releases to the water. In addition to the overall limit concerning the water releases a nuclide related release limit has been set for tritium. The purpose of the release limits is to limit the annual radiation exposure, arising from the operation of the plant units, to an individual of the population in the environment clearly under the limit 0.1 mSv set forth in the Section 9. The power company shall continuously follow the releases and the radioactive materials occurring in the plant environment and report unusual situations immediately to STUK.

In the environment of the Olkiluoto nuclear power plant the calculatory dose commitment of the most exposed individual in 1996, reported by the Teollisuuden Voima Oy, was under 0.001 mSv, which falls clearly below the limit presented in Decision 395/1991. Comparison calculations conducted by STUK resulted in a similar value. The calculatory dose has been in the same magnitude in recent years, but will decrease in the future due to measures that will decrease liquid releases from the Olkiluoto plant.

The conclusion is that the Olkiluoto plant meets the provisions set forth in the Section 9 of Decision 395/1991.

3.4 Limit for an anticipated operational transient

The limit for the dose of the individual of the population, arising, as the result of an anticipated operational transient, from external radiation in the period of one year and the simultaneous radioactive materials intake, is 0.1 mSv. (Section 10 of Decision 395/1991)

In cases where operational transients can cause a release of radioactive materials, the radiation doses in the environment of the plant, arising from the release, shall be assessed. Detailed requirements concerning the analyses of the anticipated operational transients are presented in the Guide YVL 2.2. Requirements concerning the methods used in assessing radiation exposure are presented in Guides YVL 7.2 and YVL 7.3.

The analyses concerning anticipated operational transients have been presented in the Safety Analysis Reports concerning the Olkiluoto plant units 1 and 2. According to the results of the analyses, anticipated operational transients do not cause fuel damage, but potential releases to the environment consist only of radioactive materials that normally exist in primary circulation water or clean-up systems. The biggest releases, from the analysed situations, were caused by the simultaneous impairment of moderation tanks of exhaust gas system and coal filters. The resulted radiation doses outside the plant area are, however, less than half of the limit specified in Decision 395/1991.

The conclusion is that the Olkiluoto plant meets the provisions set forth in the Section 10 of Decision 395/1991.

3.5 Limit for a postulated accident

The limit for the dose of the individual of the population, arising, as the result of a postulated accident, from external radiation in the period of one year and the simultaneous radioactive materials intake, is 5 mSv. (Section 11 of Decision 395/1991)

Detailed requirements concerning the analyses on postulated accidents are presented in the Guides YVL 2.2, YVL 7.7 and YVL 7.3.

The biggest releases, from the postulated accidents analysed for the Olkiluoto plant, are caused by a complete blockage of the fuel channel, which leads to a partial melt-down of one fuel rod assembly. The analysis postulates that inert gases are released fully from the failed assembly to the primary circuit, and that correspondingly approximately 25% of iodine and caesium is released. It has been assessed that an accident would, at most, cause a dose of approximately 1 mSv outside the plant area, which falls clearly below the limit presented in Decision 395/1991.

The conclusion is that the Olkiluoto plant fulfils the requirements set forth in the Section 11 of Decision 395/1991.

3.6 Limit for a severe accident

The limit for the release of radioactive materials arising from a severe accident is a release which causes neither acute harmful health effects to the population in the vicinity of the nuclear power plant nor any long-term restrictions on the use of extensive areas of land and water. For satisfying the requirement applied to long-term effects, the limit for an atmospheric release of cesium-137 is 100 TBq. The combined fall-out consisting of nuclides other than caesium-isotopes shall not cause, in the long term, starting three months from the accident, a hazard greater than would arise from a caesium release corresponding to the above-mentioned limit.

The possibility that, as the result of a severe accident, the above mentioned requirement is not met, shall be extremely small. (Section 12 of Decision 395/1991)

The application of the Section 12 of Decision 395/1991 to the nuclear power plants in use is regulated in the Section 28 and detailed requirements related to it are presented in the Guides YVL 1.0 and YVL 2.8.

When Olkiluoto plant units 1 and 2 were built, a sufficient safety level was considered as one that could be obtained by designing the plants so that they can overcome anticipated operational transients and postulated accidents without comprehensive damage to the fuel in the reactor. The requirement, that the plants should also overcome severe accidents, where the reactor core is partially or completely melted, was introduced only after the plants were built. This has made it necessary to modify the plants afterwards by changing the method of application of some systems and by installing some completely new systems. The biggest plant modifications were conducted during 1988 and 1989, when e.g. filtered pressure suppression system, through which steam and non-condensable gases can be blown out of the containment to prevent an uncontrolled overpressurisation of the containment, was installed on both plant units.

Releases and their dose consequences arising from severe accidents at Olkiluoto plant units 1 and 2 have been assessed in situations where the containment maintains its integrity and in situations where the integrity of the containment is lost through the overheating of structures, slow overpressurisation or a sudden pressure shock.

Accident analyses, presented in the Final Safety Analysis Report, that describe the function of the containment in different accident situations, have looked at the course of a severe accident in a situation where the accident management systems function as designed. When the containment maintains its integrity, the pressure inside the containment rises until steam and non-condensable gases are blown out. The pressure suppression is carried out through a filter that absorbs efficiently all radioactive materials except inert gases and organic iodine. Due to this, the long-term effects of a release remain small and fall clearly below the aforementioned limit 100 TBq. Nor do the releases cause immediate harmful health effects, although according to calculations based on the most conservative assumptions, the effective doses measured near the plant are notably high, but fall below the 0.5 Sv dose, which causes immediate health effects. The biggest portion of the dose is made up of an external dose received from inert gas releases.

The analyses, conducted by the TVO, have assumed that the portion of organic iodine from the overall quantity of iodine is small because of chemicals that are added to the water sprayed to the containment. Since the spray system wasn't originally designed for severe accidents, STUK has also required TVO to analyse situations where chemicals can't be fed to the containment. If it turns out that the absence of chemicals results in exceeding the release limits, a feeding of chemicals will be backed up.

According to the results presented in the Safety Analysis Report the current accident management systems can't ensure the integrity of the containment in situations where the primary circuit has a leak and hydrogen production is abundant during the core damage. The releases arising from these accident sequences were not calculated in the analyses, but it can be estimated that they exceed the release limits, specified in Decision 395/1991, for severe accidents.

The reliability of accident management systems has been examined in the probabilistic safety analysis drawn up by the TVO. For the purpose of the analysis mechanisms that may lead to rupture of the containment were clarified and the extent of failure arising from each mechanism was assessed. The analysis assessed both the probable occurrence of the aforementioned mechanisms and the quantity of releases arising from the possible failure.

According to the results of the probabilistic safety analysis the frequency of an accident, in which a considerable part of the reactor core is melt-down and the integrity of the containment is lost so that the releases arising from the accident exceed the aforementioned 100 TBq limit, is approximately 4 × 10–6/reactor year. This frequency estimate exceeds the designed objective, set for the new reactors in the Guide YVL 2.8, approximately by a factor of 10. According to the results of the analysis the biggest risk is caused by the delay of flooding in the space beneath the reactor or by overpressurisation following the burst-out of the reactor pressure vessel.

Based on the conducted studies TVO has launched a project, which endeavours during 1998 to clarify the means for ensuring the management of severe accidents and to reduce the probability of releases that exceed the release limits.

The conclusion is that due to the executed plant modifications and modifications currently under consideration, the Olkiluoto plant meets the provisions set forth in the Section 12 of Decision 395/1991 as well as practically possible taking into account the provisions set forth in the Sections 27 and 28.


4 NUCLEAR SAFETY

4.1 Levels of protection

In design, construction and operation proven or otherwise carefully examined high quality technology shall be employed to prevent operational transients and accidents (preventive measures).

A nuclear power plant shall encompass systems by the means of which operational transients and accidents can be quickly and reliably detected and the aggravation of any event can be prevented. Accidents leading to extensive releases of radioactive materials shall be highly unlikely (control of transients and accidents).

Effective technical and administrative measures shall be taken for the mitigation of the consequences of an accident. Counter-measures for bringing an accident under control and for preventing radiation hazards shall be planned in advance (mitigation of consequences). (Section 13 of Decision 395/1991)

Detailed requirements relating to the Section 13 of Decision 395/1991 are presented in the Guides YVL 1.0, YVL 2.8 and YVL 7.4.

Prevention

Olkiluoto plant has continuously utilised the experience and data, that the plant supplier, Asea-Atom AB, gathered in connection with design, construction and operation of the Swedish plants. The solutions implemented by TVO have, for the most part, been similar to the ones in corresponding Swedish plants, which has enabled the deployment of Swedish plants as a reference also in modifications implemented after the plant construction. When different technical solutions have been assessed in connection with modifications, TVO's policy has been to take into use only such systems, whose reliability and maintenance can also be assessed on the basis of operating experience.

New technology, such as control systems that use programmable automatisation and that don't come with the extensive operating experience that is usually available for modifications, has been installed to the plants in connection with the modernisation project. Due to the relative meagerness of operating experience special attention has been paid to the design and testing of systems. The biggest modifications, such as the modernisation of the electric drives in the main circulation pumps and the modernisation of the turbine control system, have been conducted in stages on different plant units. The modifications have also, according to possibilities, been taken into use in stages and by using the traditional analogous wired technology as a backup. According to the experience gained from the commissioning, special attention shall be paid to the forthcoming design and validation of systems that utilise new technology.

Management of operational transients and accidents

Olkiluoto plant units are equipped with measuring systems that continuously monitor the state of the processes to detect operational transients and accidents. An alarm limit, which, when exceeded, causes a transmission of an alarm signal to the control room, has been set for a large part of the measurements. When protection limits, which have, in addition, been set for the most important measurements, are exceeded, the protection system monitoring the measurements shuts down the reactor or reduces its power. If the measurements indicate a leak in the primary circuit, the system also starts the emergency cooling of the reactor and close the isolation valves of process pipelines penetrating through the containment wall. To ensure the reliability of functions, the protection system has been realised by four independent subsystems, where the function of two subsystems initiates the needed protection functions. According to the conducted analyses the measuring systems and protection systems are adequate for detecting transients in the plant operation.

TVO has continuously developed the process computer system that is operated by the control room personnel and that is responsible for gathering information from the measuring systems and transmitting it to the control room. A big modification, from the standpoint of accident management, was implemented in 1992, when the Safety Panel Display System (SPDS), in which the main measured variables related to different transients are grouped into their own entities, was taken into use. TVO implemented the modification so that the Display System supports the emergency instructions used by operators as well as possible.

To increase the efficiency of transient control, modifications, arising mainly from the changed reactor use at the new power level, to the protection system have been designed and executed in connection with the modernisation project. The tightened requirements concerning the management of a failed reactor scram have also caused some modifications to the protection system.

To develop the management of severe accidents at the Olkiluoto plant units, a containment building monitoring system, which is independent from other monitoring systems and normal electrical supply, has been taken into use. The task of the system is to ensure that information concerning the accident course is gained even in a situation, where all normal measuring systems are lost.

STUK's review is that the Olkiluoto plant units have such systems available, by the means of which both the transients and accidents can be detected and their aggravation prevented. Sections 3.6 and 4.5 present an review on how TVO meets the requirements concerning the probability of a large release.

Mitigation of consequences ´

TVO has taken steps to mitigate the consequences of an accident by planning the actions of the control room personnel in advance and by drawing up related instructions (emergency procedures), by ensuring the transmission of data from the control room to other parts of the organisation and to the regulatory body by the means of the process computer and by planning and exercising in advance the actions of the entire organisation for emergency preparedness situations.

A simulator, by the means of which exercising the management of different transient situations in realistic conditions is possible, was used in the preparation of emergency procedures and in the training of operators. The applicability of the emergency procedures was assessed e.g. in connection with the probabilistic safety analyses, when the probability and the consequences of operator errors were examined.

To ensure the transmission of data also in accident situations the process computer connection has, in addition to the control room, been arranged to the commander centre and air-raid shelter of the power plant as well as to STUK. The data transmission connection makes it possible to follow the state of the plant almost in real time also from outside the control room. The operation, by utilising the connection, has been tested in emergency preparedness exercises. Experience shows that an on-line connection facilitates the communication between the regulatory body and the power company, and reduces the risk of acting on false or insufficient information.

An emergency preparedness plan, that e.g. defines the emergency preparedness organisation with its responsibilities and duties used in accident situations and presents detailed instructions on how to organise the operation and to inform from it in accident situations, has been drawn up against accidents. Operation in accident situations shall be exercised regularly.

STUK's review is that TVO has taken proper measures to mitigate accident consequences.

The conclusion is that the Olkiluoto plant fulfils the provisions set forth in the Section 13 of Decision 395/1991.

4.2 Technical barriers for preventing the dispersion of radioactive materials

Dispersion of radioactive materials from the fuel of the nuclear reactor to the environment shall be prevented by means of successive barriers which are the fuel and its cladding, the cooling circuit (the primary circuit) of the nuclear reactor and the containment building. (Section 14 of Decision 395/1991)

Detailed provisions concerning the functioning of technical barriers are given in the Sections 15, 16 and 17 of Decision 395/1991.

The operation of a nuclear power plant produces radioactive materials from fuel pellets fabricated of uranium dioxide mainly as a result of fission of uranium nuclei. Uranium dioxide matrix as such forms the first barrier against the dispersion of fission products. Under normal operating conditions, when temperature of the uranium dioxide doesn't become exceptionally high, the majority of fission products remain inside the pellet (in the matrix).

Since a small part of the fission products, produced from the fuel, drifts outside the fuel matrix even during normal operation, the excursion of fission products outside the reactor core has been prevented by embedding the fuel pellets into gas-tight cladding. The cladding material is, due to its properties, well suited for the conditions existing in the reactor and also meets the exceptional endurance requirements set by the high temperatures. According to the operating experience gained from the manufacturer and the results of laboratory researches, the oxide layer, arising from corrosion, on the cladding surface remains within acceptable limits and the ductility properties of the material remain adequate during the fuel's operating life. These observations were also verified in inspections, directed at spent fuel, that were conducted at the plant.

The basis for the design of the plant is that the releases to the environment shall remain within the set limits, even if approximately one percent of the fuel rods (after the power uprating approximately 45 000 fuel rods at the Olkiluoto plant unit 1 and approximately 41 000 fuel rods at the Olkiluoto plant unit 2) contained by the core lose the integrity of the cladding during normal operating conditions. The water treatment system of the reactor primary circuit is equipped with filters, which allow an controlled gathering and removal of fission products—once released into the cooling water—and corrosion products activated by the neutron radiation. Operating experience has shown that fuel leakage are rare and that systems are adequate for keeping the activity concentrations of the primary circuit within acceptable limits.

Oxidation, that is above the normal level, has been observed in the fuel rod cladding material of some production lots under the interlattices of fuel assemblies at the Olkiluoto plant unit 2. Indications from the phenomenon were received from the Swiss Leibstadt plant. According to the preliminary results the oxidation of claddings has, however, been considerably slower in Olkiluoto than in Leibstadt. Additional inspections, by the means of which the decision on possible follow-up measures is to be made, for the type of fuel in question, were conducted during the spring of 1998 and will be conducted in the next refuelling outage. The fuel type prone to oxidation will, according to current plans, be removed from use after the next few operating periods.

The next barrier, after the fuel (uranium dioxide matrix and the surrounding gas tight cladding), against the dispersion of radioactive materials is the pressure retaining boundary of the primary circuit. The reactor pressure vessel is manufactured from the low alloyed steel generally applied in western countries and its inner surface is lined with the stainless steel. The pipelines connected to the pressure vessel are manufactured either from stainless steel or low alloyed steel. Current requirements related to the basic dimensioning of the primary circuit are for the essential parts same as during the plant construction.

The last barrier, that surrounds the reactor pressure vessel and part of the connected pipelines, is a cylindrical, gas tight containment building, built out of prestressed concrete, having bottom and upper slabs manufactured from concrete and on the top also a removable steel cupola for opening the reactor pressure vessel. The containment building is designed and dimensioned according to the requirements set during the plant construction.

The conclusion is that the Olkiluoto plant is equipped with the technical barriers, that are meant in the Section 14 of Decision 395/1991, against the dispersion of radioactive materials.

4.3 Ensuring fuel integrity

The probability of significant degradation of fuel cooling or of a fuel failure due to other reasons shall be low during normal operational conditions and anticipated operational transients.

During postulated accidents, the rate of fuel failures shall remain low and fuel coolability shall not be endangered.

The possibility of a criticality accident shall be extremely low. (Section 15 of Decision 395/1991)

Detailed requirements related to the Section 15 of Decision 395/1991 are presented in the Guides YVL 1.0, YVL 2.2, YVL 2.8 and YVL 6.2.

A starting point in ensuring the fuel integrity is that the properties of the fuel are known accurately enough, so that the plant operation and management of transient situations can be planned with the objective that fuel does not fail in any design bases situation. To ensure the properties of the fuel, maximum limits have been set for e.g. fuel burn-up and for the quantity of fission gases released during operation from the fuel pellet inside the rods. The limits have been set so that their fulfilment can be demonstrated already in connection with the design by the means of calculatory analyses and measurements conducted by the fuel manufacturer. At Olkiluoto plant the fulfilment of the set limits, for the part of fuel types used so far, has also been demonstrated by measurements performed to the spent fuel.

The preservation of fuel integrity, under power variation situations that relate to normal operation of the reactor, is ensured by limits that concern power variation speeds and that are based on research on test reactors and on operating experience gained from the Swedish plants and elsewhere. The modernisation project doesn't have a significant effect on the limits concerning the power variations.

The effects of the modernisation project to fuel integrity in anticipated operational transients and accidents have been assessed by calculatory analyses, which have taken into account the plant modifications conducted at the plant in connection with the power uprating. A margin, that must be maintained between the power obtained from the fuel and the maximum cooling capacity that corresponds with the operating condition in question, is defined on the bases of the analysis results.

During the modernisation project measures have been taken to improve the preparedness for two transients that have earlier set the margins for operation: loss of electricity of the main circulation pumps and malfunction of the turbine pressure governor.

A transient, that is caused by a simultaneous tripping of the main circulation pumps—caused by a loss of electricity—is mitigated by adding a rotating mass to the electric drives, due to which the pumps stop at a longer delay. The delayed shutdown of the main circulation pumps limits the reactor power in a controlled manner before the loss of electricity causes the reactor to be shutdown by control rods.

In the modernised system, the steering of the pump shutdowns is conducted by the means of a programmable automation system. In addition, there is a separate protection logistics, which is based on constantly wired technology. Modifications concerning this system are still, for some parts, incomplete. At the moment both plant units are provided with new control systems for the four main circulation pumps. The modifications for the other two pumps of both units are scheduled for the outages in the summer of 1999.

Another transient that has before limited the power level of the plant is the malfunction of the turbine pressure governor. The pressure governor steers e.g. the steam flow to the turbines, and so the failure of the governor may cause a sudden stop in the steam flow to both the turbine and pass the turbine to the condenser. The pressure of the primary circuit rises when the flow stops, which results in the fall of the steam content in the reactor. As the steam content falls the reactor power tends to rise, and if the operational margins between the reactor power and the cooling capacity are not adequate, the power can locally rise so high that the fuel overheats. Although the cooling becomes adequate again as the pressure of the circuit falls, when the safety and pressure relief valves of the primary circuit open and the control rods shut down the reactor, the transient may, at this point, cause fuel failures in a limited part of the reactor.

The modernisation of the pressure governor, conducted in connection with the modernisation project, has aimed at reducing the failure frequency of the system so, that the pressure transient caused by a failure is no longer an anticipated operational transient but a so-called postulated accident, which enables the application of milder criteria in preparing for the transient. The failure of the turbine pressure governor still remains, however, as the transient that limits the power level, because preparing for it requires higher safety than preparing for other postulated accidents, such as a pipe break or a control rod drop. Pipe break accidents and control rod drop accidents have been analysed separately, and according to the analysis results the Olkiluoto plant units fulfil the underlying requirements in both cases.

The modernisation of the turbine control and protection system, which is also responsible for pressure control, has been completed on both plant units. According to the operating experience thus far, both systems have functioned as designed. A final review on the transient liability improvements attained by the means of the system, can be made only after several years of experience has been gained from the use of the system at the current power level.

The change of the reactor operating mode may cause the stability characteristics of the reactor to weaken. Instability causes the reactor power to oscillate, possibly even with a growing amplitude. To avoid such situations and possible fuel failures resulting from them, certain modifications, that have an positive effect on the reactor stability, have been made at the Olkiluoto plant units 1 and 2. Steam separators above the reactor core have been replaced by new separators that have a smaller throttling of pressure. Limits have been set for the reactor power distribution in such areas of the reactor mode, that are the most limiting from the standpoint of stability. Furthermore, along with the power uprating TVO begins the use of new, more stable fuel types. Stability control has also been ensured by increasing the efficiency of the partial scram .

The demand, that measures must be taken to prepare for a complete inoperability of the reactor scram system—a situation where control rods can't be pushed into the core by the means of the hydraulic scram system nor by electric motors—has also been taken into account in connection with the modernisation project. In order to escape the complete loss of the scram system without fuel failures, the reactor power must be quickly limited at the plant by controlling the feed water flow and main circulation pumps and by pumping boron solution into the reactor. To ensure the power limitation, modifications have been made in the protection system to the reduction of reactor pressure and to the operation of the feed water, main circulation and boron pumps. The capacity of the boron system has also been improved by increasing the concentration of the boron solution and the capacity of the pumps.

The objective is to keep the probability of a criticality accident adequately low during the outages and the refuelling by strict technical and administrative limits. The prevention of inadvertent criticality has also been taken into account in the storing and handling systems of the plant fuel.

The conclusion is that the fuel integrity of the Olkiluoto plant has been ensured according to the manner meant in the Section 15 of Decision 395/1991 after the aforementioned modifications, that are planned for the year 1998 have been made.

4.4 Ensuring primary circuit integrity

The primary circuit of a nuclear reactor shall be designed so that the stresses imposed upon it remain, with sufficient confidence, below the values defined for structural materials for preventing a fast growth crack during normal operational conditions, anticipated operational transients and postulated accidents. The possibility of a primary circuit break due to other reasons shall be low, too. (Section 16 of Decision 395/1991)

The primary circuit of the Olkiluoto plant units 1 and 2 includes the reactor pressure vessel, the internal main circulation pumps with heat exchangers as well as the pipelines and their accessories from the reactor pressure vessel up to the outer isolation valves of the containment. The requirements concerning the construction plan of the primary circuit components are presented in the Guides YVL 2.4, YVL 3.1, YVL 5.3 and YVL 5.4. The components that fall into the safety class 1 have been designed according to the standard ASME Boiler and Pres-sure Vessel Code, Sec-tion III.

The integrity of the primary circuit in the nuclear power plant may be threatened, if, at the plant, there is a transient that causes the circuit pressure and the loads arising from local thermal expansion of material to exceed the values used in design, or if, as a result of plant ageing, the structural materials of components degrade uncontrollably due to changes in structural properties, thinning of wall thickness, fatigue of metal or cracking.

In addition to the conditions that prevail during operation, anticipated operational transients and postulated accidents have been taken into account in the design of the primary circuit. During operation the circuit is loaded by the temperature changes that arise from the start-ups and shutdowns of the plant units as well as from operational transients that cause changes to the stress state of the structures and metal fatigue. Loads arising from plant operation are monitored continuously and cumulative loads are compared to the values used in design. The loads arising from operation thus far, have been smaller than designed, and so, making an review based on this, the accumulation of primary circuit loads does not limit the designed operating life of the plant. On the other hand, it is possible that the accumulation rate of the loads increases in the future, if the plant becomes more sensitive to transients due to the power uprating. The accumulation of the loads at the new power level can be assessed reliably only after several years of operating experience at the uprated power level and with the modernised systems.

Two new safety valves have been installed on both plant units to maintain the pressure loading, arising from possible operational transients and postulated accidents to the primary circuit, below the values used in design also after the power uprating conducted in connection with the modernisation project. The new valves are different from the safety valves already at the plant, and so the modification has also made it possible to improve the reliability of the entire system. The pressure control of the cooling system has been implemented according to the accident and reliability analyses in a such manner, that no significant risk of circuit rupture, resulting from overpressurisation, is related to the transient situations.

The properties of the base material and weld seams in the primary circuit may degrade during operation due to changes in the structural properties of the material that are caused by neutron radiation, thinning of wall thickness caused by corrosion or initiation and propagation of cracks resulting from e.g. thermal stresses or stress corrosion.

Embrittlement of the pressure vessel is not a similar general problem at boiling water reactors as in old pressurised water reactors, because the dose of fast neutrons directed at the wall of the reactor pressure vessel is considerably smaller in boiling water reactors than in pressurised water reactors due to a longer distance between the core and the wall. Due to the character of boiling water reactors, a parallel existence of high thermal stresses and stresses caused by pressure is also not possible. Due to these reasons the embrittlement of the reactor pressure vessel does not limit the operating life time of the Olkiluoto plant.

Effects of corrosion have been prevented already in advance by e.g. material selections during the plant construction. The reactor pressure vessel is made out of low-alloyed MnMoNi steel, that has been layered with austenitic stainless steel weld except for the pump housing, which has a low operating temperature. The heat exchangers of the primary circulation pumps, and steam lines with their valves are of carbon steel while the other components are of high alloyed carbon steel or mostly of austenitic stainless steel. Due to the high alloyed steel, dry steam or low operating temperature, a general corrosion that reduces the wall thickness is either rare or non-existent. The erosion speed of steam lines is monitored by measuring the wall thickness of the lines regularly. No significant thinning has been observed, nor is the corrosion expected to speed up during the future operation.

Intergranular stress corrosion, which has occurred in the heat affected zone of the austenitic stainless steel base material beside the weld seam, is a problem for boiling water reactors. A narrow defect or a crack may initiate in a structure even if the thickness of the surrounding wall doesn't become any thinner. A stress corrosion mechanism like this requires the parallel existence of three factors: a high tensile stress, sensitised material and aggressive environment. Tensile stresses to material are generated by welding, which causes residual stresses that could, at the worst, be in the same magnitude with the material's yield strength. Welding arrangements can be used to affect residual stresses, and this has also been done when pipelines have been replaced to materials that have a better resistance against stress corrosion. Sensitising refers to the degradation of corrosion properties of material's grain boundaries e.g. as a result of thermal effect arising from welding. This means that a chromium poor zone liable for corrosion, is left in the vicinity of chromium carbide precipitates at the grain boundaries. The aggressive effect of the water in operating temperatures is aggravated especially by oxygen, which is always present in the water of a boiling water reactor due to radiolysis. An environmental effect can also be aggravated by other impurities in the water. Strict requirements have been set for water purity and the amount of impurities is monitored continuously.

The intention has been to design the processes in a such manner, that the lines do not become loaded uncontrollably, when flows of different temperatures get mixed. The elimination of some mixture items was not possible and they are under special monitoring. The condition of the primary circuit is monitored in periodical non-destructive inspections (section 5.2), which enable the detection of possible cracks already in their initiating phase. Furthermore, the material properties and the wall thickness of primary circuit lines at the Olkiluoto plant are such, that instead of a fast break a rupture will probably take place gradually, so that it can be observed on the basis of measurements as a leakage from the primary circuit to the internal space of the containment.

STUK's review, based on the experience gained from the ageing of nuclear power plants, is that the risk of a primary circuit break, caused by degradation of material properties or by growth or accumulation of loads, is not likely to increase significantly in the future. Since, at the moment, there is relatively little experience at hand from the operation of boiling water plants, that are over 30 years old, the effects of ageing can't be reliably assessed far to the future.

The conclusion is that the integrity of the primary circuit at the Olkiluoto plant has been ensured according to the manner presented in the Section 16 of Decision 395/1991.

4.5 Ensuring containment building integrity

The containment shall be designed so that it will withstand reliably pressure and temperature loads, jet forces and impacts of missiles arising from anticipated operational transients and postulated accidents.

Furthermore, the containment shall be designed so that the pressure and temperature created inside the containment as a consequence of a severe accident will not result in its uncontrollable failure.

The possibility of the creation of such a mixture of gases as could burn or explode in a way which endangers containment integrity shall be small in all accidents.

The hazard of a containment building failure due to a core melt shall also be taken into account in other respects in designing the containment building concept. (Section 17 of Decision 395/1991)

Detailed requirements relating to the Section 17 of Decision 395/1991 are presented in the Guide YVL 1.0.

Anticipated operational transients and postulated accidents have been taken into account in the design of containments for Olkiluoto plant units 1 and 2 by dimensioning the structures—according to the practice applied in the western countries—on the basis of loads arising from a sudden and complete break of the biggest primary circuit line. To condensate the exhausting steam from the primary circuit, the containment is provided with a condensing pool, to where the steam is directed by natural mechanisms, and with a spray system that is automatically turned on in accident situations. To remove the heat, that is released from the reactor core during an accident, from the containment the plant units are provided with the necessary intermediate cooling and sea water circuits, by the means of which the heat can be removed from the containment to the final heat sink, the sea.

The containments of the Olkiluoto plant units 1 and 2 have a steel concrete structure and their outer walls, in addition, have a prestressed structure. The integrity of the containment in a design basis accident is ensured by fitting a steel liner, which is, for all parts, protected from jet forces and flying objects considered possible in accident conditions, inside the containment wall. To minimise the releases arising from possible seal leakage of the penetrations, the containment has been placed inside the reactor building. The reactor building is provided with a ventilation system that enables the underpressurisation of the reactor building in relative to its environment and thus a controlled collection and filtering of the radioactive substances leaking from the primary containment in accident conditions.

In postulated accidents part of the fuel cladding material may become oxidised and cause also a hydrogen release. Also the radiation inside the reactor causes the water molecules to breakdown to oxygen and hydrogen. To eliminate the fire and explosion risk caused by the hydrogen, the containments of the Olkiluoto plant are inerted by nitrogen during normal operation at power except for short periods of time during start ups and shutdowns. Furthermore, the containment is provided with a separate hydrogen burn-up system, by the means of which the hydrogen released during the accident can be controllably burned back to water.

Design criteria that concern the containment and relate to the anticipated operational transients and postulated accidents have not changed after the construction of the Olkiluoto plant. The uprating of reactor powers at the plant units has, however, required some modifications to the containment systems. The uprating of the power level affects mostly the functioning of emergency heat transfer chain, because the magnitude of the decay heat power, to be transmitted during the accident, depends directly on the normal power level of the plant. Due to the power uprating currently under consideration, the capacity of the emergency heat transfer chain has been raised by increasing the capacity of heat exchangers. Nevertheless, the temperatures of the containment water pools rise over the originally designed values during a pipe break accident. The effect that the temperature rise has on the functioning of the containment has been analysed by calculatory means, and according to the conducted clarifications the temperature rise doesn't significantly increase the risk of loosing the containment leaktightness during an accident.

As the power of the plant increases, also the radiation level during an accident increases in the reactor, due to which more hydrogen and oxygen is released in a design basis accident. In order to prevent the growth of hydrogen fire risks due to the accelerated generation of hydrogen and oxygen during an accident, the limit of the oxygen content, that prevails during normal operation, has been reduced in the containment. According to the performed analyses, the modification is adequate for ensuring, that the contents of oxygen and hydrogen in the containment remain below the fire limit for 20 hours from the beginning of the accident without special measures, and that the capacity of the hydrogen burn-up system is adequate for preventing the initiation of uncontrolled fires from here on.

The effects that the plant ageing has thus far had on the containment and its systems have been relatively small. In the regularly conducted tightness tests of the containment no such increase of leaks has been observed that would indicate a degradation of sealing materials. The amount of preventive maintenance work, concerning mostly the sealing of expansion joint between the dry and wet well space of the containment, has, however, been relatively big, which is why TVO is at the moment clarifying the possibility of a structural modification, that would allow the reduction of maintenance need for the sealing of construction joint, prevention of possible tightness problems arising from ageing and possibly the improvement of sealing reliability in accidents more severe than the original design basis accident.

The starting point for design during the construction of Olkiluoto plant units 1 and 2 was, that by dimensioning the containments against pipe break accidents, their integrity could be ensured by an adequate certainty also in accidents, where the reactor core suffers substantial damage or even melts completely. The Harrisburg accident demonstrated that the loads arising from a pipe break accident on structures can't be considered commensurable with the possible loads arising from a core melt down accident especially in containments, where measures against the pipe break accidents include different steam condensing systems. The Harrisburg accident launched several new inspections, whose objective was both to clarify the character and magnitude of loads arising from a severe accident and to find means for controlling the loads. The inspections led to plant modifications, whose implementation was accelerated by the 1986 Chernobyl accident, which concretely demonstrated the importance of a functioning containment.

The most significant deficiencies at the Olkiluoto plant containments, from the standpoint of controlling severe accidents, have been the small size of the containment, which may cause the containment to pressurise due to the hydrogen and steam generation during an accident, and the location of the reactor pressure vessel inside the containment, which is such that the core melt erupting from the pressure vessel may expose the structures and penetrations, that ensure the tightness of the containment, to pressure loads and thermal stresses. To eliminate these deficiencies the containment is e.g. provided with a pressure suppression system, by the means of which gases that pressurise the containment can be removed through a filter designed for the purpose, if the pressure inside the containment threatens to grow too much. The part of the containment underneath the reactor pressure vessel can be flooded with water in order to protect the containment bottom and penetrations from the thermal effect of core melt. Some penetrations of the containment have been protected from the direct effect of core melt also by structural means. To ensure the cooling of reactor debris the plant units are also provided with a water flooding system, by the means of which the water level inside the containment can be raised all the way to the same level with the upper edge of the reactor core.

The means for managing severe accidents had to be adjusted to the existing systems, and so an optimal implementation of all chosen solutions was not possible.

The cooling of reactor core melt and the protection of containment penetrations requires that the lower dry well of the containment is flooded in such an early state of the accident, that if the pressure vessel bursts the erupting core melt falls into a deep water pool. When the core melt falls into the water tank a so-called steam explosion, which causes a strong and quickly propagating pressure wave in the water pool, may occur. A lot of research has been done on steam explosions, but it is still uncertain, how probable the explosion is, when the core melt and water meet, or how powerful the explosions may be. Based on inspection results and experience gained from e.g. metal industry, the possibility of a powerful explosion, that causes a pressure wave strong enough to rupture the structures of containment penetrations or personnel hatches, can't be ruled out. During 1998 TVO will examine the possibilities to strengthen the containment structures so, that the explosions would not cause a significant danger to the integrity of the containment during an accident.

According to the conception that existed, when measures to control severe accidents more effectively were designed, iodine occurs in the containment during accidents mainly as aerosols, which absorb effectively to the condensing pool of the containment and to the filter of the pressure suppression system. The Chernobyl accident and the tests conducted after it have, however, demonstrated that in unfavourable conditions iodine may also form organic compounds, that do not easily absorb to the containment or to the filter of the pressure suppression line. Such conditions may occur at the Olkiluoto plant, if the water inside the containment acidifies due to chemicals released during the accident. Organic iodine may also be generated in the primary circuit, if iodine reacts with the hydrocarbons, that are released, when the boron carbide contained by the control rods becomes oxidised during the core damage. During 1998 TVO will examine the possibilities to ascertain the absorption of iodine to the containment and to the filter of the pressure suppression line.

The conclusion is that the Olkiluoto plant fulfils the provisions set forth in the Section 17 in the extent that can be justifiably required from a plant, that was already operating when the regulations came into force. TVO is, at the moment, examining the possibilities to increase the efficiency of preparedness for severe accidents and will, after that, implement the plant modifications required by the Section 27 of Decision 395/1991.

4.6 Ensuring safety functions

In ensuring safety functions, inherent safety features attainable by design shall be made use of in the first place. In particular, the combined effect of a nuclear reactor's physical feedback shall be such that it mitigates the increase of reactor power.

If inherent safety features cannot be made use of in ensuring a safety function, priority shall be given to systems and components which do not require an off-site power supply or which, in consequence of a loss of power supply, will settle in a state preferable from the safety point of view.

Systems which perform the most important safety functions shall be able to carry out their functions even though an individual component in any system would fail to operate and additionally any component affecting the safety function would be out of operation simultaneously due to repairs or maintenance.

A nuclear power plant shall have on-site and off-site electrical power supply systems. The execution of the most important safety functions shall be possible by using either of the two electrical power supply systems.

Safety systems which back up each other as well as parallel parts of safety systems shall be separated from each other so that their failure due to an external common cause failure is unlikely.

In ensuring the most important safety functions, systems based on diverse principles of operation shall be used to the extent possible. (Section 18 of Decision 395/1991)

The most important safety functions of a nuclear power plant are 1) reactivity control, 2) decay heat removal from the reactor to the final heat sink and 3) functioning of the containment. Detailed requirements concerning the design and implementation of systems responsible for these functions are presented in the Guide YVL 1.0.

Reactivity control

The Olkiluoto plant reactors and their loading, operation and control has been designed and implemented so, that the combined effects of inherent, reactor physical feedbacks are always negative or, in other words, mitigate the increase of reactor power in all operating conditions of the reactor. Due to this power oscillations become smaller even without any functioning of active systems. The stability of the reactor has also been ensured by the means of e.g. a partial scram function, which has been designed to trip early enough to prevent fuel failures, even if the reactor, for some reason, would act unstably.

Reactor can be shutdown either by the control rods, that are operated by a pressurised nitrogen/hydraulic system and by electric motors, or by the boron system, which is used to pump boron solution into the reactor. The systems function on different principles and are independent from each other. Both systems receive automatic commands from the reactor protection system, but can also be tripped by the operators.

The loading of Olkiluoto plant units 1 and 2 has been designed and the reactors ordinarily operated so, that the reactor shutdown can be carried out both hydraulically and electrically, even if the most efficient control rod group from the fourteen groups is not functioning. Furthermore, it has been demonstrated by analyses that the pressure of the hydraulic system is adequate for the shutdown of the reactor, even if none of the relief and safety valves opened. Both the reactor protection system and the scram system have been designed while taking into account the single failure criterion.

Plant modifications, which ensure that the reactor can be shutdown by the boron system alone (see section 4.3), have been designed to prepare for a complete inoperability of control rods. The single failure criterion has been applied in the design of boron system as well.

The shutdown systems of the reactor have been designed so that in a situation, where electrical operating power is lost, the reactor is shutdown by the hydraulic system, which pushes the control rods into the reactor core. Control rods alone are adequate for keeping the reactor subcritical in all other operating conditions except possibly in severe accidents.

In a severe accident the control rods melt before the fuel rods, and so the reactor may go back to the power, if the core cooling during the core damage starts to work again. According to the conducted analyses the reactor power exceeds the capacity of decay heat removal systems after the cooling starts to work again in the most unfavourable conditions. To prevent this from occurring requires, that the reactor is kept shutdown by pumping boron solution into it. The modifications made in the boron system, such as the increase of boron concentration and pumping capacity, improve the capability to control reactivity also in severe accidents. The capacity increase is, however, still not adequate for ensuring the reactivity control in a situation, where the reactor core cooling begins to work again after the control rods have melted and the boron pumped into the pressure vessel escapes because of leaks or an error in adjustment of the surface level. It can be assumed that leaks underneath the core are produced mostly during the maintenance of the main circulation pumps. TVO has reduced the core damage risk arising from the aforementioned issues by modifying work related instructions and the Technical Specifications. The risk arising from the adjustment error of surface level can, on the other hand, be reduced by ensuring the measuring of the surface level. TVO is participating in a project, whose objective is to develop a surface level measuring system that is parallel to the current system but based on different principles. After the implemented and designed modifications the reactivity control can be considered adequate also for the part of severe accidents.

Decay heat removal

The decay heat removal at the Olkiluoto plant has been designed so, that the decay heat released in accident conditions moves as water steam from the primary circuit through the pressure relief system to the wet well of the containment, which can, in an early stage, store alone the decay heat released from the fuel. Sooner or later the heat must be removed from the containment with active equipment by circulating the containment water in the spray system, from where the heat is transferred through the heat exchangers to the intermediate cooling system and sea water system and then to the final heat sink, the sea.

A controlled decay heat removal in accident conditions requires, that the pressure of the primary circuit and the water level in the reactor can be controlled by the means of the measurements as well as by the feed water, emergency cooling water and pressure relief systems. These systems have been designed according to a principle, that it must be possible to carry out a safety function also in a situation, where any single device is inoperable and simultaneously any another device affecting safety is not in use due to repair or maintenance. This requirement has been fulfilled by implementing the process and measuring systems, in question, by four redundant sub-systems. Electrical power is supplied to each subsystem from four separate and independent diesel-backed alternating current buses. Subsystems are ordinarily situated in different rooms to hinder common cause failures. An exception is made by certain premises of the reactor building, where two parallel subsystems are situated in a same room contrary to the requirements set forth in the Guide YVL 1.0. The objective has been to locate the systems as far from each others as possible and separate them with distinct shields in such places, where ensuring the separation has been seen as necessary. In order to improve especially the fire safety, TVO has also considered the replacement of the sprinkler and fire alarming systems of the main transformer and in-house transformers.

Systems that take part in controlling the pressure and surface level of the primary circuit have been designed mainly by following the diversity principle, according to which crucial safety functions shall be ensured by systems, whose operating principles or technical solutions differ from each other. Water level measuring system, where all measurements are made with the same techniques, is an exception. TVO follows the research and development work—done in the field—whose objective is to create a functioning and reliable surface level measuring system that is based on an alternative technique.

Severe accidents were not taken into account in the original design basis for controlling the water inventory and the pressure of the primary circuit. Ensuring the pressure control in severe accidents is particularly important, in order to avoid the pressure vessel melt-through and the loads arising from it to the containment, when the pressure of the circuit is high. During the outage in 1998 TVO has made modifications, which ensure that the valves of the over pressure protection system stay open also in severe accidents.

The original design basis for the heat removal of the containment did not require the fulfilment of the diversity principle, and the Olkiluoto plant doesn't fulfil the aforementioned requirement at the moment. There are no such technical solutions in the immediate sight, that would make it possible to equip the Olkiluoto plant with decay heat removal systems that are separate from the current systems and that are based on a different functioning principle. Continuous research work is, however, being done in the field to develop new-fashioned active and passive systems.

Containment

The task of the containment is to prevent the dispersion of fission products, that may escape from the fuel during an accident, to the environment. The precondition for stopping the dispersion of fission products is that the containment can be isolated in an accident so, that it forms a gas and water tight boundary between the fuel and the environment, and that the containment maintains its leak-tightness during the entire accident.

The containments of the Olkiluoto plant are designed so, that in an accident the process penetrations going through the containment walls can be closed with isolation valves. There are usually two isolation valves: one outside and the other inside the containment. Certain penetrations, that are not connected to the primary circuit or directly to the inner space of the containment as well as instrumentation lines, where the possibility of a leak is, in addition to the isolation valve, also limited by transmitters that can endure the pressures and temperatures generated in severe accidents, are provided with one isolation valve.

Some of the outer isolation valves of the containment are motor-operated, and so they do not fulfil the requirement, set forth in Decision 395/1991, concerning the fail-safe principle as a consequence of the loss of operating power. Ordinarily isolation valves are, however, not motor-operated valves, and so the isolation system fulfils the requirement as a whole.

Loading mechanisms that may occur during severe accidents haven't been taken particularly into account in the original design of containments at the Olkiluoto plant units, but the containments are dimensioned based on pipe break accidents. Due to this there has been and still is, despite the performed plant modifications, some deficiencies in the design of containments at the Olkiluoto plant concerning the preparedness for severe accidents. These deficiencies have been handled already earlier in the section 4.5 in connection with the designed plant modifications.

The conclusion is, that after the designed modifications the Olkiluoto plant meets the provisions set forth in the Section 18 of Decision 395/1991 to the extent, that is justifiable taking into account the technical solutions, operating experience and safety research of the nuclear power plant as well as the advancement of science and technology.

4.7 Avoiding human errors

Special attention shall be paid to the avoidance, detection and repair of human errors. The possibility of human errors shall be taken into account both in the design of the nuclear power plant and in the planning of its operation so that the plant withstands well errors and deviations from planned operational actions. (Section 19 of Decision 395/1991)

It is not possible to avoid human errors completely. The possibility of errors can, however, be reduced by appropriate procedures, measures and training as well as by efficient quality assurance.

To acknowledge the possibility of human errors and to clarify their consequences TVO has conducted a probabilistic safety analysis (PSA) as a part of a larger examination concerning these matters. Latent maintenance and testing errors have been clarified in connection with the system analyses related to the PSA. In addition to the experts on human errors also experienced experts from operating and maintenance personnel have participated in assessing the possibility of errors. The identified error possibilities have been classified into groups according to their importance and the most important ones have been modelled to clarify the risks related to errors.

The reliability of operator actions conducted during accident conditions was assessed as a part of the analysis. The diagnostic errors that may be made in connection with accidents have also been assessed. Based on the results of the analyses concerning the human errors, few additions and modifications have been made on the emergency and operating procedures of the plant.

In order to avoid human errors, it is important that the operational events of the plant are carefully examined, and the procedures or the plant are developed, if necessary, to avoid similar errors. TVO has developed the utilisation of operating experience and conducts so-called root cause analyses from significant events.

Errors related to the maintenance actions have been examined and measures have been developed to avoid corresponding errors.

When the plant is started up after an outage, tests and inspections, which try to find possible errors, are conducted on systems that are important to the plant safety.

If necessary, the protection systems of the plant start the safety systems automatically so, that the operators have enough considering time for actions that are in accordance with the operating procedures.

The readiness for the training, that is needed to avoid human errors, is good at the Olkiluoto plant. A simulator, by the means of which operators are trained to cope with accident situations, is available.

The conclusion is, that the Olkiluoto plant and its use have been implemented according to the manner set forth in the Section 19 of Decision 395/1991.

4.8 Protection against external events and fires

The most important nuclear power plant safety functions shall remain operable in spite of any natural phenomena estimated possible on site or other events external to the plant. In addition, the combined effects of accident conditions induced by internal causes and simultaneous natural phenomena shall be taken into account to the extent estimated possible.

Structures, systems and components important to safety shall be designed and located, as well as protected by means of structural fire barriers and adequate fire fighting systems so that the likelihood of fires and explosions is small and their effect on plant safety insignificant. (Section 20 of Decision 395/1991)

Detailed requirements related to the Section 20 of Decision 395/1991 are presented in the Guides YVL 1.0, YVL 2.6, YVL 4.1, YVL 4.2 and YVL 4.3.

Natural phenomena and other transients caused by external events

Usual loadings such as snow and wind loads and temperature changes, that are applied in Finland and caused by natural phenomena were taken into account, when the structures of the Olkiluoto plant were designed. Unusual natural phenomena, from the standpoint of plant cooling systems and the cooling of other important spaces as well as the functioning of systems, were not studied especially when the plant was designed.

Risks that arise from natural phenomena such as storms, algae, fluctuation of the sea water level, warm air, warm sea water, formation of frazil ice and drifting of snow arising from snow storms have been examined later in connection with the probabilistic weather risk analysis conducted by the TVO. Risks have been reduced by improving e.g. the suction air system of the diesel generators and sea water cooling of the plant against severe weather conditions.

External missiles such as air plane crashes or other external events caused by man have not been taken into account in the plant design. Furthermore, the combined effects of external and internal events have not been taken into account in the design of the Olkiluoto plant in the manner required by the Guide YVL 1.0. These events have been examined later in connection with the probabilistic safety analysis.

The effects of earthquakes were assessed as insignificant, when the Olkiluoto plant was designed. The effects were not taken particularly into account during the design, but it was considered, that the safety coefficients included in the structures and devices were adequate for taking earthquakes into account. The risks arising from earthquakes have been examined later in connection with the probabilistic safety analysis conducted by the TVO. The analysis identified certain improvement needs such as the anchoring of direct current accumulator batteries and rectifier cabinets. After this the rectifier cabinets, some of the electronic cabinets and the cabinets next to them and the accumulator batteries of two parallel subsystems have been anchored on both plant units to prevent them from moving. These improvements reduce considerably the risks arising from earthquakes. The anchoring of accumulator batteries will be continued during the next years.

Preparedness for fires and fire protection

The possibility of fires and the risks of nuclear power plant accidents arising from fires have been taken into account in the functional and layout design of the Olkiluoto plant. The nuclear power plant does not, however, fulfill the requirements set forth in the Guide YVL 4.3 because of inadequate separation of systems, inadequate fire detection and alarm systems or inadequate structural fire endurance. The redundant subsystems A/C of the plant are generally separated appropriately from the subsystems B/D. Subsystems A and C and correspondingly B and D have also been separated from each others by using distance and local shields. In most fire situations this separation is adequate for protecting the operability of the other subsystem.

Fire safety has been improved in different areas of the fire protection at the Olkiluoto plant after commissioning. Although the loss of external electrical supply has been taken into account in the plant design, the plants were provided with e.g. a new start-up transformer, based on the experience gained from the fire of the electric supply unit in 1991, to improve the independency of plant's external grid connections. Furthermore, the main transformers, in-house transformers and start-up transformers are protected with a sprinkler extinguishing system, which reduces essentially the risks arising from transformer fires.

Fire detection and alarm system of the Olkiluoto plant does not comply fully with the requirement set forth in the item 2.3.1 of the Guide YVL 4.3, which demands that the system in question must be able to locate the fire at least with the accuracy of a fire compartment. TVO is beginning a renewal of fire detection and alarm systems on both plant units. The new fire detection and alarm systems, once completed, will comply with the aforementioned requirement.

The use of halons will be forbidden in Finland after the year 1999 with the exception of some special items. Due to this the halon extinguishing systems at the Olkiluoto plant will also be replaced with other extinguishing systems by the year 2000. The clarifications for obtaining the substitute extinguishing system is under way.

Fire risks have been assessed in a probabilistic safety analysis that concentrates on fire issues. Based on this the fire protection of cables, that are crucial to safety, have been improved at the entire plant. On the basis of the probabilistic safety analysis these improvements reduce the risks arising from fires considerably.

The conclusion is, that the Olkiluoto plant is protected from external events and fires in the manner set forth by the Section 20 of Decision 395/1991. The improvement needs relating to the protection level of the plant are still assessed in connection with the PSA and if necessary, measures, that increase safety, will be taken according to the Section 27.

4.9 Safety classification

The functions important to the safety of the systems, structures and components of a nuclear power plant shall be defined and the systems, structures and components classified according to their safety significance.

The systems, structures and components important to safety shall be designed, manufactured, installed and operated so that their quality level and the inspections and tests required to verify their quality level are adequate considering any item's safety significance. (Section 21 of Decision 395/1991)

Detailed requirements that relate to the Section 21 of Decision 395/1991 and that concern the safety classification are presented in the Guide YVL 2.1.

Safety classification is conducted to ensure that the systems, structures and components important to safety are designed, manufactured and installed so, that their quality level and the inspections and tests needed to verify the quality level are adequate considering the safety significance of any item. Safety class functions as a starting point, when the requirements set for the design, manufacturing, installing, quality control, testing, operation and quality assurance of a system, structure or component are defined.

Safety classification is used to determine inspection measures during the construction and operation of the plant. The correlation between the safety classification and inspection measures is presented in detail in different YVL Guides.

In the safety classification document, the systems, structures and components of the plant units shall be grouped into three safety classes 1, 2 and 3 as well as to the class EYT (not classified on a basis of nuclear safety). Safety class 1 includes the most crucial items from the standpoint of safety. The reactor pressure vessel and the primary circuit, for example, belong to the safety class 1 and the reactor containment, on the other hand, to the safety class 2.

The Safety Classification Document was updated in connection with the modernisation project of the Olkiluoto plant units. The new Safety Classification Document covers

  • safety classification of systems, structures and components
  • safety, quality and tightness classification of mechanical components
  • safety classification of electrical and instrumentation equipment
  • classification of the I&C equipment inside the containment for durability against environmental conditions.

The requirements presented in the Guide YVL 2.1, which came into force on the 1st of June 1992, and the plant modifications, that have been or will be conducted, were taken into account when the classification document was updated. Classification for the earthquakes has shortly been added to the classification document and will be applied, if necessary, in dimensioning completely new functions. In other plant modifications it shall be considered case by case, to which extent the seismic requirements are taken into account.

The conclusion is that the Olkiluoto plant meets the provisions set forth in the Section 21 of Decision 395/1991.

4.10 Monitoring and control of a nuclear power plant

A nuclear power plant's control rooms shall contain equipment which provide information about the plant's operational state and any deviations from normal operation as well as systems which monitor the state of the plant's safety systems during operation and their functioning during operational transients and accidents.

A nuclear power plant shall contain automatic systems that maintain the plant in a safe state during transients and accidents long enough to provide the operators a sufficient time to consider and implement the correct actions.

There shall be an emergency control post at a nuclear power plant which is independent of the control room and the necessary local control systems by the means of which the nuclear reactor can be shut down and cooled and residual heat from the nuclear reactor and spent fuel stored at the plant can be removed. (Section 22 of Decision 395/1991)

Olkiluoto plant units 1 and 2 have their own independent control rooms, where the necessary process information is available, and from where all necessary control measures can be conducted. The alarms covering also the spent fuel storage (KPA storage) are output to the control room of the Olkiluoto plant unit 1. The technical solutions of the main control rooms are based on the proven control room technology.

Measuring information is presented by the indicating measuring equipment installed in the steering desks and panels. Conventional and computer aided alarm systems are used to facilitate the management of main processes and other sub and auxiliary processes.

The alarms are indicated primarily by the alarm lamp panels. The parallel alarms received through the computer are seen on the monitor. In addition, the event and state data as well as deviations from warning/alarm limits are printed on the alarm printers.

A safety parameter display system (SPDS system), which improves the performance capability of the operating personnel in controlling transient and accident situations, has been taken into use at the Olkiluoto plant units.

A so-called half hour rule has been the design basis for the protection system at the Olkiluoto plant units 1 and 2. Important protection measures and safety systems start up automatically so, that no actions of operating personnel are needed during the first thirty minutes after the beginning of the operational transient or postulated accident. Operators have time for consideration before the control and other measures. Proper emergency and transient situation procedures as well as operator training reduce the possibility of human errors further.

Both Olkiluoto plant units have an emergency control post, from where the reactor can be tripped (scram) and main parameters of the reactor such as neutron flux, pressure, temperature and water level can be monitored. Cooling the reactor to a cold state and the removal of decay heat could be carried out after the shutdown by using local control rooms. The interim spent fuel storage has its own local control room for the monitoring of decay heat removal.

The requirement of an independent emergency control post emerged after the TVO plants were designed. TVO can also monitor the main parameters of the process from areas that are outside the control room and emergency control post. The reactor can be shutdown only from the control room or from the emergency control post.

TVO has studied the independence of the control room and the emergency control room in different accident situations such as fires and in different initiating events of common cause failures such as earthquakes, high temperature of air and sea water, a magnetic field caused by a mobile phone and losses of electrical power. The risk of a simultaneous loss of the control room and the relay room, which functions as an emergency control post, can be considered small.

In a long-term accident situation the main process parameters as well as crucial radiation measurements and weather information can be monitored from the space preserved for the emergency preparedness supporting group. The indicating instrumentation equipment (SAM system) that measure the state of the containment in a case of a severe accident have been placed in an easily accessible room.

The modernisation of systems, conducted in connection with the power uprating, facilitate the monitoring and operation of the plant. During the projects, functions that were earlier manual have been automated and displays of the control rooms as well as other means for collecting information have been improved. The modernisation of the neutron flux measuring system and reactor pressure control can be mentioned as examples from these modifications.

Thus far only a small part of the plant systems have been modernised. TVO plans to continue the modernisation of systems during the forthcoming operating period.

A new programmable technology was also taken into use, in connection with the conducted modernisation, in the reactor protection system (the aforementioned neutron flux measuring system) and in controlling the reactor pressure and feed water. The introduction of new technology sets new challenges both for personnel training and for the procedures applied at the plant during the operation and the modification design of the systems. The aforementioned matters can be considered as improvement issues during the forthcoming operating period.

The conclusion is, that the Olkiluoto plant meets the provisions set forth in the Section 22 of Decision 395/1991. The implementation of the emergency control room is assessed further in connection with the control room improvement project and, if necessary, measures that increase safety will be taken according to the Section 27 of Decision 395/1991. The development of the know-how related to the modification design and to the introduction of new technology can be considered as an improvement issue in the forthcoming operating period at the TVO.


5 OPERATION OF A NUCLEAR POWER PLANT

5.1 Technical specifications and plant procedures

Technical and administrative requirements and restrictions for ensuring the safe operation of a nuclear power plant shall be set forth in the plant's Technical Specifications.

Appropriate procedures shall exist for the operation, maintenance, in-service inspections and periodic tests as well as transient and accident conditions of a nuclear power plant. (Section 23 of Decision 395/1991)

The Technical Specifications determine the limits of process parameters, that effect the plant safety, for different operating modes, set the provisions for operating limits caused by component inoperabilities and set forth the requirements for the tests that are conducted regularly for components important to safety. Furthermore, the Technical Specifications include the bases for the set provisions.

The Technical Specifications have to be supplied to the Radiation and Nuclear Safety Authority (STUK), when the operating licence is applied, and the Technical Specifications have to be kept updated during the entire time of plant operation. STUK's approval has to be applied, if any modifications are to be made to the Specifications.

The administrative and technical procedures needed in operation of the Olkiluoto plant units 1 and 2 have been gathered into the Operating Manual. The Procedures have been inspected by STUK. The checking/updating of the procedures is a continuous task.

The Operating Manual contains necessary transient and emergency procedures for unusual conditions.

The Maintenance Manual includes the administrative and technical procedures needed in maintenance. The most important procedures have been inspected by STUK. The power company checks the procedures periodically, approximately in four-year-intervals.

Updating and comprehensiveness of the procedures are among the inspection issues included in the STUK's Periodical Inspection Program. Furthermore, other procedures that relate to the topic of inspection are reviewed in all inspections of the STUK's program.

The conclusion is, that the Technical Specifications and procedures meant in the Section 23 of Decision 395/1991 exist for the operation of the Olkiluoto plant.

5.2 Operation and maintenance

In all activities affecting the operation of a nuclear power plant and the availability of components, a systematic approach shall be applied for ensuring plant operators' continuous awareness of the state of the plant and its components.

The reliable operation of systems and components shall be ensured by adequate maintenance as well as by regular in-service inspections and periodic tests. (Section 24 of Decision 395/1991)

Plant operation

The measures that are followed in operation and maintenance of the Olkiluoto plant units 1 and 2 are based on written procedures and on Operating Orders and Operating Notices that are drawn up if necessary. The Operating Order is drawn up e.g. when the operating condition or power of the plant is modified or when measures are directed to the reactor or nuclear fuel. The Operating Notice, on the other hand, is drawn up on unusual procedures that will not be permanent.

The Work Request System ensures that the operators of the plant are aware of the plant unit's state. TVO has developed its Work Request System and will continue to do so on the basis of operational experience. In the main control room of the plant units, the operators follow, in addition to the Work Request System, the failures, repairs and preventive maintenance of the components specified in the Technical Specifications. The Shift Chief grants the permission to begin a single work, when he/she inspects the work plans that are in accordance with the Work Request System, by taking into account the operability requirements for the systems and components set forth in the Technical Specifications. The control room is informed from the operational conditions of systems and components as well as from the room conditions and their possible deviations. The proper response to deviations is specified in the operating and transient procedures.

In connection with the Periodical Inspection Programme STUK follows the implementation of the Work Request System and controls that the Technical Specifications are followed e.g. on the basis of reports supplied to it and inspections conducted on site. STUK's resident inspector follows the operation and maintenance of the plant units regularly.

Before the plant start-up after an annual maintenance outage or after a repair outage, the valves, pumps and other process, electric and instrument equipment of the safety-significant systems, as well as their operability, are inspected. Furthermore, necessary tests, by the means of which the proper functioning of systems and components is finally ensured, are conducted before and during the plant start up.

Maintenance

The requirements concerning the maintenance are clarified in the Guide YVL 1.8.

The maintenance of the Olkiluoto plant units 1 and 2 covers, in addition to the preventive and corrective maintenance, the design and execution of modifications, spare part service, outage actions and the related quality control.

The maintenance organisation plans and builds up the annual maintenance outages together with the operation organisation and technical support organisation. Special attention has been paid to the reliable work of the subcontractors and to the technical competence of the external work force. The technical expertise of testing laboratories and contractors is controlled both by the power company and STUK.

TVO has available a computer-aided preventive maintenance programme, which includes all systems and components that are essential for the safety and operability. The program includes the normal preventive maintenance measures that are in accordance with the Work Request System such as calibrations of measuring systems, frequency measurements of rotating components, checks of oil levels, lubrications and greasing. The comprehensiveness of the program is assessed on the basis of observations made in connection with operational experience and preventive maintenance.

In addition to the measures listed in the preventive maintenance program, systems, components and rooms are controlled in connection with the normal operation and daily tour routes. Some of the most important components such as the main circulation pumps and the turbine are provided with on-line monitoring equipment.

The operability of systems and components is ensured by regularly conducted tests. The systems and the components that will be tested as well as the test dates are presented in the Technical Specifications. Periodical testings, that correspond at least to the aforementioned, are required after maintenance measures that require modifications, repairing or disassembling. STUK's approval is required in advance for a functional test programme that is conducted after a significant modification.

Inspections that concern the operability and condition of components are also conducted, if necessary, on the basis operational experience received from elsewhere and development of technical knowledge. The most significant sources of experience, in this sense, have been the Swedish BWR plants and international communication organs.

As far as the spare part service is concerned, it has been made sure that completely assembled components, that can be easily used to replace the failed component, exist for as many safety-significant systems as possible.

STUK controls the condition monitoring and maintenance as well as the modification and repair work by regularly repeated inspections. The inspections endeavour to ensure that the power company has adequate resources such as a competent personnel, instructions, a spare part and material storage as well as the tools for adequately efficient implementation of condition monitoring and maintenance actions. Special items are the condition monitoring programmes of the carbon steel pipelines and their results.

In-service inspections

The condition of pressure retaining components of the Olkiluoto plant units 1 and 2 is assured through regular in-service inspections. Periodically repeated inspections are performed during the outages to the safety-significant components by non-destructive testing methods according to the Guide YVL 3.8. Results of in-service inspections are compared with the results of earlier inspections and with the results of pre-service inspections conducted before the commissioning.

In-service inspection programs are supplied to STUK for approval before each inspection period. The programs and related inspection procedures are changed when necessary, taking into account the development of requirements and standards in the area, the development of inspection techniques as well as inspection experience and operational experience from nuclear power plants in Finland and elsewhere.

The objective has been to choose areas where initiation of defects is most likely as inspection items. Such ones are the items that are susceptible to thermal fatigue and stress corrosion.

The length of an inspection period is usually ten years. The inspection periods for items susceptible to stress corrosion are five or three years and for items susceptible to thermal fatigue, respectively, three years.

Guide YVL 3.8 and the latest editions of the standard ASME Code, Section XI are used as the acceptance criteria of in-service inspection programs, procedures and results.

The Common Position Report published by the Task Force for Nuclear Safety Regulators calls for the validation of the entire NDT-system; equipment, software, procedures and personnel. Improvements of the validation are at an early stage and the plans concerning it are very general in nature. STUK follows the development and implementation of the plans closely. The implementation of the validation system is a significant improvement issue.

In addition to the aforementioned inspections, physical inspections that concern the condition and reliability of pressure vessels are performed at regular intervals according to the Finnish Pressure Vessel Legislation. These inspections are the full inspection, internal inspection and operational inspection and they include non-destructive testing as well as pressure and tightness tests. Inspections concerning pipelines have been defined in the system related condition monitoring programmes. These in-service inspections are handled in the Guides YVL 3.0, YVL 3.3, YVL 5.3, YVL 5.4 and YVL 5.7.

Life-time management of the plant units

The management of ageing at the Olkiluoto plant is based on predictions made by an expert group composed of experts from the areas of mechanical, electrical, instrumentation, civil, maintenance and safety engineering. By utilising the operational and maintenance experience and research results related to the ageing phenomena, the objective is to identify in an early stage those areas of the plant, that limit the operating life and require significant modification, repair and inspection work or special condition monitoring.

The predictions for necessary measures are drawn up from the estimates supplied by the experts responsible for systems, techniques and components as well as by other expert groups, and these predictions are updated annually. The unit responsible for operation takes the predictions into account when it designs the annual maintenance and assesses the comprehensiveness of preventive maintenance programs.

The updating of predictions, conducted in connection with the power uprating, was directed to e.g. components of the reactor pressure vessel and its internals susceptible to stress corrosion, valves and pipelines of the reactor plant, sea water canals as well as the containment and its cables.

The conclusion is that the Olkiluoto plant meets the provisions set forth in the Section 24 of Decision 395/1991.

5.3 Personnel

Nuclear power plant personnel shall be well suited for its duties, competent and well trained. Initial, complementary and refresher training programmes shall be established for the personnel.

For ensuring safety in all situations, competent personnel shall be available in a sufficient number. (Section 25 of Decision 395/1991)

Detailed requirements that were set for the personnel training related to the Section 25 of Decision 395/1991 are presented in the Guide YVL 1.7. The procedure related to the licensing of operators is presented in the Guide YVL 1.6.

TVO is headed by the Managing Director with the assistance of the Board of Directors. In addition to the Managing Director, the Production Director (director responsible for nuclear safety in accordance with the Nuclear Energy Law), Technical Director, Director of Economy and the Director responsible for Society Affairs are members of the Board of Directors. The activities of the company are divided into areas of responsibility, that belong to the aforementioned directors. Furthermore, fuel maintenance, public information and personnel administration operate directly under Managing Director's subordination. Production Director is responsible for the production (operation, production services, maintenance planning, reactor surveillance, technical surveillance, modification planning, material management and special assignments) and Technical Director's area of responsibility is technology (power plant technology, development, training, nuclear waste management, safety and quality assurance). Furthermore, TVO has a Safety Group that is composed of experts from different technical areas. The tasks, responsibilities and duties of units are clarified in the TVO Administrative Rules and in the Organisational Manual. The Administrative Rules have been approved by STUK as a part of the Technical Specifications.

The minimum crew required for the main control room and the plant area has been presented in the Administrative Rules of the Olkiluoto plant. According to the duty system of the plant a person of the Shift Chief level has to be reachable for the control room personnel at all times, for a case of possible special situations at the plant.

The principles and organisation of TVO's training activities as well as detailed training procedures are presented in the Training Manual, by the means of which a systematic implementation of the training is ensured. The training in the company has been organised so, that in addition to the existing eleven persons in the Training Centre there are training contact persons in each organisation unit and several committees, that survey and handle the training needs of e.g. operation and maintenance as well as of the entire company and monitor training results. An organisation model like this makes it possible to take unit and individual related training needs into account in an efficient manner. The Training Manual presents vacancy related competence requirements that have been defined for the personnel. The competence requirements are based on the tasks, areas of responsibility relating to the vacancies in question, and the related regulations of the regulatory authority. Person's basic education and the basic and refresher training given by the TVO are defined in the qualification requirements.

A training simulator, which is used for giving operating training to new operator candidates for approximately 50 days as a part of the basic education, is available for the training of plant operators. In addition to the simulator training the basic training program of operators includes class-room and on-the-job training at the plant and in the main control room. The basic training takes approximately 18 months, after which the operator is allowed to work as a turbine operator. After working as a turbine operator and gaining more experience, the turbine operator is given more individual training by e.g. the simulator for the duties of a reactor operator. In the end of the training period a written and oral examination as well as a demonstration of operating skills by the simulator are required from operators, before a person is allowed to start working as an operator or as a Shift Chief in the main control room of the nuclear power plant.

A refresher training program, which is conducted in a three year period, is available for the plant operators. The program includes the subjects that shall be repeated annually. Furthermore, the refresher training of operators includes annually two weeks of operating training, given by the simulator, which includes a considerable amount of transient situation training in addition to the normal operating conditions (e.g. start-ups and shutdowns). The plant operators receive approximately three weeks of refresher training annually.

Persons, such as the responsible director and his deputies, Shift Chiefs and operators of the plant, persons taking care of physical protection and emergency preparedness and nuclear material control, that belong to the plant's operating personnel and handle certain key tasks, need STUK's acceptance for their tasks. The acceptance of plant operators is valid for three years at a time. The renewal of the acceptance requires e.g. that the person in question has worked continuously in the control room, has taken part in the refresher training program and in demonstration of shift work skill as well as an oral examination.

STUK also approves the persons, who control the operation of the plant pressure vessels. Repairs of pressure bearing structures and inspections of mechanical components and structures may also be conducted only by companies approved by STUK or persons working for them.

One inspection topic in STUK's periodical inspection program is personnel training. In the inspections concerning training in 1996 and 1997, special attention was paid to the implementation of education needs caused by the modernisation of the Olkiluoto plant and personnel reviews relating to the renewal of the operating licence on the basis of e.g. IAEA's guidelines concerning periodical safety reviews. Inspections have stated that one objective of the plant modernisation project is to improve personnel competence. A comprehensive supplementary training program on the new systems of the plant and their use was organised for the operating personnel. The participation in the program has been found sufficient among personnel. In addition to the consideration of modifications made at the plant, the modernisation program also includes the renewals of the training simulator computer and certain calculation models. It has been assessed that the simulator modifications will be ready, by the time that the training program begins in the fall of 1998.

In addition to the operating organisation, an emergency preparedness organisation has been defined for the plant to prepare for accident situations. The emergency preparedness organisation has been described in the Emergency Plan and its operation is exercised annually in emergency drills. To design and maintain security arrangements, a security organisation has been defined for the plant in the Security Plan.

In addition to maintaining the plant in operation, TVO is also responsible for the overall design of nuclear safety. According to STUK's position TVO does not have an adequate amount of trained personnel to handle comprehensive and/or multi-area safety issues of principle or to design technical solutions affecting nuclear safety.

The conclusion is, that the training and competence of the Olkiluoto plant personnel meets the provisions set forth in the Section 25 of Decision 395/1991 as far as the operation and maintenance of the plant are concerned. The improvement of readiness, for the part of plant design as well as for the part of steering and controlling design activities, conducted by external organisations, is a significant improvement issue of the future.

5.4 Monitoring releases of radioactive materials

Releases of radioactive materials from a nuclear power plant and their concentrations in the environment shall be effectively monitored. (Section 26 of Decision 395/1991)

Detailed requirements relating to the Section 26 of Decision 395/1991 are presented in the Guides YVL 7.6 and YVL 7.7.

The Olkiluoto plant is provided with technical systems, by the means of which most of the radioactive materials released into and being in the process systems are collected and stored. Only a small portion of the radioactive materials is released into the environment.

Radioactive materials may be released from the plant either as gas effluents through the ventilation stack to the atmosphere or as water releases to the sea water canal and further to the sea environment. The releases of radioactive materials to the atmosphere or to the sea environment are controlled at the Olkiluoto plant along all release routes by continuous radiometers, by sampling and by determining radioactivity of nuclides in the laboratories.

STUK has approved the procedures concerning the use of radiation measurements and laboratory assays, and monitors activities regularly.

A comprehensive monitoring program of radioactivity in the environment, that is approved by STUK, is being conducted in the environment of the Olkiluoto plant. According to this program the possible dispersion of radioactive materials is being monitored continuously by analysing the contents of nuclides, that show the dispersion of releases, in the food and other foodstuff produced in the plant vicinity.

The control program includes approximately 500 samples annually. Samples include e.g. milk, meat, fish, grain and vegetables as well as water and aerosols of the air. Furthermore, the samples are taken from such indicator organisms, that very efficiently accumulate radioactive materials to themselves from their habitat. The nuclides that are the most significant from the standpoint of human exposure are analysed from the samples: gamma emitters, like 60Co, 131I and 137Cs, beta emitters 3H and 90Sr and alpha emitters 238Pu, 239Pu and 240Pu.

In the past few years the releases of the Olkiluoto plant, from the standpoint of radiation exposure, have been clearly less than one hundredth part of the annual release limits. Inert gases have prevailed among releases to the air and tritium among releases to the water. Released nuclides detected in the environment have been activated corrosion products (for instance 60Co) and some other activation products and tritium. Detections from terrestrial samples have been rare, and they have been detected mainly from high-power air samplers during annual maintenance outage. The amounts of radioactive materials coming from the power plant and detected from indicator samples of aquatic environment are regularly very small. The main portion of the activity in the environmental samples of the nuclear power plants still originate from the fall-out caused by the Chernobyl accident.

An automatic off-site radiation monitoring station, whose function is to give a fast signal if unusual conditions occur and radiation levels change in the environment, has been installed in the Olkiluoto plant vicinity in the beginning of the 1990's. The measuring instrumentation of the meteorological tower near the plant has been renewed in the 1990's.

The conclusion is, that the releases of radioactive materials are controlled at the Olkiluoto plant according to the manner set forth in the Section 26 of Decision 395/1991.

5.5 Operating experience and safety research

Operating experience from nuclear power plants as well as results of safety research shall be systematically followed and assessed.

For further safety enhancement, actions shall be taken which can be regarded as justified considering operating experience and the results of safety research as well as the advancement of science and technology. (Section 27 of Decision 395/1991)

Detailed requirements for fulfilling the requirements set forth by the Section 27 of Decision 395/1991 are presented in the Guide YVL 1.11. The requirements of the Guide concern both the actions concerning the operating experience of the power companies and the control conducted by STUK. The requirements that concern reporting to the regulatory body are presented in the Guide YVL 1.5.

Actions concerning the operating experience

The general objective of the operating experience action is to create and maintain the measures, by the means of which lessons are learned from gained experiences. TVO's operating experience action covers the follow-up and systematic utilisation of experience gained from both its own and other plants.

At the TVO the tasks related to the operating experience action have been decentralised whereas the overall responsibility belongs to the Safety Section. For the co-ordination and handling of practical activities, an Operating Experience Group (KÄKRY) has been formed under the Safety Section from experts that come from different fields of technology. Its task is to sift and to supply event reports, that it has received from different sources, for analysis, and to follow the progress of the handling and the implementation of corrective measures.

KÄKRY's information sources concerning the Olkiluoto plant are e.g. control room diaries, failure reports, regular meetings related to the operation and outages of the plant units and other reports concerning deficiencies and deviations. For the other plants, the most important data bank is a joint Nordic operating experience group ERFATOM, which sifts, analyses and supplies the operating experience it has gathered for its members. Other external data banks are the VKK (the operating experience group of Finnish power companies), WANO (World Association of Nuclear Operators), INPO (Institute of Nuclear Power Operations), IAEA (International Atomic Energy Agency), OECD/NEA (Nuclear Energy Agency) and KSU (Kärnkraftsäkerhet och Utbildning AB). WANO, INPO and KSU are organisations formed by the power companies. IAEA and OECD/NEA maintain corresponding connections mainly between the regulatory bodies.

The decision making that concerns the operating experience action takes place in the plant meeting and in the Safety Group, which also supervises actions of KÄKRY and the execution of corrective actions.

Responsibilities related to the operating experience action are described in the Administrative Rules, Quality Assurance Manual for Operation and in the Organisation Manual. The Organisation Manual also describes operating experience tasks that belong to other organisational units. The control and review of the entire operating experience action are included in the Quality Assurance Program of the plant.

The depth by the means of which TVO's own operational events are handled, depends on the character of the event and on the severeness of the consequences. The main principle is, that all failures and deficiencies are identified and corrected by clarifying their reasons. A separate root cause analysis is conducted for complex events, which have a special significance for the plant safety, or in which considerable deficiencies have been noted in the functioning of the organisation, and which haven't already been adequately analysed in separate reports or memorandums. The number of conducted root cause analyses is relatively small. It can, however, be estimated that significant operational events, particularly from the standpoint of technology, are analysed in an adequate depth. In addition to the clarification of technical failures also organisational and human factors have to be taken into account. Furthermore, more attention has to be paid in the future to the review of events that don't have severe consequences and to the recurrence of events. Some measures have been taken by TVO to execute improvement needs. Such measures include the development of event data base, the analyses of events with the root cause method developed by the International Atomic Energy Agency (IAEA), ASSET and an independent review of the operating experience action, that will be conducted by the IAEA in 1998.

STUK's review is that the operating experience action at the TVO fulfills the requirements set for it. The gained operating experience shows that the number of significant operating events has remained small inspite of plant ageing, and that no repetition of events, that are significant to safety and that would indicate from a deficiency in corrective measures, has been observed. An exception from the aforementioned is formed by the unplanned scrams, for the part of which TVO has taken measures to turn the current course of developement.

Research activities

TVO follows the research activities that take place in the field by taking part in the steering and supporting group activities of national projects that concern e.g. reactor safety, structural safety of nuclear power plants and programmable automation systems. TVO is engaged in international co-operation particularly with the Swedish power companies and ABB Atom. Furthermore, TVO is a member of the co-operation group formed by the owners and the users of the boiling water reactors (BWR Owners' Group) and participates in the plant development projects managed by the boiling water reactor suppliers.

The follow-up and review of research activities has been decentralised in TVO so, that each organisation unit follows and assesses the research and development of its own field. TVO's own research work often consists of application of research results to practice. TVO's own research work has been most comprehensive in the area of nuclear waste management.

STUK's review is that research work conducted by TVO meets the provisions set for it.

Safety upgrading

TVO has continuously upgraded its nuclear power plant units on the basis of knowledge and experience gained from operating experience and safety research. The development projects have often been started after transients, whose initiating event or course has deviated from the expected one, and that have taken place either at the Olkiluoto plant or other plants. Some modifications have also been made to ensure a reliable functioning of safety systems. Examples from such projects include:

  • Improvement of suction grids of the emergency cooling systems at the bottom of the containment, providing grids with the rinsing system and replacement of mineral wool insulation with so-called mirror insulation. The modifications were executed in the summer of 1992 after the incident at the Barsebäck 2 unit, where parts of mineral wool insulation came out of its place, transferred to the water pools of the containment and blocked some of the suction grids in operation.
  • Installation of automatically opening dampers to the suction air system of emergency diesel generators during the 1996 maintenance outage to ensure that the combustion air can be taken, when necessary, from the room space. The modification was executed after an incident, where the suction air line was blocked during testing in the snow storm.

In assessing the plant modification needs, TVO has utilised a PSA-model that was made from the plant and that has been used, when the overall plant specific risk significance of different accident conditions and the possible deficiencies in their management to the plant safety have been compared. For the execution of plant modifications, the intention has been to find items, whose significance to the core damage probability is the biggest.

According to STUK's review TVO has carried out and is currently carrying out several plant modifications and other measures that enhance the plant safety according to the Section 27 of Decision 395/1991. TVO has used risk reviews to help to identify the interdependencies between systems, whose consideration in the design and execution of plant modifications has enhanced the plant safety. The use of risk estimates as a counter argument against plant modifications is not, however, acceptable, when clearly identified deficiencies in the plant operation can be eliminated by improvements.

The conclusion is that the Olkiluoto plant meets the provisions set forth in the Section 27 of Decision 395/1991.

5.6 Nuclear power plants in operation

For the part of such a nuclear power plant for which an operating licence was issued before the entry into force of this decision (an operating nuclear power plant) the limit for the dose referred to in Section 11 is 100 mSv, unless the application of the provisions contained in Section 11, as such, is justified, considering the provisions of Section 27, second Section.

The provisions of Sections 12, 17 and 18 of this decision are applied to an operating nuclear power plant to the extent justified based on the provisions of Section 27, second Section, and taking into account the technical solutions of the nuclear power plant in question. (Section 28 of Decision 395/1991)

Deviations to the provisions of Sections 11, 12, 17 and 18 are determined in the Section 28. The compliance with the provisions in question is assessed in items 3.5 and 3.6 as well as in items 4.5 and 4.6.

Share this page