February 16, 2018

Nuclear Disasters and Systems Thinking: Part 2/3: Chernobyl, Ukraine

On April 27, 1986, nuclear engineer Cliff Robinson was walking down the hallway to his office at the Forsmark Nuclear Power Station, a triple BWR plant near Uppsala, Sweden. One of the many radiation detectors went off just as he passed it in the hall. Startled, he stopped and scanned the bottom of his boot with a hand-held scanner. The counter went wild.


He thought either World War III had begun or something was amiss in the reactor. The whole reactor staff searched to find the source of the radiation, but they found nothing. The radiation was only on Robinson’s shoes; it was not coming from the reactor itself. By 12:00 UTC, they determined that the source was a nuclear reactor somewhere in western Russia. They asked their colleagues in Finland...


Through their bilateral trade agreement, Finland had purchased a nuclear power plant from the Soviet Union. It was a pair of PWR-type reactors. Upon receiving the new power plant, the Finns were distressed by the poor design of the process-monitoring and control equipment in the plant. So, they redesigned them with help from the Western World. They realized that if all Soviet reactors were built this way, eventually there would be a problem. They built a sophisticated radiation-indicator net covering the entire country.


Finland knew where the radiation cloud was coming from, and they confirmed it. The world was now aware of what had happened in Chernobyl.


Just a couple of days earlier, life was normal in Chernobyl, a small 1,000-year-old town in Ukraine. The town played host to a nuclear plant, built in the 1970s. It was neither a BWR nor a PWR type of plant, but an RBMK type of plant. The RBMK was what was called a graphite-moderated power generator.


It was designed in the 1950s and used by the Americans as a test reactor; they decided that there were some serious flaws in its design and abandoned its use.


One of the biggest design flaws was the size of the reactor core. It was big. There was no practical way to construct a sealed containment building over this tall machine – like the shield at Three Mile Island.


Another design flaw was in the “scram”, aka emergency shutdown, system. Western reactors use a “scram” system to shut the reactor down as quickly as possible by inserting large amounts of negative-reactivity mass, for example control rods, into the midst of the fissile material. It takes about 3 seconds to complete the scram on a GE BWR power reactor. In the equivalent Soviet system, this procedure takes about 20 seconds. A lot can happen in 20 seconds.


This power plant was built in the 1970s, and this design was selected over a much safer PWR equivalent design because it was cheaper to build. PWR reactors were also marginally less powerful, so the decision was made.


A safety test-run was scheduled to take place on April 26, 1986 for Unit 4. The test would involve inserting all 211 control rods part-way, creating a power level low enough to resemble a blackout while continuing to cool the reactor to compensate for fission products. The procedure involved testing the hardware.


Because the deliberately low power levels that the test required would cause the reactor’s safety systems, including the backup diesel generators and Emergency Core Cooling System (ECCS), to automatically shut down the reactor, these systems were disabled.


At 00:28, while reducing the power to levels low enough to begin, the senior reactor-control engineer made a mistake, causing the control rods to descend far more than intended. He had been in his current position for only a few months, during which the reactor power had never been reduced.


This caused a massive drop in power, more than intended. However, the chief engineer decided to continue with the test, as he did not want his reputation tarnished. He ordered the engineers to bring the reactor back to power even though his two subordinates challenged his decision. He threatened that if they were not willing to do what he wanted them to do, he would find someone who would.


By 1:00, the engineers had succeeded in increasing the power to 200 megawatts, but nowhere near the intended 700 megawatts. The reactor had become unstable, because the Russian safety regulations dictated that an RBMK reactor be kept at a minimum power of 700 megawatts for normal operation.


The operators overrode additional automatic systems and manually raised still more control rods to increase the fuel’s reactivity, hoping to get more power. At the same time, they connected all 8 remaining circulating pumps and increased the flow of coolant into the core – way above the safety regulations.


Increased coolant levels meant less steam, which soon caused the turbine speeds to drop. To counteract negative reactivity from all the extra coolant water, the operators withdrew most of the few control rods still inside the reactor, until only 8 remained. The normal absolute minimum allowed at the time was 15 (which has been raised to 30 since then).


The automatic safety systems under normal conditions would have shut down the reactor many times by now, but remember that they were disabled.


At 1:22:30, the operators noticed the computer readings demanded that the reactor be shut down. They were calm but concerned; however, the chief engineer, under pressure to get the test completed, ordered them to continue. Of course, the computer would demand a shutdown. That was the reason why they disabled the automatic safety systems in the first place. So, the test began.


At 1:23:04, turbine 8 was disconnected and began to coast down – meaning it continued to generate power at a reduced rate. At this point, the operators discussed that their work was done and they could start to shut down.


Within seconds of the turbine shutting down, the pumps were filled with steam and instead of pumping coolant water into the reactor, they started to push steam into it. In simple terms, more steam = less water = more power = more heat = more steam.


The reactor was in a dangerous, unstable state, and one of the operators, job or no job on the line, decided to shout out a warning to the other operator.


At 1:23:40 on April 26, 1986, the 32-year-old operator made his fateful decision and announced that he was initiating a scram, causing all remaining rods to begin their slow descent into the core. Within seconds after that, the rods stopped moving.


Then the operator tried to release the clutches and help the rods move into place using their own weight. However, a flaw in the design of the reactor caused the rods to jam.


Within 4 seconds, the reactor’s energy output had soared to several times its intended capacity.


At precisely 1:23:58, a mere 18 seconds after the scram was initiated, steam pressure overwhelmed Chernobyl’s incapacitated fourth reactor. A steam explosion blew the 450-ton upper biological shield clear off the reactor before it crashed back down, coming to rest at a steep angle in the raging maw it left behind. The core was exposed.


A split second later, steam and rushing air reacted with the fuel’s ruined zirconium cladding to create a volatile mixture of hydrogen and oxygen, which triggered a second, far more powerful explosion. Fifty tons of vaporized nuclear fuel was thrown into the atmosphere, destined to be carried away in a poisonous cloud that would spread across most of Europe. This mighty explosion ejected a further 700 tons of radioactive material.


The rest is history. It is considered one of the worst, if not the worst, nuclear disasters in history.


There is no doubt that the flaws in the design of the reactor as well as human error played a role in the making of the disaster; however, as we are about to see, they were all affected by the system. Let’s take a closer look at them:


First of all, the concerns over the design of the reactor were not unknown. On October 16th, 1981, a report was submitted to the KGB highlighting several concerns over the design and the quality of the construction at Chernobyl. It stated that there had been 29 emergency shutdowns during the plant’s first 4 years of operation. The report also concluded that the control equipment did not meet the requirements of reliability. The report was forwarded to the higher powers, yet nothing was done.


None of the men in the control room and nobody in the entire power plant had a clear understanding of the nuclear side of the power plant. They were experts in turbines, wiring and mechanical engineering specialties, but had no training or experience in graphite reactor dynamics. The chief engineer was the one who had an inkling of nuclear experience. He had worked briefly on the very small experimental naval reactors.


The testing of this run-down unit was actually a standard feature of the RBMK design and should have been made operational during the reactor’s commissioning three years earlier. Yet, the tests were signed off during the commissioning with the unwritten promise of completing them later. Completing the work and getting the reactor online ahead of schedule meant significant bonuses and awards for everybody involved.


The safety test-run was originally scheduled to run on April 25, 1986 for Unit 4. The test did not go through on that day because Kiev’s national grid controller asked them to delay it until after the evening peak electricity consumption period had ended.


The afternoon staff had been briefed on the test and knew exactly what to do, but their shift ended and they had to go home. Evening staff took over, but then they had to leave too, which left the task of running the test to the night crew. The night crew had never conducted such a test before; they were not prepared for it and had not anticipated running this test.


To make matters worse, Unit 4 was at the end of a fuel cycle; around 75% of the fuel was nearing the end of its lifecycle and was due for a refuel. This meant that due to its design, there was old fuel in the reactor that was running hot. Any interruption in the flow of the cooling water could quickly damage the older fuel channels and generate heat faster than the reactor was designed to cope with.


Even though the chief engineer saw the signs of the reactor becoming unstable, he still decided to push on with the test. This test had already been conducted three times before on Unit 3 – in 1982, 1984 and 1985 – and all had failed. The Soviet System would have punished failure severely and he certainly did not want that on his record. Would this have caused him to push on with the test instead of taking the safe route?


It is very easy to pin this down to human error and Soviet engineering mistakes and blame the individuals instead of looking at the system and how it caused all these flaws and human errors in the decision making.


It is easy to do all that, except the next disaster would involve American engineering, making all the arguments about the Soviet design flaws pointless. It proved that it is always the system.


Events started tumbling toward disaster at 2:46 on a Friday afternoon, off the northeast coast of Japan…


Recommended Reading List:

  • Atomic Accidents, by James Mahaffey
  • Chernobyl: 01:23:40, by Andrew Leatherbarrow