Thirty-five years ago, radiation alarms went off at the Forsmark nuclear power plant in Sweden. After an investigation, it was determined that the radiation did not come from inside the plant, but from somewhere else. Based on the prevailing winds at that time, it was ultimately determined that the radiation came from inside Soviet territory. After some political wrangling, the Soviet government ultimately admitted that the Chernobyl nuclear plant was the source, due to an accident that had taken place there.
Following the disaster, the causes have been investigated in depth so that we now have a fairly good idea of what went wrong. Perhaps the most important lesson taught by the Chernobyl nuclear plant disaster is that it wasn’t about one nuclear reactor design, one control room crew, or one totalitarian regime, but rather the chain of events which enabled the disaster of this scale.
To illustrate this, the remaining RBMK-style reactors — including three at the Chernobyl plant — have operated without noticeable issues since 1986, with nine of these reactors still active today. During the international investigation of the Chernobyl plant disaster, the INSAG reports repeatedly referred to the lack of a ‘safety culture’.
Looking at the circumstances which led to the development and subsequent unsafe usage of the Chernobyl #4 reactor can teach us a lot about disaster prevention. It’s a story of the essential role that a safety culture plays in industries where the cost of accidents is measured in human life.
Anatomy of a Disaster
Two years before the Chernobyl disaster, on the night of December 3rd, 1984, over two thousand people in the city of Bhopal died when a lethal cloud of methyl isocyanate (MIC) was accidentally released by the nearby Union Carbide India Ltd chemical plant. In the following years over a thousand more would die, and over half a million people were injured. To this day the chemical pollution from the plant has rendered the soil and ground water around the now abandoned site a hazard to human life, even as people continue to live in the area.
The Bhopal disaster was the culmination of a lack of maintenance, defective safety equipment, and the absence of a safety culture. Together these allowed water to get past defective valves into a tank of MIC, triggering a runaway exothermic reaction that vented the lethal gas. As the US owners of the plant (today The Dow Chemical Company) failed to clean up the site when the plant closed in 1986, this task is now left to local governments.
The 1986 Chernobyl disaster shows many similarities, in particular the lack of a safety culture. This began with the design of the RBMK (reaktor bolshoy moshchnosti kanalnyy, or “high-power channel-type reactor”), where only lightly enriched uranium (around 2% 235U) was chosen to keep the cost of enrichment down. This meant a physically larger, graphite-moderated reactor, which led to the decision to skip the containment vessel that competing designs (e.g. the VVER) did include, as it would have been too large and too expensive.
Although the RBMK design does feature many safeties, including a split main cooling loop, an emergency core cooling system (ECCS), and a SCRAM emergency shutdown system, there are no provisions that keep operators from disabling these safeties at will. Thus, what should have been a simple emergency power test (using the inertial momentum of the coasting turbine generator to keep the main circulation pumps running during a loss of external power) ended in disaster.
Playing Games with Reactor Reactivity
In every reactor, whether it uses plain H2O or some other coolant, the key parameter that determines whether the core is running nominally, below, or above its operating point is reactivity: the balance between neutrons produced by fission and neutrons lost to absorption or leakage. At exactly critical the chain reaction sustains itself at constant power; positive reactivity makes power rise and negative reactivity makes it fall. What counts is not just the number of neutrons present, but how many have the right velocity (neutron temperature) for the fission cross section of the fuel.
In the case of uranium-235, slow “thermal” neutrons are needed, yet fission itself releases fast neutrons. These are slowed down to thermal energies by a neutron moderator, which raises reactivity. Working against this are neutron absorbers, which include the water itself as well as the control rods, often made of boron carbide.
Most LWR designs use light water for both moderating and capturing neutrons. If reactivity, and with it power, increases, the water boils faster and creates more steam. Steam is a far worse moderator than liquid water, so fewer fast neutrons get slowed to thermal energies, reactivity falls, and the power excursion damps itself out: a negative feedback loop. This is, in essence, a negative void coefficient.
The RBMK, as an early Generation II design, on the other hand has a lot in common with the prototypical Generation I graphite pile reactors, including the use of graphite as neutron moderator. While this is what allowed such lightly enriched fuel, it also meant that the RBMK ran with a positive void coefficient: as the water in the fuel channels boiled and created voids, neutron capture decreased while the moderating effect of the graphite remained unaffected. More steam meant more reactivity, hence more power and more steam: a potentially run-away reaction.
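To make the sign difference described in the two preceding paragraphs concrete, here is a toy feedback model. It is added here as an illustration and is not code from the original article or from any reactor simulator; the coupling constants (K_ABS, K_MOD, VOID_GAIN) and the response time scale TAU are assumed values chosen only so that the sign of the void coefficient is the one thing that differs between the two cases. Boiling water away always removes an absorber; in a light-water reactor it also removes the moderator, and that loss dominates, whereas in a graphite-moderated core only the absorber-loss term remains.

```python
# Added toy model (not from the article, not a physics-accurate simulator).
# All constants below are assumed values for illustration only.

K_ABS = 0.3        # reactivity gained per unit void from losing water as absorber (assumed)
K_MOD = 0.8        # reactivity lost per unit void from losing water as moderator (assumed)
VOID_GAIN = 0.5    # extra steam void produced per unit of power above nominal (assumed)
TAU = 0.1          # response time scale in seconds for dP/dt = (rho / TAU) * P (assumed;
                   # far slower than a real prompt-neutron lifetime, ignores delayed neutrons)


def void_reactivity(void, water_moderates):
    """Reactivity change (arbitrary units) caused by steam void fraction `void`.

    Losing water always removes a neutron absorber (reactivity up).  If the water
    is also the moderator (LWR) its loss removes moderation too (reactivity down),
    and that term dominates.  With graphite moderation (RBMK) only the absorber
    term remains, so the net effect of more void is positive.
    """
    absorber_loss = K_ABS * void
    moderator_loss = K_MOD * void if water_moderates else 0.0
    return absorber_loss - moderator_loss


def void_coefficient(water_moderates):
    """Reactivity per unit void: negative for the LWR case, positive for the RBMK case."""
    return void_reactivity(1.0, water_moderates)


def simulate(water_moderates, perturbation=0.05, seconds=3.0, dt=1e-3, runaway_at=100.0):
    """Follow power P (1.0 = nominal) after a small upward perturbation.

    Void is taken proportional to power above nominal, reactivity follows from the
    void, and power evolves with dP/dt = (rho / TAU) * P (explicit Euler steps).
    Returns the power history and whether the run was cut off as a runaway.
    """
    power = 1.0 + perturbation
    history = [power]
    for _ in range(int(seconds / dt)):
        void = max(0.0, VOID_GAIN * (power - 1.0))   # no extra steam below nominal power
        rho = void_reactivity(void, water_moderates)
        power += (rho / TAU) * power * dt
        history.append(power)
        if power >= runaway_at:
            return {"power": history, "runaway": True}
    return {"power": history, "runaway": False}


if __name__ == "__main__":
    for label, moderates in (("LWR (water moderates)", True), ("RBMK (graphite moderates)", False)):
        result = simulate(moderates)
        print(f"{label}: void coefficient {void_coefficient(moderates):+.2f}, "
              f"final power {result['power'][-1]:.2f}x nominal, runaway={result['runaway']}")
```

With the water-moderated case the 5% perturbation decays back to nominal within the three simulated seconds; with the graphite-moderated case the same perturbation feeds on itself and the run is cut off as a runaway. Only the sign of the coupling differs between the two runs, which is the point the article makes about the RBMK.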
This trade-off was deemed acceptable as it allowed the RBMK design to output thermal power far beyond that of Western reactor designs of the time, and it was assumed that a well-trained crew would have no problems managing an RBMK reactor.
As has been pointed out ad nauseam with e.g. the sinking of the Titanic, marketing and management regularly trump engineering, and any disaster that could have been averted by proper maintenance and training becomes an inevitability in the absence of a safety culture.
Inviting Murphy
When Chernobyl-4 was scheduled to be shut down for maintenance, it was selected and prepared for the turbine rundown test by disabling the ECCS. However, right before the test was supposed to begin it was decided to keep the reactor running for an additional 11 hours as the grid needed the extra power. During this delay the day shift which was supposed to have carried out the test was replaced by the evening shift, who had to regulate the feedwater valves manually because the ECCS was disabled.
The night shift, who had arrived at work expecting to manage a shutdown and a cooling reactor, were then told to carry out the test instead. This meant reducing the reactor from full power to about 700 to 1,000 MW thermal before cutting the steam supply to the turbine.
A quirk of the RBMK design is that it is highly unstable and hard to control at low power levels. Between the positive void coefficient, the flawed design of the control rods, and the build-up of the neutron-absorbing fission product xenon-135, the power of reactor #4 dropped to less than 100 MW thermal during the power reduction. This caused the operators to withdraw more and more control rods (including rods belonging to the automatic control system) in a bid to raise reactivity, which allowed power to slowly climb again to levels somewhat close to those required by the test.
Coolant flow through the core was increased, but more liquid water suppresses steam voids and so decreased reactivity; two of the pumps were therefore turned off to raise reactivity again. In this configuration, with virtually all control rods withdrawn and all safeties disabled, the test was run, and as the turbine generator slowed, the circulation pumps it powered lost speed, reducing coolant flow and pressure. As a final step the decision was made to use the SCRAM feature, which inserts the control rods to stop the reaction, though over many seconds rather than instantly.
As these rods were inserted they displaced the water from their channels, increasing voids, while the graphite section at the tip of each control rod further increased reactivity. As a result of the reactivity surge at the bottom of the core, thermal output spiked to an estimated 30,000 MW, roughly ten times the nominal 3,200 MW. The cooling water flashed to steam almost instantly and the overheated zirconium fuel cladding reacted with that steam, generating hydrogen gas.
The first explosion by super-heated steam erupting out of the core flipped the shield on top of the core and blew out the roof of the building. A second explosion a few seconds later — likely caused by exploding hydrogen gas — ripped the reactor core apart and terminated the nuclear chain reaction. All that was left of reactor #4 were radioactive bits of the core slung around everywhere and super-hot corium — a lava-like ooze of many different materials from the destroyed core — melting its way into the basement of the reactor building. Meanwhile, the graphite of the core caught on fire, causing the fall-out plume that would be detected first in Sweden.
End of an Era
Today, nine RBMKs are still active, all of them in Russia. The remaining three RBMKs at the Chernobyl plant were shut down one by one, the last of them in 2000, and every RBMK still in service was modified using the lessons learned from Chernobyl-4:
- Higher fuel enrichment (raised from about 2% to 2.4% 235U) to compensate for the extra absorbers.
- More neutron absorbers (additional control rods and fixed absorbers) to stabilize the reactor at low power levels.
- Faster SCRAM sequence (12 seconds instead of 18).
- Restricted access to controls that disable safety systems.
The main effect of these changes is that the positive void coefficient is significantly reduced, the reactor is much easier to control at low power levels, and there is much less freedom for operators to ‘improvise’.
With the RBMK and similar designs now firmly out of public favor, the competing VVER became the main reactor design that would come to power Russia. In its modern VVER-1200 form, the VVER is a Generation III+ pressurized water design that uses light water for both moderating neutrons and cooling, as well as for neutron absorption. As a design that follows international safety standards for nuclear reactors, it will be replacing the remaining RBMKs at Leningrad, Kursk, and other plants over the coming years.
It’s Safety Culture, Silly
As an interesting counter-point to the notion that it was the positive void coefficient that made the RBMK so dangerous, there is the CANDU reactor. This is a reactor type that’s so uneventful that the average non-Canadian citizen isn’t even aware that Canada has a nuclear industry and has been exporting these reactors around the world.
Yet the CANDU design runs on natural uranium, with heavy water as moderator, and likewise has a positive void coefficient. Despite this, the CANDU reactor’s active and passive safety features prevent something like the operator mismanagement that happened at Chernobyl-4, or the partial meltdown at the (negative void coefficient) reactor at Three Mile Island. In the latter case operators overrode a safety system, in a scenario somewhat reminiscent of the botched Chernobyl-4 test.
A similar cause underlies the 2011 accident at the Fukushima Daiichi nuclear plant, as pointed out in the 2012 report of the Japanese Diet’s investigation commission. A general lack of safety culture, and collusion between the operator, its regulators and government, led to safety systems not being upgraded, lax adherence to earthquake resistance standards, and failure to implement upgrades recommended by US regulators.
Even so, accidents at nuclear facilities are still exceedingly rare, which makes commercial nuclear power among the safest forms of power generation per TWh produced. What’s perhaps more worrying is that this lack of safety culture isn’t just an issue in the nuclear industry, but something far more pervasive, as Bhopal and other major industrial disasters show. In the US, the Chemical Safety and Hazard Investigation Board (CSB) is responsible for investigating industrial chemical accidents.
In addition to the official reports, the CSB has also made a number of documentary videos available on its YouTube channel. What these reports hammer home is that safety culture is not something that should ever be taken for granted, or assumed to not be an issue. Despite lacking a totalitarian regime, countries like the US still somehow manage to suffer regular industrial disasters that kill and injure hundreds.
One lesson which the US CSB’s reports teach is that, as scary as radioactive materials may appear, something as innocent as sawdust or flour should never be underestimated. Allowing a hazardous situation to even exist is the first step towards it escalating into someone’s worst day on the job, bar none.
There’s No ‘I’ in Safety
Nobody wants to be the guy on a team who has to point out the obvious safety issues in a design or procedure. Nor does anyone want to be the person who has to rat out their colleagues for not following safety procedures. Simultaneously, a single person cannot force a company or a country to implement better safety procedures.
When there’s no overarching effort to create, implement, and adhere to safety regulations, it is only a matter of time before the next easily preventable disaster strikes, no matter what form this may take. Although safety regulations aren’t exactly cool or ‘sexy’, they are often the one thing that stands between a boring day at the factory and a flattened refinery or coal fly ash spill that kills dozens and renders a large area uninhabitable.
It’s up to us to not only remember the Chernobyls, but also the Bhopals and similar disasters that took so many more lives and will continue to do so every year so long as we as a society do not make safety culture a part of life everywhere.
Heading image: The New Safe Confinement in final position over reactor 4 at Chernobyl Nuclear Power Plant. By Tim Porter, CC-BY-SA 4.0