This article was printed in CONTROL's July 2009 edition.
By Béla Lipták
This is the fifth part of a six-part series by Bela Liptak that describes the potential of process control for increasing safety in nuclear power plant operations. The previous four articles are
- November, 2008: Nuclear Power and Cyberterrorism
- January, 2009: Nuclear Security, Part 2
- March, 2009: The Future of Nuclear Energy
- May, 2009: Three Mile Island Accident
We now know that properly designed process controls could have prevented the meltdown at Chernobyl. The causes of this accident were similar to those at Three Mile Island seven years earlier. Both accidents occurred at night, after a shift change, with operators who were poorly trained and uninformed and who were running the plants under manual control while the safety controls were bypassed. Ironically, the Chernobyl accident occurred during a test run that was conducted to improve plant safety. This accident proved once more what experienced control engineers have all learned: a process must be understood before it can be controlled.
The accident occurred while the reactor was being tested at low loading (20%) to determine the time period during which the plant would stay stable and continue to produce electricity after being shut down. The test was conducted in the middle of the night, by an inexperienced crew, while the control computer was disabled. The Chernobyl design had a positive void coefficient (VC), meaning that an increase in core temperature (more boiling) further increased power generation.
During the test on April 26, 1986, at 1:23 a.m., a runaway condition developed during which the power generation reached over 100 times the design capacity and caused a steam explosion that blew off the 2,500-ton top of the reactor. As air entered the reactor, the graphite in the core also ignited, further worsening the meltdown. As a result of the explosion and fire, 20 million curies of radioactivity were released, an amount 30 times the nuclear fallout at Hiroshima and Nagasaki. Thirty operators and fire fighters died, and some 1,800 thyroid cancer cases (700 of them children) were reported (most of them survived). The accident also resulted in a massive relocation of the population, as radiation made human life impossible over a 5,000 square-kilometer area.
Matching the Controls to the Process
I cannot possibly list all the errors in the process control system, because practically none was provided. The lack of process control can be explained partly by the fact that the plant was built for military purposes and, therefore, was designed to operate at constant loading in a plutonium-production mode. The second cause was the prevailing operating philosophy at the time in the Soviet Union, which did not trust automation and relied on operators who did not understand the process.
Examples of this lack of understanding included the use of constant controller gains on a variable-gain process. The gain of this process increased (the process became more sensitive) as the load was reduced.
The operators did not understand the "inverse response" of the process either. They did not know that as the control rods are lowered into the reactor core, the reactivity does not drop immediately; it first rises and only later drops. (Reactivity refers to the portion of nuclear energy that is available to generate steam. Reactivity is reduced, and the "energy insulation effect" is increased, as the absorber rods are lowered. The second most effective moderator is water, graphite is the third, and steam is the least effective moderator. Reactivity therefore increases with increased steam void formation, or boiling.) In other words, they treated a variable-gain, inverse-response process as if it were neither. Therefore, as the load dropped (reaching 7% of full loading), the VC became so large that it overwhelmed all other influences, and the core melted down.
As the operators did not understand the process, they attempted to control a very fast process (which at the time of the explosion had a time constant measured in seconds) with slow final control elements. The control rods moved at 0.4 m/s, corresponding to a stroking time of 15 to 18 seconds. In addition, these manual controls relied on a measurement with a dead time of 15 minutes, because the intermittent calculation of the operating reactivity margin (ORM), using 4,000 data points, took that long, and on top of that the calculation was performed outside the control room, at a different location from where the operators worked.
The ORM is the ratio of the reactivity that would result if all control rods were withdrawn to the effect of a single rod on the total reactivity. In this case, the ORM should have exceeded 30, but it was 7. In addition, the ORM calculation was intermittent, took 15 minutes and was done 150 feet away from the control console.
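To make the variable-gain and dead-time points concrete, here is an added simulation (not from the article) of a proportional controller on an assumed toy first-order-plus-dead-time process whose gain rises as load falls: the controller tuned at full load runs away at 20% and 7% load, while a gain-scheduled controller that divides its gain by the process gain stays stable at every load, and the final call shows that lengthening the dead time alone destabilises the full-load loop. The process model, gains and delays are constructed assumptions, not reactor data.

```python
from collections import deque

def process_gain(load):
    """Assumed process gain vs. load fraction: rises as load falls, as the
    article describes (1.0 at full load, 5.0 at 20 %, about 14 at 7 %)."""
    return 1.0 / load

def constant_gain(load, kc_full_load):
    """Controller gain tuned once at full load and never re-tuned."""
    return kc_full_load

def scheduled_gain(load, kc_full_load):
    """Gain scheduling: keep loop gain (Kc * Kp) the same at every load."""
    return kc_full_load * process_gain(1.0) / process_gain(load)

def simulate(load, controller, kc_full_load=1.5, delay=3, tau=5.0, steps=400):
    """P control of a first-order lag with dead time (assumed toy model):
    y[k+1] = y[k] + (1/tau) * (-y[k] + Kp(load) * u[k-delay]),
    u[k] = Kc(load) * (1 - y[k]).  Returns the trajectory of y."""
    kp, kc = process_gain(load), controller(load, kc_full_load)
    in_transit = deque([0.0] * delay)  # control actions not yet acting on y
    y, trajectory = 0.0, []
    for _ in range(steps):
        in_transit.append(kc * (1.0 - y))
        y += (1.0 / tau) * (-y + kp * in_transit.popleft())
        trajectory.append(y)
    return trajectory

def settles(trajectory, tail=100, tol=1e-3):
    """True if the last `tail` samples have stopped moving (no runaway)."""
    window = trajectory[-tail:]
    return max(window) - min(window) < tol

def compare(loads=(1.0, 0.2, 0.07)):
    """Per load: (constant-gain loop settles?, scheduled-gain loop settles?)."""
    return {load: (settles(simulate(load, constant_gain)),
                   settles(simulate(load, scheduled_gain)))
            for load in loads}

if __name__ == "__main__":
    for load, (fixed, sched) in compare().items():
        print(f"load {load:4.0%}: constant gain settles={fixed}, "
              f"scheduled gain settles={sched}")
    # Dead time alone (15 samples against a lag of 5) destabilises the
    # full-load loop even though its gain is unchanged.
    print("full load, dead time 15:",
          settles(simulate(1.0, constant_gain, delay=15)))
```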
If an experienced process control engineer had been on site, he or she would have known that supply-demand matching controls were needed to maintain stability. Under steady and stable load conditions, this demand controller would have met the variations in electric power demand by modulating the thermal energy supplied by the reactor core. This electricity demand controller would have been designed as the cascade master of slave controllers modulating all final control elements. The slave controllers should have modulated the flow of cooling water and the position of the control rods (in this case, 211 boron carbide absorber rods). Naturally, these final control elements would have been selected to be faster than the process they control.