The released radioactivity cloud spread as far as Norway, and the atmosphere in the area is expected to remain radioactive for some 300 years (the ground itself, longer). Decommissioning is still in progress and is estimated to be completed by 2015, when a containment structure (sarcophagus) will finally be built. So what happened? Why did such a simple process as boiling water create such a mess?
The core of the reactor consisted of hundreds of pressure tubes containing low-concentration (2% U-235) fuel rods. Water was pumped through the tubes from the bottom up, and the fission in the fuel rods turned this water to steam, which was sent through a steam separator to the steam turbine-generators (Figure 1).
The pressure tubes were inserted into blocks of graphite neutron moderator, which served to slow down the neutrons, because when slowed, the neutrons are more efficiently captured by the U-235 atoms and, therefore, the concentration in the fuel rods can be lower and less expensive (~ 2% at Chernobyl). The rate of heat generation was maintained by the insertion of control rods that absorb the excess neutrons. Various safety systems, such as an emergency core cooling system (ECCS), were provided, but they were not automatic; therefore, the operators could (and did) disable them at will.
Automation can't correct design errors, but it can protect the plant from the consequences of them. The basic design error at Chernobyl was that scramming (shutting down) at low loads (under 700 MWt ~ 230 MWe) caused a temporary and self-accelerating power surge. This occurred because the reactor had a positive void coefficient (+VC), while all properly designed reactors have a negative one (-VC).
VC indicates the effect of swelling (the increase in the volume of steam bubbles) when the rate of steam generation changes (temperature rises or pressure drops). VC is negative (-VC) if swelling decreases reactivity (fewer U-235 atoms are split). All properly designed reactors do this; i.e., the nuclear reaction rate slows when more steam bubbles form. This is because steam is a less effective moderator (it does not slow the emitted neutrons as much as water does), and therefore, when swelling occurs, the proportion of fast neutrons, which are less likely to hit and split U-235 atoms, rises, so the reactor produces less power due to this "negative feedback" effect.
With the Chernobyl reactors, the opposite was the case: At loads under 700 MWt, the VC was positive (+VC), and the operators either were not told or did not understand this counter-intuitive characteristic. This was the case because the control rods had graphite tips and were 1.3 meters shorter than necessary.
In case of an emergency, the sudden insertion of the control rods (scramming) with their graphite tips could initially cause a dramatic and self-accelerating power surge, because the graphite tips act like moderators. In other words, as they were shoved down into the core, the graphite slowed down more, not fewer, neutrons (+VC) than before, and therefore the neutron impact efficiency in the fuel rods increased instead of dropping.
On top of this, the control rods were too short. Therefore, the upper part of the rod made of boron carbide that absorbs the neutrons did not even enter the reactor core at the beginning of lowering the control rods. Thus, for the first few seconds of scramming, reactor power output increased instead of dropping!
The control rods also jammed, so they could not be slammed into the core anyway. Naturally, the runaway reaction resulted in a meltdown that burned the zirconium cladding of the fuel rods, causing the generation of hydrogen, which exploded, destroying the building and releasing radioactive isotopes into the environment.
At Chernobyl, it was the conducting of a "safety test" that caused the meltdown. The purpose of the test was to determine if, in case of the failure of the external power supply grid, the residual "rotational energy" (inertia) of the turbines would be enough to provide electric power until the backup diesel generators (DG) started up. The goal of the test was to determine if this "rotational inertia" was enough to supply the plant with electricity for about a minute after a grid failure.
The test should have been performed when the thermal power generation exceeded 700 MWt—when the void coefficient is negative (-VC)—but the operators, being in a hurry at 1 a.m. and ignorant of the consequences, started the test before reaching this minimum power and, therefore, started the test under +VC conditions. They ran the test "in manual," disabled the turbine generator's safety systems, and therefore, the main process computer could not shut down the reactor or even reduce its power.
So how would automation have prevented this accident? The answer is simple: An automatic safety interlock would have prevented the start of the test until the 700 MWt limit was reached. Unfortunately, automatic safety interlocks can prevent accidents only if they exist and can't be deactivated by the operators. In other words, allowing panicked, unqualified and sleepy operators at 1 a.m. to do what they felt like doing was a recipe for disaster.
Naturally, if the control system had been designed so that the operators could not bypass the automatic safety system, the accident could not have occurred; and even if it had started due to some other cause, at the first sign of a power surge, the control computer would have "scrammed" the reactor by inserting all of the control rods into the core and flooding it with water.
In Figure 2, I have inserted some numbers, showing the points where automatic safety controls should have existed and did not. Point 1 refers to the fact that automatic pressure relief valves should have been provided to relieve the steam overpressure that caused the explosion that damaged the building.
Reliable water level and pressure/temperature measurements should have been combined with automatic interlocks to scram the reactor if the water level dropped below the reactor core (Points 2 & 3). Automatic pressure relief should have been provided on the roof to protect the building from steam explosion damage (Point 4). The control-rod drives should have been faster than the worst possible power surge, operators should have been prevented from manually withdrawing any control rods (which they did), and the system should have automatically "scrammed" the reactor when the power surge was detected (Point 5). When the presence of hydrogen was detected, both automatic venting and inerting should have been triggered (Points 6 & 7).
In the next article of this series, I will show how safety automation could have prevented the Fukushima accident.