
Automation Could Have Prevented Chernobyl

Bela Liptak Tells How Automatic Safety Controls Could Have Prevented the Accident at Chernobyl

By Bela Liptak

In the first part of this series, I described how automatic safety controls could have prevented the Three Mile Island accident. Now I'll do the same for Chernobyl. This accident at the RBMK nuclear power plant at Chernobyl in the Ukraine occurred at 1:23 a.m. on April 26, 1986, right after the midnight shift change of the operators at Unit 4; the plant consisted of four 1000-MWe units, built in the 1970s. The meltdown caused a steam explosion that blew off the 2500-ton top of the reactor, followed by hydrogen explosions and a fire when the graphite in the core ignited. Twenty million curies of radioactivity were released, 30 times the nuclear fallout that occurred at Hiroshima and Nagasaki. Thirty-one operators and firemen were killed, and over 100,000 people were evacuated.

The released radioactivity cloud spread as far as Norway, and the atmosphere in the area is expected to remain radioactive for some 300 years (the ground itself, longer). Decommissioning is still in progress and is estimated to be completed by 2015, when a containment structure (sarcophagus) will finally be built. So what happened? Why did such a simple process as boiling water create such a mess?

The Process

The core of the reactor consisted of hundreds of pressure tubes containing low-concentration (2% U-235) fuel rods. Water was pumped through the tubes from the bottom up, and the fission in the fuel rods turned this water to steam, which was sent through a steam separator to the steam turbine-generators (Figure 1).

The pressure tubes were inserted into blocks of graphite neutron moderator, which served to slow down the neutrons, because when slowed, the neutrons are more efficiently captured by the U-235 atoms and, therefore, the concentration in the fuel rods can be lower and less expensive (~ 2% at Chernobyl). The rate of heat generation was maintained by the insertion of control rods that absorb the excess neutrons. Various safety systems, such as an emergency core cooling system (ECCS), were provided, but they were not automatic; therefore, the operators could (and did) disable them at will.

Design Errors

Automation can't correct design errors, but it can protect the plant from the consequences of them. The basic design error at Chernobyl was that scramming (shutting down) at low loads (under 700 MWt ~ 230 MWe) caused a temporary and self-accelerating power surge. This occurred because the reactor had a positive void coefficient (+VC), while all properly designed reactors have a negative one (-VC).

VC indicates the effect of swelling (the increase in the volume of steam bubbles) when the rate of steam generation changes (temperature rises or pressure drops). VC is negative (-VC) if swelling decreases reactivity (fewer U-235 atoms are split). All properly designed reactors do this; i.e., the nuclear reaction rate slows when more steam bubbles form. This is because steam is a less effective moderator (it does not slow the emitted neutrons as much as water does), and therefore, when swelling occurs, the proportion of fast neutrons, which are less likely to hit and split U-235 atoms, rises, so the reactor produces less power due to this "negative feedback" effect.

With the Chernobyl reactors, the opposite was the case: At loads under 700 MWt, the VC was positive (+VC), and the operators either were not told or did not understand this counter-intuitive characteristic. This was the case because the control rods had graphite tips and were 1.3 meters shorter than necessary.

In case of an emergency, the sudden insertion of the control rods (scramming) with their graphite tips could initially cause a dramatic and self-accelerating power surge, because the graphite tips act like moderators. In other words, as they were shoved down into the core, the graphite slowed down more, not fewer, neutrons (+VC) than before, and therefore the neutron impact efficiency in the fuel rods increased instead of dropping.

On top of this, the control rods were too short. Therefore, the upper part of the rod made of boron carbide that absorbs the neutrons did not even enter the reactor core at the beginning of lowering the control rods. Thus, for the first few seconds of scramming, reactor power output increased instead of dropping!

The control rods also jammed, so they could not be slammed into the core anyway. Naturally, the runaway reaction resulted in a meltdown that burned the zirconium cladding of the fuel rods, causing the generation of hydrogen, which exploded, destroying the building and releasing radioactive isotopes into the environment. 

The Test That Caused the Accident

At Chernobyl, it was the conducting of a "safety test" that caused the meltdown. The purpose of the test was to determine if, in case of the failure of the external power supply grid, the residual "rotational energy" (inertia) of the turbines would be enough to provide electric power until the backup diesel generators (DG) started up. The goal of the test was to determine if this "rotational inertia" was enough to supply the plant with electricity for about a minute after a grid failure.

The test should have been performed when the thermal power generation exceeded 700 MWt—when the void coefficient is negative (-VC)—but the operators, being in a hurry at 1 a.m. and ignorant of the consequences, started the test before reaching this minimum power and, therefore, started the test under +VC conditions. They ran the test "in manual," disabled the turbine generator's safety systems, and therefore, the main process computer could not shut down the reactor or even reduce its power.

Automation Would Have Prevented the Accident

So why would automation have prevented this accident? The answer is simple: An automatic safety interlock would have prevented the start of the test until the 700 MWt limit was reached. Unfortunately, automatic safety interlocks can prevent accidents only if they exist and can't be deactivated by the operators. In other words, allowing panicked, unqualified and sleepy operators at 1 a.m. to do what they felt like doing was a recipe for disaster.

Naturally, if the control system had been designed so that the operators could not bypass the automatic safety system, the accident could not have occurred; and even if it had, due to some other cause, at the first sign of a power surge the control computer would have "scrammed" the reactor by inserting all of the control rods into the core and flooding it with water.

In Figure 2, I have inserted some numbers, showing the points where automatic safety controls should have existed and did not. Point 1 refers to the fact that automatic pressure relief valves should have been provided to relieve the steam overpressure that caused the explosion that damaged the building.

Reliable water level and pressure/temperature measurements should have been combined with automatic interlocks to scram the reactor if the water level dropped below the reactor core (Points 2 & 3). Automatic pressure relief should have been provided on the roof to protect the building from steam explosion damage (Point 4). The control rod drives should have been faster than the worst possible power surge, operators should have been prevented from manually removing any control rods (which they did), and the system should have automatically "scrammed" the reactor when the power surge was detected (Point 5). When the presence of hydrogen was detected, both automatic venting and inerting should have been triggered (Points 6 & 7).
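The interlock logic called for above, written here as an added example (not the author's or the plant's own control code): the 700 MWt test permissive from the article, a latched scram that cannot be cleared by an operator override, and the trip actions for Points 1 through 7. Only the 700 MWt limit comes from the article; the other thresholds are assumed placeholders.

```python
from dataclasses import dataclass, field

TEST_MIN_POWER_MWT = 700.0    # from the article: test permitted only above this power
SURGE_RATE_MWT_PER_S = 50.0   # assumed: rate of power rise that trips a scram (Point 5)
H2_TRIP_PCT = 1.0             # assumed: hydrogen concentration that trips vent + inert (6, 7)
RELIEF_PRESSURE_RATIO = 1.1   # assumed: measured/design pressure that lifts relief (1, 4)


@dataclass
class PlantState:
    """Constructed snapshot of the measurements the interlocks would read."""
    power_mwt: float
    power_rate_mwt_s: float     # d(power)/dt, positive means rising
    water_above_core: bool      # reliable level measurement (Points 2 & 3)
    hydrogen_pct: float
    pressure_ratio: float       # measured pressure / design pressure


@dataclass
class SafetyInterlock:
    scrammed: bool = False
    log: list = field(default_factory=list)

    def permit_rundown_test(self, state: PlantState, operator_override: bool = False) -> bool:
        """Permissive for the turbine run-down test. The override argument exists
        only to show that an operator request has no effect on the decision."""
        permitted = state.power_mwt >= TEST_MIN_POWER_MWT and not self.scrammed
        self.log.append(("TEST_REQUEST", state.power_mwt, operator_override, permitted))
        return permitted

    def evaluate(self, state: PlantState) -> list:
        """Run every automatic trip against the current state; returns the actions taken."""
        actions = []
        if state.power_rate_mwt_s > SURGE_RATE_MWT_PER_S or not state.water_above_core:
            actions.append("SCRAM")          # insert all rods, flood core (Points 2, 3, 5)
            self.scrammed = True             # latched: no operator path clears it here
        if state.pressure_ratio >= RELIEF_PRESSURE_RATIO:
            actions.append("OPEN_RELIEF")    # vessel and roof relief (Points 1, 4)
        if state.hydrogen_pct >= H2_TRIP_PCT:
            actions.extend(["VENT_H2", "INERT"])   # Points 6 & 7
        self.log.append(("EVALUATE", tuple(actions)))
        return actions


if __name__ == "__main__":
    si = SafetyInterlock()
    low_power = PlantState(200.0, 0.0, True, 0.0, 1.0)   # roughly the 1 a.m. situation
    print("test permitted at 200 MWt:", si.permit_rundown_test(low_power, operator_override=True))
    print("surge response:", si.evaluate(PlantState(200.0, 120.0, True, 0.0, 1.0)))
```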

In the next article of this series, I will show how safety automation could have prevented the Fukushima accident.