5 June 2019

Low safety culture of the entire system – the cause of the Chernobyl accident

On April 26, the whole nuclear community honors the memory of the heroes who, at the cost of their own lives, protected us from the consequences of the largest technogenic catastrophe: the accident at the fourth power unit of the Chernobyl Nuclear Power Plant. Today, on the 33rd anniversary of the tragedy, it is important to understand what conclusions were drawn and how the accident affected the further development of the world’s nuclear energy.

The causes of the Chernobyl tragedy and the conclusions drawn from it are set out in the article by Razu Kamilov, a member of the Ukrainian Nuclear Society and a leading instructor of the training center of SS “Atomremontservis”, NNEGC “Energoatom”.


The sad irony of fate is that the notion of Safety Culture owes its appearance as one of the fundamental principles of safety in the nuclear industry to the accident at the Chernobyl nuclear power plant in 1986.

In the final investigation report of the IAEA experts, this is reflected as follows: «Without going into the details of that report, the Commission notes that in analysing the root causes of the Chernobyl accident, INSAG concluded that the need to create and maintain a ‘safety culture’ is a precondition for ensuring nuclear power plant safety». The IAEA later fixed this concept in its official documents.

In analyzing the causes of the accident at the Chernobyl nuclear power plant, I will rely on the official IAEA expert report INSAG-7, since there are many other versions of the causes of the accident, including exotic ones (such as conspiracy theories or alien intervention). The safety culture requirements are applied in accordance with INSAG-4.

The trial of Chernobyl NPP employees

“The Summary Report on the Post-Accident Review Meeting on the Chernobyl Accident” (IAEA Safety Series No. 75-INSAG-1) was published in September 1986. The report focused on the staff’s fault as the main cause of the accident. This approach coincided with the findings of the Soviet commission of inquiry.

In the USSR, several members of the operating personnel were sentenced to various terms of imprisonment.

In 1993, the amended report INSAG-7 was issued, in which one can see an attempt by the IAEA experts to justify their agreement with the version of the causes of the accident proposed in 1986 in the report of Soviet specialists. The new report names the design flaws of the reactor as the main cause of the accident.

For ease of reading, I will present the material in the following sequence:

– A summary of the findings of the IAEA experts on the causes of the accident;
– An explanation of what the conclusions mean;
– How a low safety culture manifested itself.

Technical details are simplified as far as possible and presented in language accessible to non-specialists.

Conclusion of experts about the causes of the accident

«Design deficiencies of the RBMK-1000 reactor at Chernobyl Unit 4 predetermined the severe consequences of the accident. The Chernobyl disaster was caused by the choice made by the RBMK-1000 reactor designers of a design which did not take adequate account of the safety issues involved. As a result of that choice, the physical and thermal-hydraulic characteristics of the reactor core contradicted the principles of dynamically stable safe systems. In accordance with this design concept, a reactor control and protection system was designed which did not meet the safety requirements. The unsatisfactory physical and thermal-hydraulic characteristics of the reactor core in terms of safety were aggravated by errors made in the design of the RCPS. The design parameters and characteristics of the RBMK-1000 reactor on 26 April 1986 violated the safety standards and regulations so seriously that it could only be operated in a country where there was an inadequate safety culture» (INSAG-7).

What is meant?

The RBMK-type reactors (like the one at the Chernobyl NPP) did not meet the requirements of the safety regulations in force at that time. For example, one of the most important properties that a reactor should have according to safety standards (General Provisions for the Safety of Nuclear Power Plants) is the property of internal self-protection (self-regulation). This means that the reactor must provide safety based on natural feedbacks, processes and characteristics within the reactor.

For a better understanding of the explanations and examples that follow, I will give some technical details. Only slow neutrons can fission uranium U235. Therefore, almost all modern reactors operate on slow neutrons. Neutrons are divided into slow and fast, depending on their kinetic energy. Initially, neutrons are fast. To slow them down, a so-called moderator is used. This is mainly water or graphite. In WWER reactors, which are currently operated in Ukraine, water is used as the moderator. In the RBMK (Chernobyl-type) reactors, graphite is used as the moderator.

Chain of the nuclear processes in the reactor

In WWER reactors, self-regulation based on natural feedback works as follows:

The power of the reactor increases – the temperature of the water increases – the density of the water decreases – its slowing capacity decreases – the number of slow neutrons decreases – the number of fissioned nuclei decreases – the power of the reactor decreases.

If the reactor power decreases, the process runs in the reverse order. Thus, the reactor remains in a stable state, fluctuating within a small power range.

Now let’s consider the same sequence of events for the RBMK reactor.

If the reactor power increases, the graphite temperature increases – but the slowing ability of graphite does not change – the number of slow neutrons continues to increase – the number of fissioned nuclei continues to increase – the reactor accelerates (the so-called positive vapor effect).

Until an operator or the automatic control system intervenes, the reactor will keep accelerating. It is such negative properties of the reactor that the conclusions of the IAEA experts refer to.

WWER reactor
RBMK reactor

The large size of the core also contributes to the RBMK reactor’s instability: it is over 11 meters in diameter and 7 meters high. Compare this with the size of the WWER reactor, about 4 by 4 meters. A large reactor space leads to an uneven distribution of neutron fluxes. It was the distortion of the neutron flux distribution that became one of the main reasons contributing to the 1986 accident at ChNPP. Below, in the detailed description of the immediate cause of the accident, I will explain the effect of this fact.

What is meant by the mistakes made in the design of the rods of the control and protection system (CPS)? It is believed that the structural defect of the CPS rod became a kind of trigger that led to the explosion.

Structurally, the CPS rod consists of two assemblies suspended on one rod (see figure). The upper part is the boron-containing part (boron is a very good neutron absorber). The lower, shorter part consists of graphite. Graphite is a weaker neutron absorber than water.

As the CPS rod moves into the core, in the areas where the graphite part of the rod displaces water the criticality (the number of slow neutrons) increases instead of decreasing (this is the so-called end effect).

Effect of the CPS rods on the occurrence of the accident

By the time of the accident, there was a very strong skew in the distribution of the neutron flux along the height of the reactor. The flux was shifted to the bottom part of the reactor. In the figure it is indicated by the red curve.

Why did such a situation arise? During the experiment, the operators could not keep the reactor at power. In order to complete the experiment, the work manager (the deputy chief engineer) forced the operators to bring the reactor back up to power. But this type of reactor has the feature of “poisoning” immediately after stopping. The reason is that xenon isotopes, which are good “eaters” of neutrons, accumulate in the reactor. There is not enough reactivity to start the reactor (put simply, there are not enough neutrons). Therefore, in such cases it is necessary to wait about one day while the xenon decays. Raising the power of the reactor without this delay, as in this case, makes it necessary to withdraw almost all control rods from the core, and the reactor ends up in a highly unstable and uneven state. By the way, raising the power of the reactor without the time delay was the only error of the operators that contributed to the accident.

Thus, all the components required for the accident were already in place:

– a positive vapor reactivity coefficient (structural deficiency);
– the “end effect” of the control rods (structural deficiency);
– an unstable reactor operating at low power, with almost all the control rods removed from the core (the situation created by the actions of the operators).

It only remained to pull the trigger, and the trigger in this case was the reactor emergency shutdown button, AZ-5. After it was pressed, all the rods moved into the core synchronously. In the lower part of the reactor, where the graphite parts of the rods reached, a large positive reactivity was introduced (the end effect). An explanation of this situation is given in the figure above. The effect was as if you had pressed the brake and the car started to accelerate.

The increasing power of the reactor increased the water vapor content and introduced additional positive reactivity (the positive vapor effect). Within seconds, the power of the reactor increased many times over. Then the technological channels ruptured, and the steam-water mixture was released into the reactor space and evaporated completely (this was the first explosion, a steam explosion). Next, the reactor accelerated on fast neutrons and was completely destroyed. This was the second (one might say nuclear) explosion. True, unlike a bomb explosion, the chain reaction fades away immediately, because there are no conditions for a further self-sustaining chain reaction.

In this description of the causes of the accident, many technical, physical and thermohydraulic nuances are omitted, since the article is intended mainly for non-specialists. But it does give an idea of the main causes of the accident.

What is the inconsistency with safety culture requirements?

The main postulate of safety culture is: safety first of all! Safety comes before production, economics, and politics. Given this postulate, it is interesting to study the history of the RBMK reactor. To begin with, I will cite the recollections of one of the authors of the RBMK reactor, Academician Alexandrov. They can be found on the Internet.

“You know why we started making nuclear power plants with the RBMK reactors? Because of Arkady Raikin (famous Soviet satirist. – R.K.). I can’t remember exactly the year when Fima (Efim Slavsky, then Minister of Middle Machine Building of the USSR. This ministry was engaged in the manufacture of weapons. – R.K.) and I were called by Nikita Khrushchev to his house. He had one question: why do the Americans and the British build nuclear power plants, and we do not? Why did the USSR build the NPP in Obninsk first, and now it is behind? Catching up and overtaking (US. – R.K.) – that’s your task!

Academician A. Alexandrov

We explained to him for a long time that the reactors which were already in operation in the country were designed to produce weapons-grade plutonium and that the use of uranium-graphite channel-type reactors to produce electricity can be unsafe.

It was evident that Nikita did not understand what we were telling him. And as often happened in such cases, he became very angry, switched to the Ukrainian language and said: “Go damn children and make a station in a year. And if you don’t, I’ll take away membership cards immediately” (communist party cards. – R.K.). We understood that this was not a joke and went to discuss our action plan.

At dinner, we talked about Khrushchev and watched TV with half an eye. The performance of the famous satirist Arkady Raikin was being broadcast. Suddenly Fima shouted: look, Khrushchev. But it was Raikin, who meanwhile said: “Here the ballerina is spinning. Spinning, spinning, until the eyes are dazzled. Attach her to a dynamo – let her produce current for underdeveloped areas”. This humoresque exactly suited the situation and Khrushchev’s understanding of the problem.

Having gone mad, we called Academician N. Dollezhal (one of the main designers of the RBMK reactor. – R.K.) and in two weeks prepared proposals for Tomsk-7 (Siberian Nuclear Power Plant)” (Tomsk-7 is an NPP for producing weapons-grade plutonium. – R.K.).

Perhaps the author embellished something in his recollections. But, in fact, these recollections accurately characterize the situation in which RBMK-type reactors were created.

In the seventies, the rapid construction of nuclear power plants began in the United States. In the Soviet Union, this process was slow. The reason was the technological complexity of reactor vessel fabrication. Fabricating a reactor vessel took 2-3 years. Only the Izhora plant in Leningrad could produce reactor vessels.

The Communist Party set Soviet scientists the task of solving this problem. And the solution found was exactly as described above: to adapt the military reactor to generate electrical energy.

Economic and political interests were put ahead of safety. As you understand, there is no safety culture in this case.

«In any important activity, the manner in which people act is conditioned by requirements set at a high level. The highest level affecting nuclear plant safety is the legislative level, at which the national basis for Safety Culture is set». (INSAG-4).

The system of legal, economic and socio-political relations in the field of atomic energy that existed at the time of the accident was not legally regulated. There was no law regulating the utilization of nuclear power. Practically no one bore full responsibility for the safe operation of NPPs.

«An organization pursuing activities with a bearing on nuclear plant safety makes its responsibilities well known and understood in a safety policy statement». (INSAG-4).

The purpose of a safety policy statement is to publicly declare the priority of safety over other tasks. The statement also makes it clear to staff that if they follow the safety priority in their work and refuse to carry out unsafe work, they will not be sanctioned for it.

Leonid Toptunov
Alexander Akimov

If the practice of such statements had existed in 1986, perhaps the timid attempts of the control room operators (reactor operator Toptunov and unit shift chief Akimov, both of whom died in the first days of the accident) to resist the pressure of the deputy chief engineer would have been successful, and the accident would not have happened. At the link https://youtu.be/FogTJMUhL8o, you can watch a fragment from the Discovery reconstruction film, in which the operators are forced to perform a dangerous operation (raising the power of a recently shut down reactor). But a safety policy statement could not have appeared in the absence of any legislative regulation of nuclear power utilization.

«A regulatory body has a weighty influence on the safety of nuclear plants within its purview and an effective Safety Culture pervades its own organization and its staff». (INSAG-4).

The nuclear regulatory body was formed just 3 years before the Chernobyl accident and, contrary to the concept of a safety culture, could not be considered independent, since it was part of the same state structures that were responsible for building the nuclear power plant. For example, if an order of the regulatory body interfered with the implementation of the production plan, the levers of administrative pressure could be used.

«As a matter of policy, all organizations arrange for regular review of those of their practices that contribute to nuclear plant safety. This includes, for example, staff appointments and training, the feedback of operating experience, and the control of design changes, plant modifications and operating procedures». (INSAG-4).

As an example of a flagrant inconsistency with the above requirement of a safety culture, the following fact can be given:

The chief designer and the scientific supervisor were aware of the “end effect” of the control rods before the accident. It was detected experimentally during the physical start-ups of Unit 1 of the Ignalina NPP and Unit 4 of the Chernobyl NPP. The institution of the scientific supervisor even drew attention to the extreme danger that the revealed effect posed to the reactor.

The chief designer acknowledged the input of positive reactivity and proposed a number of corrective measures. However, the chief designer did not implement the technical measures.

Another fact is even more glaring. In 1975, the first unit of the Leningrad NPP had an accident which was in fact the prototype of the accident at the 4th unit of ChNPP in 1986. As at the Chernobyl nuclear power plant, the reactor was shut down (due to operator error). But the chief of the plant shift, fearing a “scolding” from the authorities, decided to bring the reactor back to power immediately rather than wait for the “unpoisoning” of the reactor. As a result, one fuel channel was completely destroyed and about 30 fuel channels were damaged. Immediately after the accident, the radiation background in the city of Sosnovy Bor (5 km from the emergency unit) was 600 μR/hour and higher. Residents of Sosnovy Bor (the city of the NPP workers) received quite serious radiation exposures. Most of them are probably still unaware of this. Data on emergency situations were hidden both from the public and from the operating personnel of nuclear power plants on grounds of secrecy, which was so widely practiced in the USSR.

Viktor Bryukhanov

The director of the Chernobyl NPP, Viktor Bryukhanov, who was declared the main culprit of the Chernobyl disaster, said in an interview after serving his ten years in prison: “If you go deep, then there were micro-accidents before … But they were hidden even from us. About Leningrad (accident on Leningrad NPP. – R.K.), for example, I knew by rumor from my colleagues. What could be understood in this situation?”

If the results of the emergency at the Leningrad NPP had been promptly communicated to the operating personnel of other operating NPPs, the Chernobyl disaster would not have occurred.

Conclusion of experts about the causes of the accident

«The misguidedness of the practice of transferring emergency protection functions to the human operator owing to the lack of appropriate engineered safety features was highlighted by the accident itself: the combination of design deficiencies and the non-total reliability of human operators brought about the disaster» (INSAG-7).

What is meant?

The modern approach to the design of hazardous technological systems, including nuclear power plants, is to proceed from the assumption that people will make mistakes. The Chernobyl reactor was designed so that it could explode if personnel made mistakes. And it exploded.

The occurrence of the errors needed for a catastrophe turned out to be only a matter of time. With a knowingly dangerous reactor, the personnel were assigned the function of a safety system. And when the accident happened, they were made scapegoats.

President Carter at the Three Mile Island NPP

Compare a different approach to determining the causes of an accident. After the severe accident at the Three Mile Island nuclear power plant (USA), the reactor developers did not try to blame the operating personnel because “… engineers can analyze the first minute of the incident several hours or even weeks to understand what happened or predict the process trend when changing parameters”, whereas the operator must “describe the hundreds of thoughts, decisions and actions taken during the transition process”. The American operator who made the wrong decisions on the night of the accident was not pursued for this in any way. Those who investigated the accident adhered to the principle that an operator should never be in a situation that engineers had not previously analyzed.

Conclusion of experts about the causes of the accident

«The system of legal, economic and sociopolitical correlations that existed prior to the accident and still exists in the field of nuclear power has no legal basis. When there is no law governing the utilization of nuclear power, no one bears the full responsibility for the safety of operating nuclear power plants». (INSAG-7).

What is meant?

The situation was that there were dangerous facilities, but no one who was responsible for their safety. Each organization participating in the process of creating and operating a nuclear power plant was responsible only for its own part of the work. The approach now practiced in accordance with safety culture requires legislative regulation of nuclear energy utilization, with a definition of the entity bearing full responsibility for the safe operation of nuclear power plants. The entity that bears full responsibility for the safe operation of nuclear power plants is usually the operating organization (in the case of Ukraine, NNEGC “Energoatom”) and the directors of NPPs as its representatives on site.

Evaluation of the events of the Chernobyl accident showed that an insufficient safety culture is typical not only of the operational stage, but equally of the participants in the other stages of NPP creation and operation (designers, builders, equipment manufacturers, ministerial managers, regulatory structures, etc.).

We can say that the accident was the result of a low safety culture not only at ChNPP, but also in the entire state system that existed at that time.