Monday, 4 July 2016

Having a Meltdown

I am a big fan of world history. Whether it be the two world wars, the moon landing, the time the rebels overthrew the Galactic Empire.....I enjoy reading about it all. One event in particular has always fascinated me, the nuclear explosion at Chernobyl. For those of you who are now looking at your screen scratching your head in confusion, let me elaborate. On the 26th of April 1986 a scheduled reactor shutdown at the Chernobyl nuclear facility in the USSR went disastrously wrong, costing 31 people their lives and causing the evacuation of an entire city. To this day the city remains under quarantine because of the high levels of radiation still present.
"Wow, that is terrible!" you exclaim. And yes, it was. But when you read up about the details, you realise that it was just one mistake after another that caused the disaster. Let's dig a little deeper.

WARNING: THIS POST IS ABOUT TO GET HIGHLY TECHNICAL AND EXTREMELY INFORMATIVE

In steady state operation, a significant fraction (just over 6%) of the power from a nuclear reactor is derived not from fission but from the decay heat of its accumulated fission products. This heat continues for some time after the chain reaction is stopped (following an emergency shutdown, for example) and active cooling may be required to prevent core damage. Old reactors like those at Chernobyl use water as a coolant. Reactor 4 at Chernobyl consisted of about 1,600 individual fuel channels, each requiring a coolant flow of 28 metric tons (28,000 liters) per hour. Since cooling pumps require electricity to cool a reactor after an emergency shutdown (SCRAM), in the event of a power grid failure, Chernobyl's reactors had three backup diesel generators; these could start up in 15 seconds, but took 60–75 seconds to attain full speed and reach the 5.5‑megawatt (MW) output required to run one main pump. To solve this one-minute gap, considered an unacceptable safety risk, it had been theorised that rotational energy from the steam turbine (as it spun down under residual steam pressure) could be used to generate the required electrical power. Analysis indicated that this residual momentum and steam pressure might be sufficient to run the coolant pumps for 45 seconds, thus bridging the gap between an external power failure and the full availability of the emergency generators. Now, because this was just a theory, it had only been marginally tested, and those tests failed. So another test was scheduled.

This test focused on the switching sequences of the electrical supplies for the reactor. The test procedure was expected to begin with an automatic emergency shutdown. No detrimental effect on the safety of the reactor was expected, so the test program was not formally coordinated with either the chief designer of the reactor or the scientific manager. Instead, it was approved only by the director of the plant (and even this approval was not consistent with established procedures). Mistake number 1. Because, you know, Russia....where everything is alright with enough vodka.

The experimental procedure was intended to run as follows:
  • The reactor was to be running at a low power level, between 700 MW and 800 MW.
  • The steam-turbine generator was to be run up to full speed.
  • When these conditions were achieved, the steam supply for the turbine generator was to be closed off. Turbine generator performance was to be recorded to determine whether it could provide the bridging power for coolant pumps until the emergency diesel generators were sequenced to start and provide power to the cooling pumps automatically.
  • After the emergency generators reached normal operating speed and voltage, the turbine generator would be allowed to continue to freewheel down.
What could possibly go wrong? I mean, how hard could it be? Very, by the look of things. The conditions to run the test were established before the day shift of 25 April 1986. The day shift workers had been instructed in advance and were familiar with the established procedures. A special team of electrical engineers was present to test the new voltage regulating system. As planned, a gradual reduction in the output of the power unit was begun at 01:06 on 25 April, and the power level had reached 50% of its nominal 3200 MW thermal level by the beginning of the day shift.

At this point, another regional power station unexpectedly went offline, and the Kiev electrical grid controller requested that the further reduction of Chernobyl's output be postponed, as power was needed to satisfy the peak evening demand. The Chernobyl plant director agreed, and postponed the test. Despite this delay, preparations for the test not affecting the reactor's power were carried out, including the disabling of the emergency core cooling system or ECCS, a passive/active system of core cooling intended to provide water to the core in a loss-of-coolant accident. Given the other events that unfolded, the system would have been of limited use, but its disabling as a "routine" step of the test is an illustration of the inherent lack of attention to safety for this test. Mistake number 2.

At 23:04, the Kiev grid controller allowed the reactor shutdown to resume. This delay had some serious consequences: the day shift had long since buggered off home, the evening shift was also preparing to do the same, and the night shift would not take over until midnight, well into the test. According to plan, the test should have been finished during the day shift, and the night shift would only have had to maintain decay heat cooling systems in an otherwise shut-down plant. Because of this the night shift had very little time to prepare for the test.

Alexander Akimov was chief of the night shift, and Leonid Toptunov was the operator responsible for the reactor's operational regimen, including the movement of the control rods. Toptunov was a young engineer who had worked independently as a senior engineer for only about three months. Seems like exactly the right guy for the job!

The test plan called for a gradual decrease in power output from reactor 4 to a thermal level of 700–1000 MW. An output of 700 MW was reached at 00:05AM on 26 April. However, due to the reactor's production of a fission byproduct, xenon-135, which is a reaction-inhibiting neutron absorber, core power continued to decrease without further operator action—a process known as reactor poisoning. This continuing decrease in power occurred because in steady state operation, xenon-135 is "burned off" as fast as it is created from decaying iodine-135 by absorbing neutrons from the ongoing chain reaction to become highly stable xenon-136. However, when the reactor power was lowered, previously produced high quantities of iodine-135 decayed into the neutron-absorbing xenon-135 faster than the reduced neutron flux could burn it off. As the reactor power output dropped further, to approximately 500 MW, Toptunov mistakenly inserted the control rods too far—the exact circumstances leading to this are unknown because Akimov and Toptunov both died in the hospital on May 10 and 14, respectively. This combination of factors put the reactor into an unintended near-shutdown state, with a power output of 30 MW thermal or less. Mistake number 3.
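To see why the core kept poisoning itself after the power was lowered, here is a toy simulation of the iodine-135 / xenon-135 chain described above. It is an added illustration and not part of the original post. The half-lives, fission yields, absorption cross-section and full-power flux are assumed textbook-order values for a generic thermal reactor, not Chernobyl-specific figures, and FISSION_RATE is an arbitrary scale factor; the point is the shape of the curve (xenon rises for hours after a power cut before it falls), not the absolute numbers.

```python
"""Toy I-135 -> Xe-135 balance after a power reduction (added example).

Forward-Euler integration of the standard two-equation xenon chain:
  dI/dt  = Y_I * F - lambda_I * I
  dXe/dt = Y_Xe * F + lambda_I * I - lambda_Xe * Xe - sigma_Xe * flux * Xe
where F is the fission rate (proportional to flux).  After the flux drops,
iodine already in the core keeps decaying into xenon faster than the reduced
flux can burn it off, so the poison concentration climbs before it decays.
"""
import math

# Assumed constants: textbook order-of-magnitude values, not RBMK-specific data.
HALF_LIFE_I135_H = 6.57                                    # hours
HALF_LIFE_XE135_H = 9.14                                   # hours
LAMBDA_I = math.log(2) / (HALF_LIFE_I135_H * 3600.0)       # 1/s
LAMBDA_XE = math.log(2) / (HALF_LIFE_XE135_H * 3600.0)     # 1/s
YIELD_I = 0.064            # effective I-135 yield per fission
YIELD_XE = 0.003           # direct Xe-135 yield per fission
SIGMA_XE = 2.6e-18         # Xe-135 absorption cross-section, cm^2 (2.6e6 barn)
FULL_FLUX = 5.0e13         # assumed full-power neutron flux, n/(cm^2 s)
FISSION_RATE = 1.0         # fissions per unit flux; only scales I and Xe


def equilibrium(flux):
    """Steady-state I-135 and Xe-135 concentrations at a constant flux."""
    production = FISSION_RATE * flux
    iodine = YIELD_I * production / LAMBDA_I
    xenon = (YIELD_XE * production + LAMBDA_I * iodine) / (LAMBDA_XE + SIGMA_XE * flux)
    return iodine, xenon


def simulate_power_drop(new_fraction, hours=24.0, dt=60.0):
    """Start at full-power equilibrium, cut the flux to new_fraction * FULL_FLUX
    at t = 0 and integrate forward.  Returns (peak_ratio, peak_hour, final_ratio),
    where ratios are Xe-135 relative to its full-power equilibrium value."""
    iodine, xenon = equilibrium(FULL_FLUX)
    xe_full = xenon
    flux = new_fraction * FULL_FLUX
    production = FISSION_RATE * flux
    steps = int(hours * 3600.0 / dt)
    peak_ratio, peak_hour = 1.0, 0.0
    for step in range(1, steps + 1):
        # I-135: produced by fission, removed only by its own decay.
        d_iodine = YIELD_I * production - LAMBDA_I * iodine
        # Xe-135: produced by fission and by I-135 decay; removed by decay and
        # by neutron capture (the "burn-off" that stops when flux drops).
        d_xenon = (YIELD_XE * production + LAMBDA_I * iodine
                   - LAMBDA_XE * xenon - SIGMA_XE * flux * xenon)
        iodine += d_iodine * dt
        xenon += d_xenon * dt
        ratio = xenon / xe_full
        if ratio > peak_ratio:
            peak_ratio, peak_hour = ratio, step * dt / 3600.0
    return peak_ratio, peak_hour, xenon / xe_full


if __name__ == "__main__":
    # 200 MW out of a nominal 3200 MW thermal is roughly 6% power.
    for fraction in (1.0, 0.0625, 0.0):
        peak, hour, final = simulate_power_drop(fraction)
        print(f"flux -> {fraction:6.1%}: Xe peaks at {peak:.2f}x after "
              f"{hour:.1f} h, {final:.2f}x at 24 h")
```

Running it shows the full-power case staying flat, while both the 6% case and a complete shutdown send xenon to well over twice its equilibrium level roughly eight to ten hours later; that rising poison is what the crew was fighting by pulling ever more control rods.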

The reactor was now producing 5 percent of the minimum initial power level established as safe for the test. Control-room personnel decided to restore power by disabling the automatic system governing the control rods and manually extracting the majority of the reactor control rods to their upper limits. Several minutes elapsed between their extraction and the point that the power output began to increase and subsequently stabilize at 160–200 MW, a much smaller value than the planned 700 MW. The rapid reduction in the power during the initial shutdown, and the subsequent operation at a level of less than 200 MW led to increased poisoning of the reactor core by the accumulation of xenon-135. This restricted any further rise of reactor power, and made it necessary to extract additional control rods from the reactor core in order to counteract the poisoning.

The operation of the reactor at the low power level and high poisoning level was accompanied by unstable core temperature and coolant flow, and possibly by instability of neutron flux, which triggered alarms. The control room received repeated emergency signals regarding the levels in the steam/water separator drums, and large excursions or variations in the flow rate of feed water, as well as from relief valves opened to relieve excess steam into a turbine condenser, and from the neutron power controller. In the period between 00:35AM and 00:45AM, emergency alarm signals concerning thermal-hydraulic parameters were ignored, apparently to preserve the reactor power level. Mistake number 4.

When the power level of 200 MW was eventually achieved, preparation for the experiment continued. (This was probably mistake number 5.) As part of the test plan, extra water pumps were activated at 01:05AM on 26 April, increasing the water flow. The increased coolant flow rate through the reactor produced an increase in the inlet coolant temperature of the reactor core (the coolant no longer having sufficient time to release its heat in the turbine and cooling towers), which now more closely approached the boiling temperature of water, reducing the safety margin. Mistake number 6.

The flow exceeded the allowed limit at 01:19AM, triggering an alarm of low steam pressure in the steam separators. At the same time, the extra water flow lowered the overall core temperature and reduced the existing steam voids in the core and the steam separators. Since water weakly absorbs neutrons (and the higher density of liquid water makes it a better absorber than steam), turning on additional pumps decreased the reactor power further still. The crew responded by turning off two of the circulation pumps to reduce feedwater flow, in an effort to increase steam pressure, and also to remove more manual control rods to maintain power. Mistake number 7.

All these actions led to an extremely unstable reactor configuration. Nearly all of the control rods were removed manually, including all but 18 of the "fail-safe" manually operated rods of the minimal 28 which were intended to remain fully inserted to control the reactor even in the event of a loss of coolant, out of a total 211 control rods. While the emergency SCRAM system that would insert all control rods to shut down the reactor could still be activated manually, the automated system that could do the same had been disabled to maintain the power level, and many other automated and even passive safety features of the reactor had been bypassed. Further, the reactor coolant pumping had been reduced, leaving so little margin that any power excursion would produce boiling, thereby reducing neutron absorption by the water. The reactor was in an unstable configuration that was clearly outside the safe operating envelope established by the designers. If anything pushed it too far, it would be unable to recover automatically.

Now, at this point any wise person would realise that, maybe, just maybe, a very dangerous situation had now been created, and said wise person would have initiated steps in order to secure the situation. What did the Russians do? They declared that all was well and then went ahead with their experiment. I could carry on with the extremely technical explanation of what went wrong, but half of you have either dozed off or browsed away by now, so let's just say there was a rather large and impressive explosion. The reactor was spewing radioactive material into the night sky and causing fires all around the plant. The Russians thought "Well, we'd better put out those fires" and proceeded to do just that, without any safety gear or radiation suits. The fire brigade was also not informed about the radiation pouring from the reactor when they arrived to help. So a large number of people received MASSIVE doses of radiation which killed some within hours and some within days of exposure. To this day the Government does not allow anyone to go within 30 square kilometers of the reactor for more than a few minutes. This is to ensure that you don't come out with three heads, the ability to glow in the dark and various other superpowers.

So what can we learn from this? That lack of attention to detail and ignoring some very obvious warning signs can lead to terrible disaster. One which will have serious repercussions for years to come. Now if only someone would mention this to the South African Government.....
