Previous Page

Chernobyl is the most contaminated place on Earth. It will take thousands of years before it is habitable by humans again. It was the worst nuclear power plant accident in history, and the only instance so far of level 7 on the International Nuclear Event Scale.

The following article was copied from SA Instrumentation Control Magazine, October 1998.

The Chernobyl failure - how electrical engineers contributed to the disaster

At 01h24 in the early hours of Saturday morning on the 26 April 1986 the worst accident in the history of commercial nuclear power generation occurred. Two explosions in quick succession blew off the 1000 tonne concrete sealing cap of the Chernobyl-4 nuclear reactor. Molten core fragments showered down on the immediate area and fission products were released into the atmosphere. The accident cost probably hundreds of lives and contaminated vast areas of land in the Ukraine.

Many reasons probably contributed to the disaster. Certainly the design of the reactor was not new - around 30 years old at the time of the accident and had been conceived before the days of sophisticated computer-controlled safety systems. Because of this, the reactor's emergency-handling procedures relied heavily on the skill of the operators. This type of reactor also had a tendency to run out of control when operated at low power. For this reason the operating procedures for the reactor strictly prohibited it being operated below 20% of its maximum power. It was mainly a combination of circumstance and human error which caused the failure, however. Ironically, the events which led up to the disaster were designed to make the reactor safer. Tests, devised by a specialist team of engineers, were being carried out to evaluate whether the emergency core cooling system (ECCS) could be operated during the free-wheeling run-down of the turbine generator, should an offsite power failure occur. Although this safety device had been tested before, it had not worked satisfactorily and new tests of the modified device were to be carried out with the reactor operating at reduced power throughout the test period. The tests were scheduled for the afternoon of Friday, 25 April 1986 and the plant power reduction began at 1.00 pm. However, just after 2.00 pm, when the reactor was operating at about half its full power, the Kiev controller requested that the reactor should continue supplying the grid with electricity. In fact they were not released from the grid until 11.10 that night. The reactor was due to be shut down for its annual maintenance on the following Tuesday and the Kiev controller's request had in effect shrunk the window of opportunity available for the tests.

25 April 1986

1.00 pm. Power reduction started with the intention of achieving 25 % power for test conditions.

2.00 pm. ECCS disconnected from primary circuit. (This was part of the test plan).

2.05 pm. Kiev controller asked the unit to continue supplying grid. The ECCS was not reconnected (V). (This particular violation is not thought to have contributed materially to the disaster but it is indicative of a lax attitude on the part of the operators toward the observance of safety procedures).

11.10 pm. The unit was released from the grid and continued power reduction to achieve the 25% power level planned for the test programme.

26 April 1986

12.28 am. Operator seriously undershot the intended power setting (E). The power dipped to a dangerous 1%. (The operator had switched off the autopilot and had tried to achieve the desired level by manual control).

1.00 am. After a long struggle, the reactor power was finally stabilised at 7% well below the intended level and well into the low-power danger zone. At this point, the experiment should have been abandoned, but it was not (E). This was the most serious mistake (as opposed to violation). It meant that all subsequent activity would be conducted within the reactor's zone of maximum instability. This was apparently not appreciated by the operators.

1.03 am. All eight pumps were started (V). The safety regulations limited the maximum number of pumps in use at any one time to six. This showed a profound misunderstanding of the physics of the reactor. The consequence was that the increased water flow (and reduced steam fraction) absorbed more neutrons, causing more control rods to be withdrawn to sustain even this low level of power.

The following is a chronological account of the hours up to the disaster together with an analysis by James Reason, which was published in the Bulletin of the British Psychological Society the following year. Significant operator actions are italicised. These are of two kinds: errors (indicated by an E) and procedural violations (marked with a V).

1.19 am. The feedwater flow has increased threefold (V). The operators appear to have been attempting to cope with a falling steam-drum pressure and water level. The result of their actions, however, was to further reduce the amount of steam passing through the core, causing yet more control rods to be withdrawn. They also overrode the steam-drum automatic shutdown (V). The effect of this was to strip the reactor of one of its automatic safety systems.

"Together, they made a dangerous mixture: a group of single-minded but non-nuclear engineers directing a team of dedicated but over-confident operators. Each group probably assumed that the other knew what it was doing. And both parties had little or no understanding of the dangers they were courting, or of the system they were abusing." James Reason

1.22 am. The shift supervisor requested a printout to establish

how many control rods were actually in the core. The printout indicated only six to eight rods remaining. It was strictly forbidden to operate the reactor with fewer than 12 rods. Yet the shift supervisor decided to continue with the tests (V). This was a fatal decision: the reactor was thereafter without brakes.

1.23 am. The steam line valves to No. 8 turbine generator were closed (V). The purpose of this was to establish the conditions necessary for repeated testing, but its consequence was to disconnect the automatic safety trips. This was perhaps the most serious violation of all.

1.24 am. An attempt was made to scram the reactor by driving in the emergency shut-off rods, but they jammed within the now warped tubes.

1.24 am. Two explosions occurred in quick succession. The reactor roof was blown off and 30 fires started in the vicinity.

1.30 am. Duty firemen were called out. Other units were summoned from Pripyet and Chernobyl.

5.00 am. Exterior fires had been extinguished, but the graphite fire in the core continued for several days.

The subsequent investigation into the disaster highlighted a number of significant points which contributed to it:

The test programme was poorly worked out and the section on safety measures was inadequate. Because the ECCS was shut off during the test period, the safety of the reactor was in effect substantially reduced. The test plan was put into effect before being approved by the design group who were responsible for the reactor. The operators, although highly skilled, had probably been told that getting the test completed before the shutdown would enhance their reputation. They were proud of their ability to handle the reactor even in unusual conditions and were aware of the rapidly reducing window of opportunity within which they had to complete the test. They had also probably lost any feeling for the hazards involved in operating the reactor.

The technicians who had designed the test were electrical engineers from Moscow. Their objective was to solve a complex technical problem. In spite of having designed the test procedures they probably would not know much about the operation of the nuclear power station itself.

Printed (in SA Instrumentation & Control) by kind permission of Pitman Publishing. Extract from Operations Management (International Edition) by Slack, Chambers, Harland, Harrison & Johnston. The South African edition is available from Financial Times Management, Box 748, Auckland Park 2006, telephone (011) 726 5558.