Cause

The accident occurred during an experiment to test a way of cooling the core of the reactor in an emergency situation. The test was incorporated into a scheduled shutdown of reactor 4.

The test

An inactive nuclear reactor continues to generate a significant amount of residual heat. RBMK reactors, like those in use at Chernobyl, following an emergency shutdown will continue to emit 7 % of their thermal output and therefore must continue to be cooled. The Chernobyl reactors used water as a coolant with reactor 4 fitted with 1,600 individual fuel channels; each requiring a coolant flow of 28,000 litres per hour.

 

RBMK diagram

As the cooling pumps require electricity to cool the reactor, in the event of a power failure, Chernobyl’s reactors had three backup diesel generators; these would start up in 15 seconds, but took 60–75 seconds to attain full speed and reach the 5.5‑megawatt output required to run the main pump. To solve this one-minute gap, considered an unacceptable safety risk, it had been theorised that rotational energy from the steam turbine (as it wound down under residual steam pressure) could be used to generate the electrical power required. Analysis indicated that this residual momentum and steam pressure might be sufficient to run the coolant pumps for 45 seconds, bridging the gap between an external power failure and full power from the emergency generators.

This potential still needed to be confirmed, and previous tests had ended unsuccessfully. An initial test carried out in 1982 showed that the voltage of the turbine-generator was insufficient. The system was modified, and the test was repeated in 1984 but again proved unsuccessful. In 1985, the tests were attempted a third time but also yielded negative results. The test procedure was to be repeated again in 1986, and it was scheduled to take place during the maintenance shutdown of Reactor Four.

The test focused on the switching sequences of the electrical supplies for the reactor. The test procedure was to begin with an automatic emergency shutdown. No detrimental effect on the safety of the reactor was anticipated, so the test program was not formally coordinated with either the chief designer of the reactor or the scientific manager. Instead, it was approved only by the director of the plant (and even this approval was not consistent with established procedures).

According to the test, the thermal output of the reactor should have been no lower than 700 MW at the start of the experiment. If test conditions had been as planned, the procedure would almost certainly have been carried out safely; the eventual disaster resulted from attempts to boost the reactor output once the experiment had been started, which was inconsistent with approved procedure.

The Chernobyl power plant had been in operation for two years without the capability to ride through the first 60–75 seconds of a total loss of electric power and thus lacked an important safety feature. The station managers presumably wished to correct this at the first opportunity, which may explain why they continued the test even when serious problems arose, and why the requisite approval for the test had not been sought from the Soviet nuclear oversight regulator (even though there was a representative at the complex of 4 reactors).

The experimental procedure was intended to run as follows:

  1. The reactor was to be running at a low power level, between 700 MW and 800 MW.
  2. The steam-turbine generator was to be run up to full speed.
  3. When these conditions were achieved, the steam supply for the turbine generator was to be closed off.
  4. Turbine generator performance was to be recorded to determine whether it could provide the bridging power for coolant pumps until the emergency diesel generators were sequenced to start and provide power to the cooling pumps automatically.
  5. After the emergency generators reached normal operating speed and voltage, the turbine generator would be allowed to freewheel down.

 

The control room of reactor 3

The control room of reactor 3, not 4, pictured after closure (© BBC)

 

At 1:23:04 a.m. the experiment began

Four (of eight total) Main Circulating Pumps (MCP) were active. The steam to the turbines was shut off, and a run down of the turbine generator began. The diesel generator started and sequentially picked up loads. During this period, the power for the four MCPs was supplied by the turbine generator as it coasted down. As the momentum of the turbine generator decreased, the water flow rate decreased, leading to increased formation of steam voids (bubbles) in the core.

Because of the nature of the RBMK reactor at low reactor power levels, it was now primed to embark on a positive feedback loop, in which the formation of steam voids reduced the ability of the liquid water coolant to absorb neutrons, which in turn increased the reactor’s power output. This caused yet more water to flash into steam, giving yet a further power increase. However, during almost the entire period of the experiment the automatic control system successfully counteracted this positive feedback, continuously inserting control rods into the reactor core to limit the power rise.

At 1:23:40, as recorded by the SKALA centralised control system, an emergency shutdown of the reactor, which inadvertently triggered the explosion, was initiated. The SCRAM was started when the EPS-5 button (also known as the AZ-5 button) of the reactor emergency protection system was pressed: this fully inserted all control rods, including the manual control rods that had been withdrawn earlier. The reason why the EPS-5 button was pressed may never be known, whether it was done as an emergency measure or simply as a routine method of shutting down the reactor upon completion of the experiment.

 

Emergency shutdown switches

The six emergency shutdown switches from control room 1. The EPS-5 button (top row, center) initiated rapid emergency shutdown (© sovietologist).

 

There is a view that the SCRAM may have been ordered as a response to the unexpected rapid power increase, although there is no recorded data conclusively proving this. Some have suggested that the button was not pressed, and instead the signal was automatically produced by the emergency protection system; however, the SKALA clearly registered a manual SCRAM signal. In spite of this, the question as to when or even whether the EPS-5 button was pressed has been the subject of debate. There are assertions that the pressure was caused by the rapid power acceleration at the start, and allegations that the button was not pressed until the reactor began to self-destruct but others assert that it happened earlier and in calm conditions.

After the EPS-5 button was pressed, the insertion of control rods into the reactor core began. The control rod insertion mechanism moved the rods at 0.4 m/s, so that the rods took 18 to 20 seconds to travel the full height of the core, about 7 meters. A bigger problem was a flawed graphite-tip control rod design, which initially displaced coolant before inserting neutron-absorbing material to slow the reaction. As a result, the SCRAM actually increased the reaction rate in the lower half of the core.

A few seconds after the start of the SCRAM, a massive power spike occurred, the core overheated, and seconds later this overheating resulted in the initial explosion. Some of the fuel rods fractured, blocking the control rod columns and causing the control rods to become stuck at one-third insertion. Within three seconds the reactor output rose above 530 MW.

The subsequent course of events was not registered by instruments: it is known only as a result of mathematical simulation. Apparently, a great rise in power first caused an increase in fuel temperature and massive steam build-up, leading to a rapid increase in steam pressure. This destroyed fuel elements and ruptured the channels in which these elements were located.

Then, according to some estimations, the reactor jumped to around 30 GW thermal, ten times the normal operational output. The last reading on the control panel was 33 GW. It was not possible to reconstruct the precise sequence of the processes that led to the destruction of the reactor and the power unit building, but a steam explosion, like the explosion of a steam boiler from excess vapour pressure, appears to have been the next event. There is a general understanding that it was steam from the wrecked channels entering the reactor’s inner structure that caused the destruction of the reactor casing, tearing off and lifting the 2,000-ton metal plate, to which the entire reactor assembly is fastened. This was the first explosion that many heard. This explosion ruptured further fuel channels, and as a result the remaining coolant flashed to steam and escaped the reactor core. The total water loss in combination with a high positive void coefficient further increased the reactor power.

A second, more powerful explosion occurred about two or three seconds after the first; evidence indicates that the second explosion was from the core itself undergoing runaway criticality. The nuclear excursion dispersed the core and effectively terminated the nuclear chain reaction. However by this point, a graphite fire was burning, greatly contributing to the spread of radioactive material and the contamination of outlying areas.

There were initially several hypotheses about the nature of the second explosion. One view was, “the second explosion was caused by the hydrogen which had been produced either by the overheated steam-zirconium reaction or by the reaction of red-hot graphite with steam that produced hydrogen and carbon monoxide.” Another hypothesis was that the second explosion was a thermal explosion of the reactor as a result of the uncontrollable escape of fast neutrons caused by the complete water loss in the reactor core. A third hypothesis was that the explosion was caused by steam. According to this version, the flow of steam and the steam pressure caused all the destruction that followed the ejection from the shaft of a substantial part of the graphite and fuel.

 

Cause

There were two official explanations of the accident: the first, later acknowledged to be erroneous, was published in August 1986 and effectively placed the blame on the power plant operators. The second report published in 1992 was less critical of the operators and placed much greater emphasis on the design of the reactor itself.

The International Atomic Energy Agency (IAEA) created a group known as the International Nuclear Safety Advisory Group (INSAG), which in its report in 1986 supported the theory of operator error, based on the data provided by the Soviets and the oral statements of specialists. In this report, the catastrophic accident was caused by gross violations of operating rules and regulations. “During preparation and testing of the turbine generator under run-down conditions using the auxiliary load, personnel disconnected a series of technical protection systems and breached the most important operational safety provisions for conducting a technical exercise.”

The report said that operator error was probably due to their lack of knowledge of nuclear reactor physics and engineering, as well as the lack of experience and training. Personnel had an insufficiently detailed understanding of technical procedures involved with the nuclear reactor, and knowingly ignored regulations to speed test completion

In this analysis of the causes of the accident, deficiencies in the reactor design and in the operating regulations that made the accident possible were set aside and mentioned only casually.

In 1991 a Commission of the USSR State Committee for the Supervision of Safety in Industry and Nuclear Power reassessed the causes and circumstances of the Chernobyl accident and came to new insights and conclusions. Based on this, in 1992 the IAEA Nuclear Safety Advisory Group (INSAG) published an additional report, INSAG-7 (PDF).

According to this account, the operators’ actions in turning off the Emergency Core Cooling System, interfering with the settings on the protection equipment, and blocking the level and pressure in the separator drum did not contribute to the original cause of the accident and its magnitude, although they may have been a breach of regulations. Turning off the emergency system designed to prevent the two turbine generators from stopping was not a violation of regulations.

Human factors contributed to the conditions that led to the disaster. These included operating the reactor at a low power level – less than 700 MW – a level documented in the run-down test program, and operating with a small operational reactivity margin (ORM). The 1986 assertions of Soviet experts notwithstanding, regulations did not prohibit operating the reactor at this low power level.

However, regulations did forbid operating the reactor with a small margin of reactivity. Yet “post-accident studies have shown that the way in which the real role of the ORM is reflected in the Operating Procedures and design documentation for the RBMK-1000 is extremely contradictory,” and furthermore, “ORM was not treated as an operational safety limit, violation of which could lead to an accident.”

According to the INSAG-7 Report, the main reasons for the accident lie in the peculiarities of physics and in the construction of the reactor:

  • The reactor had a dangerously large positive void coefficient. The void coefficient is a measurement of how a reactor responds to increased steam formation in the water coolant. Most other reactor designs have a negative coefficient, i.e. the nuclear reaction rate slows when steam bubbles form in the coolant, since as the vapor phase in the reactor increases, fewer neutrons are slowed down. Faster neutrons are less likely to split uranium atoms, so the reactor produces less power (a negative feed-back). Chernobyl’s RBMK reactor, however, used solid graphite as a neutron moderator to slow down the neutrons, and the water in it, on the contrary, acts like a harmful neutron absorber. Thus, neutrons are slowed down even if steam bubbles form in the water. Furthermore, because steam absorbs neutrons much less readily than water, increasing the intensity of vaporization means that more neutrons are able to split uranium atoms, increasing the reactor’s power output. This makes the RBMK design very unstable at low power levels, and prone to suddenly increasing energy production to a dangerous level. This behaviour is counter-intuitive, and this property of the reactor was unknown to the crew.
  • A more significant flaw was in the design of the control rods that are inserted into the reactor to slow down the reaction. In the RBMK reactor design, the lower part of each control rod was made of graphite and was 1.3 meters shorter than necessary, and in the space beneath the rods were hollow channels filled with water. The upper part of the rod, the truly functional part that absorbs the neutrons and thereby halts the reaction, was made of boron carbide. With this design, when the rods are inserted into the reactor from the uppermost position, the graphite parts initially displace some water (which absorbs neutrons, as mentioned above), effectively causing fewer neutrons to be absorbed initially. Therefore for the first few seconds of control rod activation, reactor power output is increased, rather than reduced as desired. This behaviour is counter-intuitive and was not known to the reactor operators.

Other deficiencies besides these were noted in the RBMK-1000 reactor design, as were its non-compliance with accepted standards and with the requirements of nuclear reactor safety.

Both views were heavily lobbied by different groups, including the reactor’s designers, power plant personnel, and the Soviet and Ukrainian governments.

The human factor was in both reports considered as a major element of the accident. As in the previously released report INSAG-1, close attention is paid in report INSAG-7 to the inadequate (at the moment of the accident) “culture of safety” at all levels. Deficiency in the safety culture was inherent not only at the operational stage but also, and to no lesser extent, during activities at other stages in the lifetime of nuclear power plants (including design, engineering, construction, manufacture and regulation). The poor quality of operating procedures and instructions, and their conflicting characters put a heavy burden on the operating crew, including the Chief Engineer. “The accident can be said to have flowed from a deficient safety culture, not only at the Chernobyl plant, but throughout the Soviet design, operating and regulatory organizations for nuclear power that existed at that time.”

 

Looking into the reactor. Part of the lid can be seen on the left

Looking into the reactor. Part of the lid can just be seen on the left.