Causality 22: Chernobyl

8 July, 2018


The largest nuclear incident in human history released an estimated 400 times the radioactive material compared to Hiroshima and Nagasaki. It all happened because of a test that was delayed by one shift, or was it the ultimate inevitability of a flawed reactor design?

Chain of events, cause and effect. We analyse what went right and what went wrong, as we discover that many outcomes can be predicted, planned for, and even prevented. I'm John Chidgey, and this is Causality. Causality is part of the Engineered Network. To support our shows, including this one, head over to our Patreon page and for other great shows visit today.

Chernobyl. The fourth time is not a charm.

On the 25th of April 1986, a cooling test began in Reactor 4 of a relatively new nuclear power plant called Chernobyl, near the town of Pripyat in northern Ukrainian Soviet Socialist Republic, the USSR in the Soviet Union. It would end the following day with what has become to date the most disastrous nuclear power incident in history, considered to be a Level 7 event on the international nuclear event scale. The only other event that has been classified as a Level 7 was covered in Episode 3 at Fukushima in 2011. It was an incident whose causes are hotly debated and it has been analysed by all and sundry for many many years since the event. One camp claiming that it wasn't caused by malfunctioning equipment but rather by human factors alone whilst others claim it was caused by a fundamentally flawed reactor design for which failure was inevitable at some point. Either way it wasn't caused by natural events that were inadequately prepared for, or for faulty equipment poorly serviced or monitored. But we're getting ahead of ourselves. The Soviet Union began a campaign in the 1960s of building towns to house the people that would construct and operate their power stations of the future. One of the nine so-called "Atom Towns" was the town of Pripyat, 104km or 65mi north of Kyiv. The construction of the new Chernobyl nuclear power plant began in 1970. Even after construction was well underway, debates continued through 1972 about the final design of the reactor. 
The two options considered were Pressurized Water Reactor (PWR) or Reaktor Bolshoy Moshchnosti Kanalnyy (or RBMKs for short), loosely translated meaning "High Power Channel Reactor". The RBMK design, specifically the 1,000 series, which is considered today to represent the second generation of large-scale nuclear reactor designs, was developed in Russia and was heavily favoured by nuclear scientists at the time as it was touted as having the lowest cost per MegaWatt of generated electricity. The downsides of the reactor design were instability in low power conditions and significantly higher radiation due to the fact it was a boiling water design. Ultimately the RBMK design was chosen for its cost effectiveness and the first unit was brought online in 1977, with a second following in 1978. In 1982, Unit 1 experienced a partial meltdown, however this is not directly related to what was to happen in subsequent years and therefore it's beyond the scope of this episode. The fact that details about this partial meltdown in Reactor 1, and the quantity of reactor issues that were covered up by the Soviet Union in that time period is cause for some concern. In this case, the extent of the meltdown in 1982 wasn't released to the public until 1985, long after the damage was repaired and the unit was returned to service. Unit 4, in this case, however, was brought online on the 20th of December 1983. An interesting side note was that three months prior to the incident, in the February 1986 edition of Soviet Life, Vitaly Sklyarov, the Minister of Power and Electrification of Ukraine was quoted as saying "The odds of a meltdown are one in 10,000 years. The plants have safe and reliable controls that are protected from any breakdown with three safety systems." The power plant itself had a three-shift rotation, with 8 core hours of work per shift and a 30-minute handover between the shifts. 
Night shift ran from midnight to 8 in the morning, day shift from 8 in the morning to 4 in the afternoon, and evening shift from 4 in the afternoon to midnight. Like all nuclear fission power plants, the fission reaction of fissile material, in this case U235, releases large amounts of heat, and that heat in turn converts liquid water to steam, which in turn drives a turbine, and this turbine drives a generator, which produces electricity. Beyond the usual need to condense the steam for recycling through the system, cooling water is also essential for keeping the temperature of the reactor under control, especially when the core is shut down to control decay heat generated. Decay heat has been covered in previous Episodes 3 and 17 if you want more information about that. Reactor 4 specifically had 1,600 fuel rods that required 28,000 litres per hour which is 7,400 gallons per hour of coolant flow. The cooling pumps that regulated the core temperature relied on steam created by the reactor to drive a turbine to create electricity to, in turn, drive those pumps. The backup diesel generators took 15 seconds to start once triggered, and between 60 and 75 seconds in total to start, come online and ramp up to the minimum power required to run the cooling pumps. The idea was that the residual momentum of the steam turbine could continue to generate enough electricity to cover the gap for an estimated 45 seconds in the event that the steam cut out when there was no grid power available. The test that led to the incident itself had actually been carried out previously on several occasions. The first time was 4 years earlier in a different reactor with the same design, but the engineers found the output voltage produced under momentum rotation was insufficient to drive the cooling pumps. It was attempted again 2 years after the first attempt and again a year after that, each time the test failed to achieve the desired goal. 
The fourth test was the one that led to the incident in 1986. Interestingly, the test focused more on electrical switching and electrical performance with minimal detail surrounding the reactor control. As a result, the test procedure had been heavily reviewed by the electrical engineering personnel and approved by the plant director; however, the chief scientist and chief reactor designer were not involved in the co-ordination of the test itself. It seems at first glance that after 3 failed attempts they should have accepted the end result and investigated other options perhaps like redesigning including flywheels or including a UPS system. However with financial restrictions and a strong perception that this "gap" was a significant and unaddressed safety issue in the reactor's design, they pushed ahead with the test with the hope that they could prove it could work with the equipment that they had already installed. And now about the incident itself. This test had been planned for some time and the conditions required to execute the test required a power reduction for the unit overall. Under normal operational conditions the full 3.2GW of thermal power drove 2 turbines and in order to test low power operation they first needed to drop off one turbine and at on Friday, the 25th of April, plant operators began the 12-hour process of power reduction, reaching a target of 50% at 1:05pm that same day. At that time, turbine number 2 was switched off. Around 2pm, another power plant on the electrical grid had tripped, and the Kyiv electrical grid controller advised that the power should not be dropped further at Reactor 4 until the evening peak period had passed. Hence power at Chernobyl was maintained at 50% in Reactor 4, all the way through until 11pm that evening. Despite the original test plan requiring a drop to 30% prior to shutting off the Emergency Core Cooling System (the ECCS), it was shut off anyway shortly after 2:00pm. At 4pm, the evening shift began. 
In the lead-up to the test, both day and evening shifts were run through the details of the test procedure at length, with the intention that the test be completed during the late day or early evening shifts of the Friday. However, the 10-hour delay due to an unrelated power station trip elsewhere on the grid had meant that whilst most of the preconditions for the test had been achieved, when the night shift arrived for handover, the critical execution of the test itself was handed to the night shift to perform instead. Yuri Tregub was one of the two operators from the evening shift that was intended to run the test and he opted to stay around for the night shift to assist the night shift operators with the test. The night shift consisted of minimal staffing, with less experienced operators regularly given the night shift as a right of progression through the ranks, a standard practice in many companies the world over. Following references to reactor power in MegaWatts refer to MegaWatt thermal, meaning reactor power measurement specifically not the electrical output of the generator. Between 11pm and midnight the core was reduced from 50% to 30% and further to 700 MegaWatt thermal (MWt) at 5 minutes past midnight now on Saturday the 26th of April as this was the targeted safe level for the test. The reactor power change was made significantly faster than during the previous night and day shift adjustments had been made. Reactors need to have their power levels increased and reduced gradually, otherwise instability can occur when the reactor goes out of equilibrium. So why do reactors go out of equilibrium? The Iodine-135 conversion by decay to Xenon-135 becomes a Neutron absorbing fission by-product acting similarly to a control rod. 
Under normal reactor operation, a common uranium fission by-product is Tellurium-135 which has a very brief half-life of only 19 seconds, which then beta decays into Iodine-135 with a half-life of 6.6 hours which then subsequently also beta decays into Xenon-135. Xenon-135 has a half-life of 9.2 hours, however the bigger problem is its cross-section for Neutron absorption which is measured in units called "Barns," where 1 Barn is 10^-24 cm². The probability of fission occurring relies on two characteristics relating to the Neutron, speed of the Neutron first. Under a fission event or a decay event, Neutrons are released at high speed, imaginatively called "Fast Neutrons". In order to increase the probability that the nucleus will retain an additional Neutron when it hits it, we try to slow the Neutron down first, to a so-called "Thermal Neutron". The cross-sectional area in Barns of the nucleus the Neutron is fired at means that the larger that value, the larger the target area, the more likely the Neutron will hit that target. The larger the Barns, meaning the higher the probability the nucleus will ultimately capture the Neutron as well. Since there are two Neutron speeds there are two cross sections: Thermal and Fast. Carbon in the form of Graphite is commonly used in rods to slow down fast Neutrons turning them into Thermal Neutrons and interestingly Carbon does not tend to capture Neutrons in this process. Control rods on the other hand are typically made of Boron-Cadmium or Indium as these have higher Thermal and Fast Cross-Sections and capture the Neutrons very readily. At Chernobyl the reactor used Boron-Carbide control rods and Graphite Carbon moderator rods. Boron's Thermal Cross-Section is 200 Barns and Fast Cross-Section is 0.4 Barns. Circling back to Xenon-135 which is why we're going down this discussion and why all this matters is its Thermal Cross-Section is a whopping 2M Barns and its Fast Cross-Section is 0.0008 or 1/1250th of a Barn. 
In addition, Xenon-135 captures its Neutrons like a control rod is designed to, which actually is a problem. Hence, it doesn't take very much Xenon-135 to start absorbing a lot of Neutrons and to slow your reaction rate down significantly. Under normal operation the ramp up and ramp down of the reactor power ensures that there are sufficient Neutrons in the reactor in its Neutron flux such that the Iodine and Xenon-135 balance leads to the Xenon absorbing excess Neutrons and converting it to other isotopes: an effect referred to as "burning-off" the Xenon. If the Xenon isn't being burned off at the same or a similar rate as it's being created then this leads to an effect referred to as "Reactor Poisoning". When poisoning occurs too many Neutrons are absorbed by the Xenon-135 and unlike a control rod whose position inside the reactor core can be precisely controlled (hence its name) the Xenon concentration isn't directly controllable by an operator and that's a problem. It becomes a somewhat random element impacting the reactor's controllability and thus leading to instability in the core. One more detail, the control rod insertion and removal mechanism operated at 0.4 m/sec at Chernobyl, that's about 16 in/sec, and each rod extended at maximum to the full height of the core, which was 7m. Hence it would take between 18 to 20 seconds to fully extend into or retract out of the core. Now that we've established that, back to the incident. At 12:05am, Aleksandr Akimov, the Unit Shift Chief in charge of the test, took over from Tregub, though despite being weary after back-to-back shifts, Tregub stayed to advise if needed. The reactor power dropped even further, despite the fact that the shift operator, Leonid Toptunov, hadn't moved the control rod positions. The core further dropped to approximately 500MWt by 12:28am, due to reactor poisoning. 
At this time, Toptunov transferred control of the control rod positioning from local to automatic regulation without first selecting the option to "hold power at required level." This resulted in the control rods being inserted far deeper into the reactor core than intended, dropping even further the power output to only 30MWt, effectively performing an unintended shutdown of the core. The operators and engineers involved in the control room debated whether they should continue the test or to just completely abort it at that point. Anatoly Dyatlov, the deputy chief engineer, was supervising the test, and despite Akimov and Toptunov's objections, he threatened to hand control of the reactor to Tregub from the previous shift if they did not comply and continue to push ahead with the test as planned. In order to increase the power from the reactor, the operator on shift switched to full manual control of rod positioning and removed more control rods from the core to try and accelerate the reaction. And at 12:32am local time, only 26 control rods remained in the core, noting that there are 211 in total. In preparation for the test, several of the automatic SCRAM initiator triggers had been disabled as the test conditions would have triggered a core shutdown automatically had they been left enabled, although the manual SCRAM button (labelled AZ-5) was available if it was needed. The reactor gradually responded to the removal of the control rods and appeared to stabilise at about 200MWt at 1:00am. At 1:03am, a standby cooling circulation pump was switched into the left cooling loop in accordance with the test procedure to increase water flow to the core. At 1:07am an additional cooling pump was connected to the right cooling loop in accordance with the test procedure. Since water acts as a Neutron absorber as well as a coolant, this began to affect the core which was already unstable due to poisoning. 
At 1:15am, with the reactor power now dropping once again as a result of the increased cooling water flow, 20 more rods were removed from the core, leaving only 6 control rods in place. The steam drum that separated the liquid water from the steam at 1:19am hit the emergency low level shutdown height, however the operator blocked this because this would have rendered the test invalid, effectively aborting it before the test could really begin. At 1:21am, the reactor section foreman was on the open platform above the reactor core and observed that the fuel channel blocks, each weighing 350kg or 770lbs, were jumping up and down and felt shockwaves rippling through the floor. At 1:21:50am, the pressure in the steam separator drums fell sharply and the operator attempted to manually control the water flow rate to keep the water level in the drum at an acceptable level so they could begin the test. Now believing that they had achieved this and the conditions were acceptable to begin the test, at 1:23am the instruction to manually shut the steam lines was given and at 1:23:04am the valves were all closed and the test officially began. As the flow rate into the core slowed down, the boiling rate accelerated at the bottom of the core, creating an increasing number of steam voids in the coolant. These voids reduced the Neutron absorption and drove the reactivity of the core up higher. The pressure in the pressure tubes increased and within 20 seconds of the steam shut off, temperature spiked and the reactor power increased past 530MWt. It is believed that the operator realised the reactor power was surging and at that point they initiated a manual SCRAM event and pushed the AZ-5 button at 1:23:40am. Whether this was the reason a SCRAM was initiated or not, it cannot be determined for certain. 
As the control rods were reinserted into the core, in only 4 seconds the reactor power shot up to an estimated 100 times maximum design value, rupturing several fuel channels and the 1,000T reactor support plate detached, warping the control rod mechanisms, jamming them in their position at only half inserted. The fracturing allowed steam and water to enter back into the reactor completely uncontrolled, and at 1:23:45am, only 41 seconds after the test began, the core was open to air from the outside. There is some debate about the conditions in the core at this point, given the limited instrumentation available that was still functional at that point and the inaccessibility following the explosion, however the more commonly postulated source was a Graphite fire at high temperature leading to hydrogen production and subsequent explosion. The second explosion at approximately 1:24am was significantly larger, blowing the reactor lid off completely and ejecting large quantities of fuel, moderator and control rod material as well as concrete, steel and radioactive byproducts as high as 1km (6/10th of a mile) into the air. The force of the second explosion killed the main circulating pump plant operator Valery Khodemchuk instantly, with a second dying from injuries sustained in the explosion a few hours later. Power went out through the facility with only battery backed up lighting remaining, though the large amount of radioactive dust made visibility difficult in these early morning hours. At 1:26:03am, the fire alarm was activated by Akimov. At 1:28am, 14 firemen stationed on site arrived at the Reactor 4 building and began fighting the numerous fires that had broken out in and surrounding Reactor 4. In the following 30 minutes, the operators received mixed messages about whether the reactor had been breached and tried a multitude of things to re-establish core cooling with no success. 
Aleksandr Kudryavtsev and Viktor Proskuryakov were the trainees from other shifts, sent to observe and learn from Toptunov during the test execution. They were sent by the shift lead to turn the manual control rod positioners to ensure a full core shutdown, still believing that they were operable. Upon reaching the reactor hall, with the upper biological shield in the reactor no longer containing radiation, in the 1min they observed the blue-red fire in the core of Reactor 4, their skin was darkened with a so-called "Nuclear Tan," also known as a Radiation Burn, as they absorbed a fatal dose of radiation. They returned to report the state of the reactor core to the control room, however when they arrived and told the story, they were not believed. By 2:00am a group of 100 firefighters from Pripyat converged on the largest fires on the roof of Reactor 4 and by 5:00am in the morning the majority of the fires had been extinguished. Following the explosion in the early hours a group of people from the town of Pripyat gathered on a nearby bridge to watch the fire from a distance. The flames were of many different colors reaching into the sky. However, the prevailing wind direction was blowing the fallout from the explosion directly across where they were standing in that part of town and none of the people on that bridge survived. At 6:00am Akimov was relieved by the unit chief, although he stayed on site fighting extreme nausea. By 6:35am all the fires had been extinguished by a contingent of now 186 firefighters on the scene, with the sole exception of the Graphite fire in the remains of the core of Reactor 4. At 8:00am the day shift began, including the construction crews of 286 people building Reactors 5 and 6 continued on site. No instruction was given to evacuate at that point. 
As the day went on in the town of Pripyat nearby, dozens of people became increasingly unwell, reporting severe headaches, metallic tastes in their mouths accompanied by uncontrolled fits of coughing and vomiting. Later in the evening on Saturday, the order was given to assemble transportation for a mass evacuation of Pripyat, and at midnight on Sunday the 27th of April, buses arrived in town ready for the evacuation order to be given. At 1:13am on Sunday, Reactor 1 was shut down, followed by Reactor 2 the next hour. At 7:00am Monday morning it was finally confirmed that the Graphite in the core was not only still burning but it was emitting extremely large amounts of radiation. The order was given to begin sky drops of a mixture of sand, boron and lead into the open reactor core from above via helicopters. From approximately 10:00am that morning helicopter dumps began and between the 27th of April and the 1st of May, 1,800 flights dropped over 5,000T of material into the reactor core. Following the incident it was confirmed that very little of this material ever actually reached the core because at that time the core had melted through deeper into the building structure. At 2:00pm Sunday Pripyat was evacuated with 43,000 residents leaving in a space of only 3-1/2hrs on a contingent of 1,200 buses. It was orderly and efficient, although somewhat belated. The fallout from this incident was far-reaching, with radioactive material in the upper atmosphere carried by the jet stream to the United States and Asia, though the largest concentrations of radioactive material fell over Europe. The first signs of this were detected by the Forsmark Nuclear Power Plant in Sweden at 9:30am on Monday 28 April, only two days after the incident and some 1,100km or 680mi away. An American spy satellite provided detailed evidence to the world outside of the Soviet Union on Tuesday the 29th of April that showed the scale and severity of the incident at Chernobyl. 
In the weeks following the incident a tunnel was bored from underneath Reactor 3 to under Reactor 4 and a large slab of concrete was put in position under Reactor 4 to prevent the still molten core from entering the water table beneath. A month later, despite radiation levels dropping on site, the idea of a concrete sarcophagus was proposed to contain any further releases of radiation. More about that in a moment. 31 people died as a direct result of the incident in the first 3 months alone, though the following years would be much worse. Akimov died on the 10th of May, 14 days after the incident. Toptunov died four days later, on the 14th of May, along with Aleksandr Kudryavtsev and Viktor Proskuryakov, the other trainee, dying on the 17th. Many of the operators involved couldn't provide critical details of the incident in the days following due to their medical condition after the incident. The town of Pripyat has been abandoned since the incident occurred, although interestingly tourists have more recently been allowed with controlled visits to the town. Both Caesium and Strontium radioisotopes are the primary fallout materials that are preventing rehabitation of impacted areas in the fallout zone. The half-life of Caesium-137, for example, is 30 years, hence safe habitable levels may be hundreds of years away depending upon the concentration in any given area. A forest area of about 4sqkm downwind of the plant turned reddish brown following the incident and completely died. The losses of livestock were huge across many parts of Europe, specifically looking at the United Kingdom though, it restricted the movement of sheep from upland areas when Caesium-137 fell across parts of Northern Ireland, Wales, Scotland and Northern England. Immediately following the disaster in 1986, a total of 4,225,000 sheep had their movement restricted across 9,700 farms to prevent contaminated meat from entering the human food chain, and that was just the United Kingdom. 
Longer term, 237 people suffered from acute radiation sickness and it's estimated that about 4,000 people will die prematurely in total due to cancers caused by the radioactive fallout from Chernobyl. So what went wrong? As I said before, there are two formal groups that debate the true cause of the incident – design flaw or people factors. One of them was the INSAG-1 report International Nuclear Safety Advisory Group in 1986 and their second report, INSAG-7, in 1992 followed the declassification of documents from the former Soviet Union, which argued the primary cause was human factors. The other was the IAEA, International Atomic Energy Agency's 1993 revised report that also took detail from the declassified documents and their conclusion focused on the RBMK design as the primary cause. Let's consider design flaw first. The RBMK design lacked several key features that contributed to the outcome at Chernobyl. The first, a positive steam void co-efficient. It's a measure of how a reactor responds to increasing steam formation in the cooling water surrounding the fuel rods. Reactors cooled by boiling water contain a proportion of steam in their core. Since liquid water is more efficient as a coolant and more effective at absorbing Neutrons than steam is, if there's a change in the proportion of steam bubbles or voids in the coolant, there will be a corresponding change in core reaction rate as a result. The ratio of these changes is termed the void co-efficient of reactivity. If the void co-efficient is negative, an increase in steam will lead to a decrease in reactivity. When the void co-efficient is positive, an increase in steam will lead to an increase in reactivity which will in turn lead to more heat being generated which will in turn further increase the reactivity. Hence positive void co-efficients are considered to be fundamentally bad design for nuclear reactors. 
Although it's an over-simplification to say that the void co-efficients are the main contributor to overall power co-efficients of reactivity in a nuclear reactor, in the RBMK design it is the largest contributor and it is positive. Not only that, but with the RBMK design the void co-efficient depends on the reactor configuration and its stability which is dependent on other factors such as the reactor's ORM which leads to the next issue. The minimum number of rods to satisfy the ORM was far too low. The ORM stands for the Operational Reactivity Margin and it's a set of formulae that calculate the safe number of control rods to be inserted at any given time in the reactor. If there are too few control rods below the ORM the reactivity of the core will be unstable. In the technological regulations on operation of 3rd and 4th power units of the Chernobyl Nuclear Power Plant with RBMK-1000 reactors, dated 1983, the text translates from Russian approximately as follows. "Section 6.6.4: Minimum reactivity margin in the process of power lifting after a short-term stop should make not less than 15 rods. If at extraction of CPS (Control and Protection System) rods during reactor turn up to a critical condition the reactivity margin will decrease to 15 rods and will continue to fall. To dump all rods to bottom limit switches, rods to bring into the zone of their greatest efficiency. By the curves of poison out to define an idle time." That's not necessarily the best translation however we interpret that as meaning there should be 15 rods in the core in a situation the core was in immediately prior to the incident not 6. After the incident calculations were re-done estimating with the specific conditions at 1:23:30am that the minimum equivalent number of rods for ORM was 8, which was still more than were inserted at the time. 
Clearly operators were either unfamiliar with the regulations or if they were under the duress of the test at the time they didn't recall them or they didn't appreciate the risk of ignoring them. How this is a bad design is such that operators didn't have a visual indication or a real-time calculation to estimate the ORM when they're operating the reactor. Thirdly, the reactor control and protection mechanism, the control rods themselves, were badly designed. The control rods each had a section of Graphite for 152mm (that's 6") at their furthest position. When the control rods were fully extracted as they were being inserted into the core, the first Graphite segment also displaced water in the rod channel and then the Boron-Carbide control rod material would follow after the Graphite. The rate of insertion and removal was such that when they were commanded to be inserted, the reactor had the top position of the fuel rods exposed to an unintended moderator. The Graphite displaced 150mm of absorbing water with 150mm of Graphite as a moderator, for half a second. As the rods were inserted into the core, the additional set of moderators continued to track through the core until they reached final insertion when they were taken out of play. This had the effect of slowing enough Fast Neutrons to become Thermal Neutrons, which ironically led to an acceleration of the reaction rate for a period of time before the Boron-Carbide could then absorb excess Neutrons and slow down the reaction rate as they were intended to. Hence, inserting the control rods created a "power blip" in the reactor core before the control rods began controlling as they should have. When a reactor is operating under stable operational conditions at moderate to full load, this isn't a problem, and at normal load it's barely measurable. However when the reactor is heavily poisoned and highly unstable already it was the spark that set off a rate of fission sky-rocketing out of control. 
Now let's consider the human factors. The training for the test was provided for the shifts when they were supposed to carry out the tests not the graveyard shift. Pressure to execute the tests to close a known safety design flaw at the early hours of the morning bypassed their rationale and caution. There's also the effect of "RBMKs have been operating all over Russia for a decade without incident therefore they must be safe" that serves to throw common sense out the window as well. There weren't incidents in RBMKs because of a combination of factors including: operators of the other plants followed the rules, they understood reactor poisoning and how it functioned, the government regularly covered up and kept incidents a secret (even small ones) meaning there were incidents in other RBMK reactors, it's just the other operators were never told about them. And any high risk testing at other plants, they'd been handled by more experienced operators. More experienced operators would have known to abort the test, or at least let the reactor gradually stabilise, burn off the Xenon-135 and get rid of the reactor poisoning for several hours before they began the test. Had they done that, there wouldn't have been an incident. Like Challenger, the Space Shuttle, interestingly in the same year, the clear go/no-go criteria for the test to initiate had to be set. And at Chernobyl it had been. 700MWt for the reactor with the correct ORM prescribed control rods in position. Not 200MWt and certainly not with only 6 control rods inserted. Clearly the operators didn't understand enough about the fission reaction and the reactor poisoning to appreciate why the test had been set the way it had been. They had made exceptions to the test to the go/no-go criteria on the fly without knowledge, experience or authorisation from those that should have been consulted first. 
The thing that amazes me is that it was so vital that the facility continued to generate electricity for the Soviet Union's power grid that despite the incident, the drawn-out clean-up and precautions taken, they pushed ahead anyway. Reactor 1 was restarted on the 29th of September that year. On the 10th of October, order was given to recommence construction of Reactors 5 and 6. Reactor 2 came back online on the 9th of November. At that point the sarcophagus was still under construction over Reactor 4. It wasn't even completed until the 14th of December in 1986. The design life of the initial sarcophagus structure was 30 years, and it took some 300,000T of concrete and 6,000T of steel to construct, albeit hastily. Reactor 3 came back online on the 21st of April 1987 and with this achieved, it was announced two days later, finally, Reactors 5 and 6 would no longer be completed and construction was finally stopped on them. In coming decades, Reactors 1, 2 and 3 continued to supply electricity until Reactor 3 was the last to be shut down on the 15th of December in the year 2000. Doing the math on the original sarcophagus for a moment, that design life ended in 2016. The Ukrainian government realised this was coming and the hastily built structure needed to be done properly and in 1992 launched an international competition to design and construct the NSC for New Safe Confinement Structure over the top of the entire existing sarcophagus. In 1997 the project formally began and after 2004 conceptual designs were completed. In 2007 it was awarded to Novarka: a consortium led by French construction companies. Civil works began in 2010 with construction practical completion expected in mid 2018. 
The large arch structure is designed to stop particulates from escaping the enclosed space for the next 100 years, whilst allowing enough room inside to begin safely dismantling, removing and disposing of radioactive material both from the original sarcophagus as well as the reactor itself, gradually over that 100 years. The cost of the shelter implementation plan which includes the structure's costs is $2.3B USD. It's extremely difficult to confirm with absolute accuracy, however physics models and known measurements of radioactivity comparing airburst fused nuclear detonations, it's estimated that the Chernobyl incident released some 400 times more radioactive material than the bombing of both Hiroshima and Nagasaki at the end of the Second World War. 100,000 square kilometers of land was significantly contaminated with fallout. The worst hit regions? Belarus, Ukraine and Russia. The Soviet Union claimed that they had spent $18B USD at the time in 1988 on containment and decontamination as a result of the incident. In Belarus, the total cost between 1986 and 2005 was estimated all inclusively at a staggering $235B USD in total, factoring in loss of agriculture, compensation claims, containment, evacuation and much more. Interestingly, the incident forged a much closer tie between the United States and the Soviet Union and played a key role in the dissolution of the Soviet Union in 1991, five years later. So what do we conclude from this? Personally, when I was 9 years old at the time, I vividly remember watching the television news with a radiation/radioactivity symbol showing a cloud all over Europe. I was terrified it would spread through the world and we'd all become sick and die, the sort of thing that makes an impression on a child I suppose. There's several learnings about the RBMK reactor design that have since been addressed by significant retrofitting and the remaining operational RBMKs in Russia are better for that. 
But rather than explore those things, considering there's a dwindling number of active RBMKs using this design left in operation anymore, let's focus on two other points instead. An operator display that showed the operator the currently calculated ORM based on the reactor core configuration would have provided additional information to inform their decision. Without that key stability metric clear front and center for the operator they relied on their own mental map and understanding and training of what was likely to be stable versus what wasn't. If abnormal operational steps for any plant that you're operating are planned but not essential, if they slip in time due to unforeseen circumstances, stop. Just stop. You have to reassess if it's still safe to execute the job, because time changes risk. Be aware of your biases as well, knowing that just because nothing happened yesterday, and the day before, and the day before that, doesn't mean it can't happen today. That attitude, unchecked, leads to complacency, and complacency leads to incidents. But finally the problem lies with nuclear fission as an energy source. The RBMK design allowed for larger reactor cores for less money but at the expense of their stability and overall safety. Given the Chernobyl incident and its cost to both human life, plants, animals, agriculture and the staggering amounts of money to contain the radioactive fallout, can you really justify saving some money on your reactor design? If you're going to build yourself an atomic bomb in super slow motion, otherwise known as a nuclear fission reactor, you'd better design it to be as stable as possible with as many fail-safes as possible too. Train your people properly, share when incidents and learnings occur to prevent the next incident. As of the time of recording, there are about 450 nuclear power stations operating globally, with 50 new reactors currently under construction primarily in China. 
The estimated nuclear capacity growth is about 25% between 2015 and 2040, and it's driven by a fear of Carbon as well as simple economics. None of the new reactors being built are RBMKs, so I suppose that's something. But what worries me more though is that between Three Mile Island, Chernobyl and Fukushima, people are still betting that nuclear fission electricity generation is a better option than the alternatives despite these incidents and despite the risk. And with these incidents so far showing just how bad it can be when they go wrong, is that really the right decision? Is that the right way to go? Is it really worth it? I just don't get it. If you're enjoying Causality and want to support the show, you can. Like some of our backers, Carsten Hansen and John Whitlow. They, and many others, are patrons of the show via Patreon, and you can find it at (all one word). Patron rewards include a named thank you on the website, a named thank you at the end of episodes, access to pages of raw show notes, as well as ad-free, high-quality releases of every episode. So if you'd like to contribute something, anything at all, there's lots of great rewards, and beyond that, it's all very much appreciated. Causality is part of the Engineered Network, and you can find it at, and you can find me at Mastodon @[email protected], or the network on Twitter @Engineered_Net. This was Causality. I'm John Chidgey. Thanks so much for listening.
Duration 47 minutes and 6 seconds


Episode Gold Producer: 'r'.
Episode Silver Producers: Carsten Hansen and John Whitlow.
Premium supporters have access to high-quality, early released episodes with a full back-catalogue of previous episodes.


John Chidgey

John is an Electrical, Instrumentation and Control Systems Engineer, software developer, podcaster, vocal actor and runs TechDistortion and the Engineered Network. John is a Chartered Professional Engineer in both Electrical Engineering and Information, Telecommunications and Electronics Engineering (ITEE) and a semi-regular conference speaker.

John has produced and appeared on many podcasts including Pragmatic and Causality and is available for hire for Vocal Acting or advertising. He has experience and interest in HMI Design, Alarm Management, Cyber-security and Root Cause Analysis.

You can find him on the Fediverse and on Twitter.