The Chernobyl nuclear power plant, located about 100km north of the city of Kiev in Ukraine, comprised four RBMK-1000 reactors in service and two under construction. Unit 4 was scheduled to be shut down for maintenance on 25 April, and a safety system test was planned to be carried out immediately before taking the unit out of service. The test involved using the residual energy of the turbogenerator as it ran down to provide electricity for the main circulating pumps to reduce the time the pumps would be without power following a postulated loss of unit electrical power. The planned test procedure involved taking the reactor to about 30% full power (so that only one of the two turbine generators would be in use), isolating the emergency coolant injection (ECI) system (to preclude spurious operation) and then tripping the turbine.
To maintain forced circulation following the completion of the test, power supplies to the pumps were arranged so that four of the eight main circulating pumps were supplied by unit service power and the other four by station service power ensuring that, following power rundown, four pumps would still remain in operation. This test had been carried out at Chernobyl the previous year, however the delivered voltage from the running down turbine fell off too rapidly, so two new voltage regulator designs had been developed and were to be tested.
At 01:00 on 25 April, power reduction from 1000MWe began. Twelve hours later, at about 50% full power, one of the unit’s two turbine generators was tripped and the ECI system was isolated in accordance with the test plan. However, grid requirements were such that the unit was requested to stay online at 50% power until about 23:00, and so operation was continued at this power level with the ECI disconnected.
At 23:10 power reduction was recommenced with the intention of bringing the power level to 20-30% full power (700-1000MWt), the level planned for the test.
26 April 1986
00:05
Reactor at 720MWt (approximately the power level planned for test). Operation of reactor below this level is very inadvisable because of instability, but not prohibited.
00:28
During transfer from local to global control, power dropped to 30MWt (neutron power zero). This was not, as originally claimed, due to operator error. (Cause not identified, but informal communications suggest equipment failure.) Attempts to bring reactor power up to the required 30% level were frustrated by the combination of the negative reactivity effects of xenon poisoning, reduced coolant void and graphite cooldown.
00:36
Because of difficulties in controlling steam drum level, one of the steam drum level trips was disabled; however the low power steam drum level trip provided adequate protection for this power level.
00:43
Trip on loss of both turbogenerators disabled in order that the test might be repeated as planned. Originally considered the final, fatal error, but in fact the only likely effect of disabling the trip was to delay the onset of the accident by 39 seconds. (This action was originally, and incorrectly, reported as occurring at 01:23:04.)
01:03
Reactor power raised to 200MWt and stabilised. Efforts to return to planned power level were frustrated by combination of xenon poisoning, reduced coolant void and graphite cooldown. No 7 main coolant pump turned on.
01:07
No 8 main coolant pump turned on. Operation with all eight pumps was not forbidden by operating procedures, however the flow rates produced were above the permissible limit. Steam void decreased, requiring further absorber withdrawal.
At 01:03 and 01:07 the two standby main circulation pumps were switched on, as required by the test procedure. However, because of the low hydraulic resistance of the main cooling circuit at this low power level, the total coolant flowrate rose above the limit specified in operating regulations. In addition, steam void in the core fell, decreasing reactivity and requiring further absorber rod removal. At this point the reactor was in an extremely unstable condition, with the coolant channels filled with water at close to saturation temperature so that small changes in temperature or pressure could produce positive reactivity gain through steam void formation rather quickly. The reactivity effects of steam void formation would be considerably enhanced since most of the absorbers were out of the core (the relative reactivity ‘worth’ of the water in the channels was considerably magnified).
01:22:30
Calculations based on the data record from Chernobyl suggest that the operating reactivity margin (ORM, explained later) at this point was eight rods. The operators would not have known this because of the time required (10-15 minutes) for the SKALA computer to calculate the ORM.
01:23:04
Turbine stop valves closed. Four pumps begin to run down. (The other four pumps were connected to station power.)
01:23:40
Trip button (EPS-5) pressed by the reactor operator on the instructions of the foreman.
01:23:43
Power excursion rate emergency signals on. Power > 530MWt.
01:24
Note in operating log: “Severe shocks; the RCPS [reactor control and protection system] rods stopped moving before they reached the lower limit stop switches; power switch of clutch mechanisms is off.”
The actual initiating mechanism for the Chernobyl power runaway is still a matter for some debate. One view is that the decreasing flowrate as the pumps ran down, together with the entry to the core of slightly warmer feedwater, was enough to initiate boiling at the bottom of the core, with void formation spreading rapidly up the channels, giving rise to a very large reactivity insertion, augmented by xenon ‘burn-out’. A second view is that when the reactor tripped, the ‘positive scram effect’ in the lower portion of the core was sufficient to set in train the destructive reactivity transient. In either event, the results would be the same.
Power passed the 530MWe level (the high power trip setpoint) within three seconds and rose rapidly to a level estimated to be between 140 and 400 times full power. The fuel disintegrated and about 30% is estimated to have been blown into the space immediately below the core. This was the principal shutdown mechanism. The interaction of the very hot fuel particles with water produced large quantities of steam very rapidly, and this ruptured the reactor vessel and lifted the 2000t upper reactor shielding slab and rotated it about 90º. This ruptured all the piping in the reactor system, prevented any further absorber rod insertion and demolished the structures immediately above the reactor. One member of the operating crew was killed at that time and a second received injuries from which he died a few hours later.
Two distinct explosions were heard, the first being the initial ‘steam explosion’ and the second most probably an explosion of hydrogen evolved in the course of zirconium-steam reactions. Fuel, moderator material and probably some reactor structural materials were ejected and some, landing on the roofs of adjacent structures, started a number of fires.
Heroic efforts by the fire brigade quickly extinguished the fires started by ejected reactor material (all fires were extinguished by 05:00). The fire in the region of the graphite moderator was dealt with by dropping a total of 5000t of material from helicopters to smother the fire and reduce radioactive emissions. The material included boron carbide, to ensure the damaged reactor remained subcritical, dolomite to provide an inert gas environment (dolomite releases CO2 when heated), clay and sand to act as filtering media and lead to absorb heat and provide gamma shielding. The fire was successfully smothered and radioactive emissions were significantly reduced. Fuel temperature was controlled through injection of nitrogen into the space below the core. As a precautionary measure the bubbler pools beneath the reactor were drained and a concrete slab (with cooling provisions) was poured, providing a further barrier to downward migration of fuel or other radioactive debris. The whole reactor has since been enclosed in a concrete vault.
It would be remiss not to acknowledge the gallantry and self-sacrifice of all those involved in the stabilisation of the wrecked unit 4 at Chernobyl. The total impact of the Chernobyl accident – in human and material terms – was devastating. In addition to the two initial deaths, 29 people died as an immediate consequence of the accident: one from coronary thrombosis and 28 from acute radiation poisoning. Nineteen more persons died in 1987–2004 of various causes, plus nine children from thyroid cancer.
RBMK DESCRIPTION
The RBMK reactor is a vertically oriented, graphite moderated, direct cycle (boiling water) pressure tube reactor. The reactor essentially comprises a 12m diameter by 7m high cylinder built up of graphite blocks, threaded by almost 1700 vertical zirconium alloy (Zr/2.5 wt % Nb) pressure tubes which contain the reactor fuel and the various control and shut-off rods. The reactor fuel is zirconium alloy clad uranium oxide enriched to 2.0% U-235.
The heat transport system comprises two cooling loops, each with four main circulating pumps (three running and one on standby) and two steam drums. The discharge from the pumps goes to a large (900mm diameter) header which feeds a series of 300mm diameter distribution headers which serve groups of feeder pipes. As the coolant flows up the fuel channels it boils and the steam-water mixture, with an average quality of 14% (maximum 22%), is fed to the steam drum, thence to the two 500MWe turbines. Coolant flow through the core is matched to power levels by large throttling valves on the main coolant pump discharges. In addition, at the point of each feeder connection to a distribution header, there is an individual control valve which is used to regulate the flow through the individual channels to maximise the margin to fuel dryout under a variety of operating conditions while keeping the channel power as high as possible.
The reactor core is contained in a steel vessel which is filled with a mixture of helium and nitrogen to maintain an inert atmosphere for the hot graphite (about 600ºC) and promote heat transfer. An arrangement of graphite rings on the pressure tubes ensures good thermal contact between the tubes and the moderator to provide a heat transfer path from the graphite through the pressure tubes to the coolant.
The reactor and most of the coolant circuit is contained within a number of thick-walled leaktight enclosures which are linked to two pressure suppression pools (‘bubbler ponds’), however the upper sections of the fuel channels and the steam drums are not so enclosed. The top of the reactor is covered with a 3m thick steel and concrete shielding slab through which the fuel channels pass. Fuelling is on-load, using a single fuelling machine above the reactor. This machine also serves the adjacent unit.
RBMK characteristics
A reactor cooled by boiling water contains a certain amount of steam in the core. The proportion of the coolant volume made up by steam bubbles (‘voids’) is called the ‘void fraction’. A change in void fraction will change core reactivity and the ratio of these changes is termed the void coefficient of reactivity. This can be positive or negative, depending on reactor design – a positive void coefficient implies a positive reactivity feedback mechanism, as an increase in void fraction causes increased reactivity, hence increased fuel temperature and a further increase in void fraction.
The void coefficient of reactivity is the dominant component of the power coefficient of reactivity of RBMK reactors, reflecting a high degree of dependence of reactivity on the steam content of the core. The void coefficient of the RBMK core depends on the composition of the core (number of control rods inserted, number of additional fixed absorbers installed, fuel enrichment level and burnup), and with all new fuel and fixed absorbers installed the coefficient is negative.
In the initial core loading of RBMK reactors with 2% enriched fuel, fixed absorbers, separate from the reactor control and protection system, were installed in a number of fuel channels. As the fuel burned out, the designers allowed these absorbers to be removed and the fuel irradiation to increase. This shifted the void coefficient significantly in the positive direction and made it crucially sensitive to the extent of insertion of the control and protection rods. In an RBMK reactor with an ‘equilibrium’ fuel loading, the magnitude of the positive void effect is sufficient to make the reactor dangerously unstable at powers of 30% full power or lower. At the time of the Chernobyl 4 accident, the reactor’s fuel burnup, control rod configuration and power level combined to place the reactor in an extremely unstable state with a void coefficient so large that it overwhelmed all other influences on the power coefficient.
The RBMK reactor is provided with two systems for controlling power: the physical power density distribution control system (PPDDCS), using in-core detectors; and the reactor control system (RCS) using both in- and out-of-core detectors. The two systems are designed to supplement each other. The PPDDCS controls relative and absolute power distributions and total reactor power over the range 5-120% full power. The RCS incorporates the local automatic control and local automatic protection systems, however this pair of systems only operates at power levels of 10% full power or higher. Control at lower power levels relies solely on out-of-core detectors, therefore at 10% full power or less no in-core instrumentation is available to the operators. The out-of-core detectors cannot indicate neutron flux distribution in the core nor, since they are located at the core mid-plane, can they indicate the average axial distribution of the flux.
In a reactor the size of the RBMK, the chain reaction in one part of the core is only very loosely coupled with that in other, distant, regions. This leads to a requirement to control the spatial power distribution almost as if there are several independent reactors within the core volume. In extreme conditions this situation can be highly unstable because small spatial redistributions of reactivity can cause large spatial redistributions of the power. At Chernobyl 4, just before the accident with the reactor at about 7% full power, the chain reactions in the upper and lower halves of the core were proceeding almost independently, a situation that was exacerbated by heavy xenon poisoning in the intervening central region.
Control rod design
Reactor control is achieved by means of 211 boron carbide absorber rods of which 24 are designated ‘safety’ or ‘emergency protection’ (that is, usually fully outside the core to provide reactivity depth on shutdown), 12 ‘local automatic control/emergency protection’ and 24 ‘automatic control’. There are 139 ‘manual control’ rods. These rods are manipulated by the operators in response to changing reactor conditions to keep the automatically controlled rods within their range of travel.
The rods move in water-filled channels, and the effect of the water is to limit the maximum rate of insertion of the absorber rods to 400mm/s – implying an insertion time of 15-18 seconds for a rod moving from the fully withdrawn position. With the exception of 24 flux-shaping rods inserted from the bottom of the reactor, all absorber rods are fitted with graphite ‘followers’, that is lengths of graphite to displace the water in the channel as the absorber rod is withdrawn, and augment the rod’s reactivity worth as it is inserted. However these followers are not only shorter than the full core height but are also separated from the control rods by a distance of 1.25m (in other words, each graphite follower hangs 1.25m below its absorber rod). When an absorber is fully withdrawn from the core there remain, above and below the follower, water-filled sections 1.25m in length. This means that as the rod is inserted from its fully withdrawn position, the initial negative reactivity insertion at the top of the core is minimised (absorber replacing water) and a positive reactivity insertion occurs at the bottom of the core (water displaced by graphite). The magnitude of this effect depends upon the spatial distribution of the power density and the operating regime of the reactor. This ‘positive scram’ effect was discovered experimentally in 1983 during startup of Ignalina 1 in Lithuania and Chernobyl 4. As is discussed later, the relevant commissioning teams proposed measures to eliminate these effects (including design changes to the absorber rods) but these were not implemented, nor were these undesirable features communicated to the operating community.
Operating reactivity margin
An important concept in control of the RBMK reactor is that of the ‘operating reactivity margin’ (ORM), expressed in terms of the number of ‘equivalent’ control rods of nominal worth remaining within the core. The ORM is essentially the extra reactivity that would arise if all control and safety rods were withdrawn expressed as the multiple of the total reactivity controlled by a standard rod. At Chernobyl, the operating procedures did not permit reactor operation with an ORM of less than 26 rod equivalents without authorisation by the plant’s chief engineer. Furthermore, the same procedures absolutely required a reactor shutdown should the ORM fall to 15 or less rod equivalents. The significance of the ORM as presented to the operators centred on the need to keep a number of control elements in the core adequate for manoeuvring to keep the power distribution balanced throughout, especially in the light of the tendency for xenon instability in such a large and loosely coupled core. In fact, the RBMK reactivity characteristics are such that maintenance of a minimum number of absorbers partially inserted into the core is absolutely necessary to provide protection against power transients; rods that are completely outside the core will contribute little negative reactivity until they have crossed the core boundary area. As has been mentioned earlier, not only did the absorber rods in RBMK units move relatively slowly, but also their design was such that as they entered the core not only would the negative reactivity insertion be very small (rod displacing water at the core boundary), but there would be a positive reactivity insertion at the bottom of the core (water displaced by graphite). For this reason, failure to maintain adequate ORM could fatally impair the effectiveness of the shutdown system. 
Additionally, control rod configuration has a powerful influence on the void and power coefficients in the RBMK design; failure to maintain adequate ORM can have an extreme effect on the void and power coefficients.
The RBMK operational procedures simply treated the ORM as a way of controlling the power density field and not as an operational safety limit, violation of which could lead to an accident. The magnitude of the ORM was not conveniently available to the operator, nor was it incorporated into the reactor’s protection system. The computer and instrumentation used to determine the ORM were located approximately 50m from the control console. The data acquisition system received information from about 4000 data input points and required 10-15 minutes to cycle through all measurements and calculate the ORM. The system was designed to provide guidance to the operator on steady state control of the power density distribution and was used for this purpose in conjunction with the system for monitoring the spatial power distribution.
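The control rod geometry described under ‘Control rod design’ and the ORM argument above, worked through as an added toy model (my own illustration, not the article’s figures or any RBMK design code). It takes the 7m core, 400mm/s rod speed and 1.25m follower gap from the text; the flux-squared worth weighting, the per-material weights and the axial flux shapes are assumptions, so the numbers are only qualitative.

```python
"""Toy one-dimensional model of the RBMK 'positive scram' effect and of why a
minimum number of partially inserted rods (the ORM) matters.

Assumed (not from the article): slice worth proportional to flux squared, with
per-material weights relative to water, and an absorber column one core
height long.  Geometry from the article: 7 m core, 400 mm/s insertion rate,
graphite follower hanging 1.25 m below the absorber, 1.25 m water columns
above and below the follower when the rod is fully withdrawn.
"""
import math

H = 7.0                  # core height (m)
GAP = 1.25               # water gap between absorber bottom and follower top (m)
FOLLOWER = H - 2 * GAP   # follower length: 4.5 m when fully withdrawn
ROD_SPEED = 0.4          # m/s, insertion rate limited by water in the channel
N_SLICES = 700           # 1 cm axial resolution

# Illustrative relative worths per metre, water = 0 (assumed values).
W_ABSORBER = -1.0        # boron carbide replacing water: strongly negative
W_GRAPHITE = 0.3         # graphite replacing water: positive (water absorbs)
WEIGHTS = {"water": 0.0, "graphite": W_GRAPHITE, "absorber": W_ABSORBER}


def channel_material(z, d):
    """Material at height z (0 = core bottom) when the absorber tip has been
    driven a distance d below the top of the core."""
    abs_bottom = H - d
    if z >= abs_bottom:
        return "absorber"
    if z >= abs_bottom - GAP:
        return "water"                     # the fixed 1.25 m gap
    if z >= abs_bottom - GAP - FOLLOWER:
        return "graphite"                  # the follower
    return "water"                         # water column below the follower


def flux(z, skew):
    """Axial flux shape: a sine with a linear tilt; skew > 0 peaks the lower
    half, skew < 0 the upper half, 0 is symmetric."""
    return math.sin(math.pi * z / H) * (1.0 + skew * (1.0 - 2.0 * z / H))


def channel_reactivity(d, skew):
    """Flux-squared weighted worth of the channel contents at insertion d."""
    dz = H / N_SLICES
    total = 0.0
    for i in range(N_SLICES):
        z = (i + 0.5) * dz
        total += WEIGHTS[channel_material(z, d)] * flux(z, skew) ** 2 * dz
    return total


def scram_curve(skew, d_start=0.0, step=0.05):
    """(time since trip, net reactivity change) as the rod drives from
    d_start to full insertion at ROD_SPEED."""
    base = channel_reactivity(d_start, skew)
    steps = int(round((H - d_start) / step))
    curve = []
    for i in range(steps + 1):
        d = d_start + i * step
        curve.append(((d - d_start) / ROD_SPEED, channel_reactivity(d, skew) - base))
    return curve


def peak_positive_insertion(skew, d_start=0.0):
    """Largest net reactivity seen during the scram and the time it occurs.
    A positive value is the 'positive scram' effect."""
    t, r = max(scram_curve(skew, d_start), key=lambda p: p[1])
    return r, t


if __name__ == "__main__":
    for label, skew in (("symmetric", 0.0), ("bottom-peaked", 0.5), ("top-peaked", -0.5)):
        r, t = peak_positive_insertion(skew)
        print(f"{label:14s} rod fully withdrawn: peak {r:+.4f} at t={t:.1f}s")
    # Rod already 1.5 m into the core (ORM kept): follower bottom is already
    # out of the core, so no positive term remains.
    r, t = peak_positive_insertion(0.5, d_start=1.5)
    print(f"bottom-peaked, rod 1.5 m inserted: peak {r:+.4f}")
```

With a bottom-peaked flux the rod driven from fully withdrawn adds reactivity first, because the graphite displaces water at the bottom while the absorber enters where the flux is near zero; the same rod started from 1.5m inserted subtracts reactivity from the first centimetre.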
THE BLAME GAME
When details of the Chernobyl accident were originally presented to the IAEA in 1986, the USSR report laid the blame for the accident squarely on the shoulders of the operators, arguing that the accident was the result of an improbable combination of procedural violations by the operating crew. The operators, it was argued, had totally disregarded a number of vital operational principles and violated numerous operational procedures in their efforts to complete the test as planned. This account was accepted at the post-accident review meeting in Vienna, and formed the basis for the IAEA account in INSAG-1.
Subsequently, the release in 1991 of the root cause report by the State Committee on the Supervision of Safety in Industry and Nuclear Power, (SCSSINP), together with other informal publications by Anatoly Dyatlov (former deputy engineer for operations at Chernobyl), Zhores Medvedev (a former Soviet scientist and author of The Legacy of Chernobyl) and Valery Legasov (the former director of the Kurchatov Institute and head of the Soviet delegation to the IAEA post-accident meeting) showed that this was very far from the truth. It is certainly true to say that the operators placed their reactor in a dangerously unstable condition (in fact in a condition which, in the view of Soviet experts, guaranteed an accident) but it is certainly untrue that in doing so they violated a number of vital operating policies and principles. No such policies and principles had been articulated. Additionally, the operating organisations had not been made aware specifically of the vital safety significance of the ORM, or more generally of the characteristics of the RBMK which made low power operation hazardous.
The SCSSINP drew the following general conclusions.
The design of Chernobyl 4 included major violations of the safety standards and regulations in force at the time that the technical design of the second stage of the Chernobyl plant (comprising units 3 and 4) was approved and authorised. The designers did not identify, analyse, verify and approve these violations [exceptions] in the proper way. No technical and organisational measures were developed to compensate for the violations of the safety standards and regulations.
The regulations General Safety Provisions GSP-73 and Nuclear Safety Rules NSR-04-74 came into force more than ten years before the accident, during which time Chernobyl 4 was designed, constructed and put into operation. During all that time, neither the chief design engineer, nor the general designer, nor the scientific manager took effective measures to bring the design of the RBMK-1000 reactor into line with the safety standards and regulations.
The USSR Ministry of Intermediate Sized Machinery, the USSR Ministry of Power and the Soviet regulatory authorities were just as lax in bringing plants with the RBMK-1000 reactor into line with the safety standards and regulations.
The commission noted that the design was also not brought into line with GSP-82, which entered into force in 1982.
Specific violations of the established safety standards included:
- The strong positive void coefficient and the design of the emergency protection system – these design characteristics violated the requirements of Article 3.2.2 of NSR-04-74 and Article 2.2.3 of GSP-73.
- No emergency or warning signals were provided for some of the most important reactor parameters, “violations of which on 26 April 1986 were considered by the reactor designers to have played a critical role in the initiation and development of the accident.” This was a “clear violation” of Article 3.1.8. of NSR-04-74.
- “Miscalculations by the reactor designers in determining the reactivity effects which needed to be taken into account in the design of the reactor control and protection system meant that the requirements of Article 3.3.5 of NSR-04-74 were inevitably violated.”
- The design of the RBMK emergency protection system would not “quickly and reliably terminate the chain reaction” when certain reactor parameters reached dangerous levels (Article 3.3.26) and would not provide a sufficiently rapid rate of power reduction under any emergency operating conditions (Article 3.3.28).
The state committee argued that the reactor designers “analysed the operating algorithm of the emergency protection system in terms of the efficiency of the plant’s operation in the power supply system, rather than in terms of its ability to ensure nuclear safety, which is the proper function of an emergency protection system.” Their report noted that the operators were misled about the importance of the ORM. The operating procedures did not emphasise the vital importance of the ORM in assuring the efficacy of the reactor protection system – had they done so it would have been tacit admission of the fact that the RBMK design violated fundamental design principles. “In the commission’s opinion, the main point is that having realised the full extent of the danger of reducing the ORM in terms of the ability of the EPS [emergency protection system] to perform its functions, the designers did not inform the operating personnel accordingly of this fact.”
On the subject of the shutdown system, the report was equally trenchant. It pointed out that the fact that insertion of fully withdrawn absorber rods would initially introduce positive reactivity into the lower portion of the core was discovered experimentally in 1983 during the startup of Ignalina 1 and Chernobyl 4. At that time the scientific manager drew attention to the “extremely dangerous nature” of this effect, and specific proposals were made to counter it. These included redesign of the control rods to eliminate the water column beneath the graphite displacers and changes to the operating rules to limit the number of rods that could be completely withdrawn from the core. The Scientific Research and Design Institute for Power Technology also proposed modifications (including increasing the number of short absorber rods). Neither set of proposals was implemented.
In an article in NEI (November 1991, p43), Dyatlov noted wryly: “The creators of the reactor were rather reticent about this characteristic [the positive reactivity effect]. If they had revealed it, of course, operators would have been rather difficult to find.” He subsequently dismissed the reactor’s emergency protection system as “beneath contempt,” a characterisation with which it would be difficult to argue.
The SCSSINP report is an admirably candid document, unusually so in an industry which, worldwide, tends to be rather modest in exposing its less successful moments to public view. Equally admirably, the report does identify specific points in the USSR industry where crucial actions (or inactions) occurred.
No reasonable person would dispute the proposition that the operators at Chernobyl (and at all other RBMK installations) were particularly ill-served by their industry. However there has remained in many of the commentaries on Chernobyl (most notably in INSAG-7) a significant emphasis on ‘operator errors’ of omission and commission. It is argued that the operators’ approach to the safety system test that destroyed the reactor was characterised by a willingness to alter the test procedure on an ad hoc basis and what seemed to be an over-readiness to disable reactor protective systems. It is noted that when the reactor power could not be restored to the intended level of 700MWt, the operating staff did not stop and think, but on the spot modified the test conditions to match their view of the prevailing conditions at that moment, and that the whole sequence of events, from the initial reduction from full power, was informed by a determination by the operating crew to complete the test no matter what. All this may be true, but it is neither fair to the operators, nor particularly useful in understanding the causes of the accident. Operator actions at Chernobyl must be seen in the context of the broader culture that appears to have informed the whole nuclear enterprise in the Soviet Union, a culture which accorded electricity production the top priority. The operators’ observed readiness to alter test procedures and disable safety systems would seem most likely to be an inevitable result of their environment rather than a cause.
It is also worthy of note that a shift change took place at midnight so the crucial sequence of operations leading up to the accident were undertaken by a fresh crew – not the crew that had originally been assigned to conduct the test. To what extent this was a significant contributory factor must remain a matter for debate, but it cannot have helped matters.
It is probably true that no reactor design can survive a really determined effort by its operators to destroy it. But it is also true that reactor designers must ensure not only that the design is as resilient to operator error as is reasonably practical, but that operating principles to accommodate design vulnerabilities are comprehensively articulated and unambiguously communicated, as are the consequences of violating those operating principles. Dyatlov made the perceptive observation:
Whether there were operating blunders or not, it is clear to everyone that reactors capable of causing such violent explosions must never be allowed to go into operation. However good or bad the operators, there were, and there will be, blunders. But the possibility of errors leading to such serious consequences must be ruled out by the design features of the reactor and plant equipment.
In his article, Dyatlov identified another important feature of the Soviet nuclear power programme – the almost inconceivable disconnects between the original designers of the RBMK, the lead design organisation and the operating organisation. He quoted the RBMK chief designer, N A Dollezhal’s warning about the effect of the strong positive void effect on reactor stability: “During operation… this influence is regulated by the insertion of special absorbers into the channels, as strictly specified in the operating instructions.” Dyatlov then noted:
The RBMK reactor in 1986 was exactly such: enrichment 2%, no special absorbers in the core. But there were no relevant provisions in the operational instructions and nor were such operational provisions ever likely to appear since there were no references to the phenomenon in the standard reactor design documentation.
The late Valery Legasov provided more evidence of these disconnects, and a possible reason for their development, from the perspective of a designer:
Because this was a new field of science – nuclear physics, neutron physics – the concept of scientific leadership amounted to designers being given the basic principles for building the apparatus. The scientific leader was responsible for these principles being physically correct and physically safe. The designer put these principles into practice by constantly consulting with physicists to establish whether the laws of physics concerning the building of this apparatus were being broken… But when the design organisations grew up and developed their own computing and physics departments, the existence of this dual power system for one apparatus (in fact it was a triple power system because there were numerous councils, departmental and interdepartmental) created a situation of collective responsibility for the quality of work.
Legasov described a situation where those with the liveliest understanding of the RBMK reactor’s vulnerabilities were furthest removed from the actual, operating, installation. Combining this with a diffusion and dilution of responsibility (‘collective responsibility’), it is possible to see how such a lamentable state of affairs as that described by the state committee could come about.
To ensure that basic design rules are followed requires an effective regulatory function armed with adequate enforcement powers. To maintain safety in the face of the inevitable pressures to meet production goals requires a dedicated operating organisation and a strong and independent safety review function, properly resourced, and with the authority to take prompt action when necessary. Neither of these functions appeared to exist in the USSR at the time of the accident. The very perceptive comment in the SCSSINP report that the “operating algorithm of the emergency protection system” was analysed “in terms of the efficiency of the plant’s operation in the power supply system, rather than in terms of its ability to ensure nuclear safety” could be extended to cover all the safety assessment activities in the Soviet nuclear programme.
INSTITUTIONAL FAILURES
Perhaps the two most egregious of the management or ‘institutional’ failures in the Chernobyl case are the failure to communicate RBMK control vulnerabilities to operating staff and the failure to address in any practical sense the issue of positive reactivity addition from the shut-off system over the three-year period between the discovery of the phenomenon and the Chernobyl accident.
Such failures are far more common than one would hope. In fact the literature of high consequence accidents is replete with examples of organisations failing to acknowledge, or to respond in a timely manner to, clear safety challenges. From the Chernobyl period two dramatic examples come to mind: the explosion of the external fuel tank of the space shuttle orbiter Challenger (January 1986); and the loss of the British cross-channel ferry Herald of Free Enterprise (March 1987).
Challenger was destroyed on 28 January 1986 by the explosion of its external fuel tank initiated by a leak of combustion gases past the ‘O’ ring seal of the aft field joint on the starboard solid rocket motor. Erosion of this crucial seal was first experienced on the second shuttle flight in November 1981. A further ten cases of blow-by or erosion occurred in the course of the next 22 shuttle flights. The ‘O’ ring seal was classified as a non-redundant component, failure of which would result in the loss of the shuttle. Despite this, no constraint was applied to shuttle launches, and the documented concerns of technical staff at the solid rocket booster manufacturer were ignored.
A total of 188 passengers and crew died when the Townsend Thoresen car ferry Herald of Free Enterprise capsized on 6 March 1987 as a result of flooding through the bow loading doors that had been left open. The wreck commissioner’s report documented numerous instances of Townsend-owned vessels putting to sea with the loading doors open, and noted that ships’ masters had drawn management’s attention to the hazard in writing and, also in writing, proposed the installation of indicator lights to show loading door status on the bridge. Senior company managers were well aware of the possibility that one of their ships would sail with her loading doors open, and were equally well aware of a sensible and simple device (indicator lights) proposed by responsible masters in 1985. No action was taken.
The reasons for inaction in these two cases were different. In the case of the shuttle, a very strong production imperative (keeping to the launch schedule) was combined with a lack of clear understanding of the technical safety envelope (a mistaken belief that the ‘O’ ring seal was a redundant system, and an inflated idea of shuttle reliability). In the case of the Herald it was a complete lack of any sense of responsibility on the part of the board of directors for the safe management of their vessels.
In the case of Chernobyl it is clear that the production imperative was a major influence, and it is reasonable to infer that there also existed a lack of understanding of the technical safety envelope, significantly fostered by the failure to communicate design vulnerabilities. In addition, it could be that there existed an inflated idea of the safety and reliability of the RBMK reactor at the operational level, perhaps attributable to an encouraging performance history.
But whatever the varying rationales, all three events have this in common: ‘human errors’ were made by senior people in all three organisations. These errors served to set the stage for the accidents that were to follow.
Author Info:
Based on an extract from the 2nd edition of Reactor Accidents by David Mosey, published by Nuclear Engineering International.