3e2a1b56-dafb-454d-87ad-86adea3e7b86

598
Part Four
Improvement
Source: © Vladimir Repik/Reuters/Corbis
conceived before the days of sophisticated computercontrolled
safety systems. Because of this, the reactor’s
emergency-handling procedures relied heavily on the skill
of the operators. This type of reactor also had a tendency
to run ‘out of control’ when operated at low power. For this
reason, the operating procedures for the reactor strictly prohibited
it being operated below 20 per cent of its maximum
power. It was mainly a combination of circumstance and
human error which caused the failure, however. Ironically,
the events which led up to the disaster were designed to
make the reactor safer. Tests, devised by a specialist team
of engineers, were being carried out to evaluate whether the
emergency core cooling system (ECCS) could be operated
during the ‘free-wheeling’ run-down of the turbine generator,
should an off-site power failure occur. Although this
safety device had been tested before, it had not worked
satisfactorily and new tests of the modified device were to
be carried out with the reactor operating at reduced power
throughout the test period. The tests were scheduled for
the afternoon of Friday, 25 April 1986 and the plant power
reduction began at 1.00 pm. However, just after 2.00 pm,
when the reactor was operating at about half its full power,
the Kiev controller requested that the reactor should continue
supplying the grid with electricity. In fact it was not
released from the grid until 11.10 that night. The reactor
was due to be shut down for its annual maintenance on
the following Tuesday and the Kiev controller’s request
had in effect shrunk the ‘window of opportunity’ available
for the tests.
The following is a chronological account of the hours up
to the disaster, together with an analysis by James Reason,
which was published in the Bulletin of the British Psychological
Society the following year. Significant operator actions
are italicized. These are of two kinds: errors (indicated by
an ‘E’) and procedural violations (marked with a ‘V’).
25 April 1986
1.00 pm Power reduction started with the intention of
achieving 25 per cent power for test conditions.
2.00 pm ECCS disconnected from primary circuit. (This
was part of the test plan.)
2.05 pm Kiev controller asked the unit to continue supplying
grid. The ECCS was not reconnected (V). (This particular
violation is not thought to have contributed materially to the
disaster, but it is indicative of a lax attitude on the part of
the operators toward the observance of safety procedures.)
11.10 pm The unit was released from the grid and continued
power reduction to achieve the 25 per cent power
level planned for the test programme.
26 April 1986
12.28 am Operator seriously undershot the intended power
setting (E). The power dipped to a dangerous one per cent.
(The operator had switched off the ‘auto-pilot’ and had
tried to achieve the desired level by manual control.)
1.00 am After a long struggle, the reactor power was
finally stabilized at 7 per cent – well below the intended
level and well into the low-power danger zone. At this point,
the experiment should have been abandoned, but it was
not (E). This was the most serious mistake (as opposed to
violation): it meant that all subsequent activity would be
conducted within the reactor’s zone of maximum instability.
This was apparently not appreciated by the operators.
1.03 am All eight pumps were started (V). The safety regulations
limited the maximum number of pumps in use at
any one time to six. This showed a profound misunderstanding
of the physics of the reactor. The consequence
was that the increased water flow (and reduced steam
fraction) absorbed more neutrons, causing more control
rods to be withdrawn to sustain even this low level of power.
1.19 am The feedwater flow was increased threefold (V).
The operators appear to have been attempting to cope with
a falling steam-drum pressure and water level. The result
of their actions, however, was to further reduce the amount
of steam passing through the core, causing yet more control
rods to be withdrawn. They also overrode the steamdrum
automatic shut-down (V). The effect of this was to
strip the reactor of one of its automatic safety systems.
1.22 am The shift supervisor requested printout to establish
how many control rods were actually in the core. The
printout indicated only six to eight rods remaining. It was
strictly forbidden to operate the reactor with fewer than
twelve rods. Yet the shift supervisor decided to continue
with the tests (V). This was a fatal decision: the reactor was
thereafter without ‘brakes’.
1.23 am The steam line valves to No 8 turbine generator
were closed (V). The purpose of this was to establish the
conditions necessary for repeated testing, but its consequence
was to disconnect the automatic safety trips. This
was perhaps the most serious violation of all.
1.24 am An attempt was made to ‘scram’ the reactor by
driving in the emergency shut-off rods, but they jammed
within the now-warped tubes.