Failure Analysis

   Fracture Mechanics

   Failure as a Design Criterion

 Structural Failures
 ::  Unforeseen Loads & Consequences

 Human System Interaction  Failures
 ::  Flawed Decision Making
- Challenger Space Shuttle
 :: Flawed Safety culture
- Chernobyl Nuclear Power Station
 Failure of Design Management
 ::  Visionary Management Style
 ::  Inaccurate Assessment of Market Needs

On April 28 1986, the world’s worst nuclear power accident occurred at the Chernobyl power station in the Ukraine, some 80 miles north of Kiev. During a non-routine test operation the chain reaction went out of control, causing a sudden increase in temperature in the reactor, leading to shattering of fuel pellets and a subsequent reaction with the cooling water. This produced a pulse of high pressure in the fuel channels which led to their rupture. The test was a late commissioning test designed to check the ability of the cooling water pumps to maintain water flow during a state of low power operation, whilst waiting for diesel stand-by units to start. This condition simulates that of electrical power supply failure, and the pumps are fitted with flywheels which will spin them for about 2 minutes, which covers the generator set start time of about 1 minute.

Two explosions occurred (Damaged Generation Unit). One was a steam explosion; the other resulted from the expansion of fuel vapour. These lifted the reactor pile cap (a heavy steel and concrete structure), allowing air to react with the white-hot graphite moderator blocks to form CO. This gas ignited and a reactor fire resulted. Some 8 tonnes of fuel, which contained plutonium and other highly radioactive fission products were ejected from the reactor, together with part of the radioactive graphite moderator. These materials were scattered around the site and, additionally, caesium and iodine vapours were released by the explosion and during the fire. To help put out the fire, 5 000 tonnes of lead, boron, dolomite, sand and clay were dropped onto it by helicopter.

Some 30 people were killed either immediately, or as a result of radiation dosage during fire fighting efforts. High radiation levels in the surrounding 30 km radius caused the evacuation of 135 000 people. Around 200 000 workers and military personnel were involved in the clean-up operation after the accident (Truck Wash) and received high radiation doses. This number later increased to some 600 000 people who removed topsoil, washed roads etc. Perhaps 15 000 of these so-called ‘liquidators’ died during the decade following the accident – at least some of these deaths being attributable to radiation effects.

The fall-out cloud later spread over parts of the Ukraine, Belarus, Russia, Scandinavia and Europe. Increased incidence of radiation-induced genetic abnormalities and cancers is reported in the surrounding region.

The solidified remnants of the once-liquid reactor core (known as the ‘elephant’s foot’) were encased in a concrete containment structure – the ‘sarcophagus’, which allows the other units to be operated. There are continuing concerns for the integrity of this structure, as critical parts had to be built by remote control without fixings like welding and bolting. Current opinion holds that the sarcophagus is safe from a criticality viewpoint.

This accident has received international attention and, although there are still gaps in knowledge relating to details of some phenomena involved in the accident, the causes and the failure have been clearly identified and measures implemented to avoid a repetition of these events. As is often the case in major disasters, the causes relate to two areas – poor original design of the reactor and its shut-down facilities, coupled with the lack of a safety culture which led to violation of standard operating procedures.


Engineering Factors:
Understanding the engineering deficiencies in this reactor design requires some background in aspects of the RBMK nuclear reactor units. The layout of an RBMK reactor is shown in the figure, and part of the reactor core is shown in the enlargement.

It is a PWR with individual fuel channels, and uses ordinary water as its coolant and graphite as its moderator (the moderator slows down neutrons released during diffraction, which is necessary to maintain fission). It is very different from most power reactor designs as it was also intended to produce plutonium. The control rods are boron carbide and they absorb neutrons to control the rate of fission. There were 2 problems with physical aspects of the design:
  1. The control rod characteristics cause instability in the reactor (a rapid uncontrollable power surge) during low power operation (now known to correspond to a power level of less than about 700 MW), due to a phenomenon known as a positive void coefficient. In a water cooled reactor, steam may accumulate to form pockets, known as voids. If excess steam is produced, creating more voids than normal, operation of the reactor is disturbed because:
    • water is a more efficient coolant than steam
    • water acts as a moderator and neutron absorber
    A reactor is said to have a positive void coefficient if excess steam voids lead to increased power generation. Positive void coefficients can lead to rapid power increases because power increases lead to increased steam generation. Most reactors have a negative void coefficient because water is used as both moderator and coolant, and steam generation also reduces the moderation (fail safe). In the RBMK case, however, these functions are provided by different materials, and excess steam reduces cooling and reduces neutron absorption, whilst retaining moderation – hence the chain reaction is enhanced.
  2. Control rod design was inadequate. 179 of 211 control rods were inserted into the core from the top of the reactor. They were equipped with graphite ‘riders’ at the lower ends. When the control rods are in their upper position, the graphite rider lies in the fuelled region of the core, replacing water. The water would absorb neutrons, whilst graphite is almost transparent to neutrons. This situation would assist the chain reaction in the event of excess steam voids being present.

    These defects, and possible consequences, were known long before the accident, but lack of safety culture in the responsible organisations meant that no action was taken.
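
The feedback loop behind the void coefficient can be sketched as a toy simulation. This is an added example, not part of the original page: it is a qualitative two-variable model, not reactor physics, and every parameter value (`V0`, `TAU_P`, `TAU_V`, the ±0.5 coefficients) is constructed for illustration.

```python
"""Toy void-feedback loop: constructed parameters, qualitative only."""

V0 = 0.3      # assumed steady-state steam void fraction at nominal power
TAU_P = 0.5   # assumed time constant turning reactivity into power change (s)
TAU_V = 1.0   # assumed lag with which steam voids follow power (s)


def simulate(alpha_void, seconds=60.0, dt=0.01, kick=0.01, power_cap=100.0):
    """Return the normalised power trace after a small power disturbance.

    alpha_void is the reactivity added per unit of extra void fraction:
    positive models a positive void coefficient, negative a fail-safe one.
    """
    power, void = 1.0 + kick, V0          # start 1 % above nominal power
    trace = [power]
    for _ in range(round(seconds / dt)):
        # More power boils more water, so voids drift toward a higher level.
        void_target = min(1.0, max(0.0, V0 * power))
        void += (void_target - void) / TAU_V * dt
        # Extra voids shift reactivity with the sign of the coefficient.
        reactivity = alpha_void * (void - V0)
        power += reactivity / TAU_P * power * dt
        trace.append(power)
        if power >= power_cap:            # runaway: stop the run early
            break
    return trace


def summarise(alpha_void):
    """Final power, peak power and number of steps taken for one coefficient."""
    trace = simulate(alpha_void)
    return {"final": trace[-1], "peak": max(trace), "steps": len(trace) - 1}


if __name__ == "__main__":
    for label, alpha in (("negative", -0.5), ("positive", +0.5)):
        s = summarise(alpha)
        print(f"{label:8s} coefficient: final power x{s['final']:.3f} "
              f"after {s['steps']} steps")
```

With the negative coefficient the 1 % disturbance dies away and power returns to nominal; with the positive coefficient the same disturbance grows until the run is stopped at the cap.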
Human Factors:

Human factors caused the accident and also contributed to making it worse than it might have otherwise been.
  1. Non-routine operation of the reactor – this is always likely to cause problems as personnel may not be aware of the consequences of such operation (particularly as this test had been performed on previous occasions). The power plant should have been shut down during this test, i.e. the chain reaction stopped, but instructions from Moscow stated that the reactor should operate at low power levels during the test to avoid being offline for 24 hours after the test due to Xenon poisoning of the fuel rods.

    Xenon is a gas isotope produced in the fuel rods by fission. It acts as a neutron absorber and as a result, changes to another isotope spontaneously. This process gives Xenon equilibrium during operation of the reactor. If the chain reaction is stopped, however, there is an increase in Xenon concentration which then ‘poisons’ the chain reaction (due to absorption of neutrons). The Xenon gas spontaneously decays with a short half-life allowing the reactor to re-start after 24 hours.

    Thus the non-routine operation included actions like:
    • Isolation of the emergency core cooling system – had this been operational it might have reduced the impact of the accident.
    • Operation at low power levels (<< 700 MW).
    • Operation of additional core cooling pumps, which reduced the level of water in the steam separator.
  2. Because of operational requirements, the low power test was performed by the night shift, in the absence of the normal supervisory team. The night staff apparently lacked knowledge of the reactor characteristics.
  3. During the test (at 500 MW), control was transferred from the local to the automatic regulating system. In compliance with the Moscow directive, the operator reduced the power to about 30 MW. This precipitated the sequence of events leading to the crisis.
  4. Station safety procedures were violated in a number of areas during the test:
    • Withdrawing more control rods than the specified maximum number (leaving < 26 in the reactor during the test).
    • Automatic trip systems to the steam separator were deactivated.
    • Core feedwater flow rate reduced below normal for the test to stabilise the steam separator water level.
Design Failures:
  1. A design which was unsafe under ‘reasonable’ operating conditions
  2. A lack of safety culture which led to long-term acceptance of the shortcomings of this design
  3. Poor training of operating staff with respect to characteristics of the reactor and consequences of non-routine operation.
  4. Poor observance of safety regulations at the plant.