uranium-235 nucleus uranium-236 (unstable) splits into 2 lighter atoms, heat, 2 or 3 free neutrons, and gamma radiation
1. How does a nuclear reactor work?
2. Explain the differences between nuclear reactor types.
3. What happened at Three Mile Island and Chernobyl?
4. What roles did human factors and design play in each incident?
• induced _______: free neutron uranium-235 nucleus uranium-236 (unstable) splits into 2 lighter atoms, heat, 2 or 3 free neutrons, and gamma radiation
• _________: slows down neutrons to increase likelihood of further fission
• _______: removes heat energy; maintains fuel temperature
• _______ rods: regulate fission by absorbing neutrons
|
|
- two units on the Susquehanna River, 3 miles south of Middletown, PA - generating capacity: 852 & 906 MWe - run by Metropolitan Edison Company (“Met-Ed”) - built in response to the 1970s energy crisis and petroleum shortages |
_____ Water Reactor (LWR):
• normal _____ acts as moderator and coolant
• reactor heats water in primary system heats water in secondary system steam drives turbine generates electricity
• steam condensed to water by tertiary system, which vents from cooling towers
March 28, 1979, 4:00 a.m.
• maintenance crew cleared buildup of filter resin beads in demineralizer system of Unit 2 with high-pressure air + water
• water leaked through a faulty seal into pneumatic air system control valves for main steamwater feedwater pumps in secondary system “_______” (shut down)
- valve had ______ 11 times before
- no warnings from manufacturer; no changes to design
• turbine and electrical generator shut down
• temperature, pressure in primary system (reactor water) increased; steam vented from pilot-operated relief valve (PORV) holding tank
• reactor “________”: control rods automatically dropped into reactor core (absorb neutrons, slow nuclear reaction)
• three emergency backup feedwater pumps in secondary system started
• so far, this should have been just a mild _______
4:00:09 a.m.
• no water reached emergency backup feedwater pumps (cutoff valves ______ for maintenance 2 days before)
- light signalling that the lines were closed was _______ by maintenance tag
- other light blocked by ________?
• relief valve did not close
- PORV status indicates signal sent (rather than indicating valve was actually closed)
- radioactive reactor water escaped to drain tank, creating a LOCA (loss of coolant accident)
4:02 a.m.
• emergency injection water (EIW) pumps started automatically, adding water to primary system
- pressurizer gauges showed water rising, but pressure falling--an apparent paradox
- operators were trained to never let the reactor “go solid” (fill with water) due to overcooling
- operators ______ ___ EIW, thinking too much coolant was available: this kept the problem growing
• water rushes in--and out through stuck relief valve, overflowing the holding tank, into auxiliary building
- 30,000+ litres of radioactive water discharged through building; no ______ triggered
• gauges showed water level continuing to rise (it was actually _______), due to turbulence of water rushing out of the PORV
4:08 a.m.
• supervisor noticed cutoff valves for emergency backup feedwater pumps in secondary system were off
- opened cutoff valves, ________ a major disaster
- secondary cooling system was now functioning ________
5:20 a.m.
• reactor coolant water steam pumps _____ violently due to cavitation
- operators shut two pumps down; other pumps shut down 20 minutes later
- operators believed natural circulation would continue water movement
6:15 a.m.
• decay heat from nuclear core boiled off coolant water
- nuclear core _______; zirconium cladding and uranium dioxide fuel started to ____
- intense radiation field caused H2O to split apart
- H2 bubble formed; prevented cooling (but not enough O2 for explosion)
- control rods released ___________ gases
6:20 a.m.
• operator from next shift noticed PORV discharge temperature was high; shut the backup block valve
6:45 a.m.
• radiation alarms sounded (radioactivity was ___× normal)
• Site Emergency declared; General Emergency declared 15 minutes later
• debate ensued over reliability of temperature readings, and whether or not core was _______
• normal core temperature = 600 °F (316 °C), actual was >____ °F (2204 °C)
- instruments to measure core temp not standard equipment
- as part of experimental study of core performance, TMI-2 had _____________ installed 30 cm above core
- thermocouples connected to control-room computer: if temperature above 600 °F range, display read: _______
7:50 p.m.
• advice from plant designers Babcock & Wilcox finally reached control room
• primary cooling system pumps turned back on; core temperature under _______
Aftermath:
• small amounts of radioactive gases and iodine-131 were released into the environment
• most studies have found no long-term health effects, but some have found elevated incidence cancers in those living around the reactor
• Unit 2 was permanently closed; cleanup cost was about $1 billion
• NRC (Rogovin Report, 1980): incident due to inadequacies of design, equipment, and operator training
- recommended greater application of human factors engineering, including better instrumentation display and improved control room design
- “the nuclear industry has paid remarkably little attention to one of the best tools available for integrating the reactor operator into the system: the relatively new discipline of ‘human factors’” (p.122)
• President’s Commission (Kemeny Report, 1979): incident would have been minor if not for “_____ failures” in maintenance, operator training, communication, management, and NRC oversight
• Met-Ed pleaded guilty to criminal charges; paid $45,000 fine
• class action lawsuit resulted in out-of-court settlement for $25 million in 1981; millions more paid by Met-Ed and its insurers in settlements
Human factors:
• operator over-reliance on Emergency Procedures _______ (which did not cover this case)
- _____-based procedures were used: operators have to identify a particular event to find actions to fix it
- _______-based procedures now used: procedural actions are linked to specific plant symptoms
• Site Emergency not declared, as ________ by NRC (Nuclear Regulatory Commission), until 3 hours after incident
• maintenance __________ for auxiliary feedwater pumps (indicating they were closed) had been thrown away
• _____ intervention was primary cause of the incident; human error principally due to control room design
- control panel was 27 m long with over 1,100 dials, gauges, switches; more than 600 warning lights
- relief valve safety shutoff located on ____ of control panel
- computer printer hopelessly overwhelmed; error message about relief valve printed out _ hours later
- control panel instruments conflicted
- 100+ alarm lights triggered in 2 minutes
- turning off audible alarm disabled some visual ____________ (e.g., for radioactive water leak)
Sheridan (1981):
- reviewed display consoles in nuclear reactors
- numerous features in display designs might easily lead to error under time-stressed circumstances:
1. left side of a pair of displays driven by _____ side of a pair of controls
2. panel meters unreadable more than a few feet away, but controls for meters were __ feet away
3. critical displays located on ____ of a panel; less important displays occupied front panel
4. identical side-by-side displays: one scaled a factor of __ different from the other, but not marked as such
5. controls jutted out so operators inadvertently activated them with their ______
6. _________ labels
7. label on alarm annunciators differed from corresponding nomenclature in procedures ______
Meshkati (1996)
• upwards of 65% of U.S. commercial nuclear systems failures involve human error
• nuclear power plants should be examined on three levels:
1. technological
2. _____
3. organizational
• specifically, there should be an overhaul in:
- ______
- construction
- ________
- operation
- regulatory _________
|
|
- four reactors along banks of Pripyat River, 135 km north of Kyiv, Ukraine - generating capacity: 1,000 MWe each - built to reduce USSR’s dependence on foreign energy supplies |
Reactor types:
• Light Water Reactors (LWR):
- include reactors like TMI
- must be shut down for refueling
- normal _____ acts as coolant and moderator
- ________ ____ coefficient of reactivity:
▸ loss of coolant creates steam pockets (“voids”)
▸ steam is less efficient coolant than water; steam does not act as a moderator
▸ loss of coolant power out ________ (reaction stops)
- however, this design requires use of high-quality enriched uranium
• RBMK (“High Power Channel Reactor”):
- design allows refueling without reactor shutdown
- intended for _______-grade plutonium and power production (more economical)
- Soviet Union unable to produce sufficient enriched uranium, so water could not be used as moderator
- has ________ moderator; water coolant acts as “poison”: water also absorbs neutrons, but slows reaction
- ________ ____ coefficient of reactivity:
▸ loss of coolant creates steam voids, leading to decreased cooling
▸ graphite moderator continues reaction, causing more voids
▸ less water is available to absorb neutrons power increases (reactor out of control)
- also, RBMK ________ at low power
- has no containment vessel of steel-reinforced concrete (due to cost and difficulty of manufacturing)
Basis for the Test:
• power from plant supplies external electricity--but also drives pumps that circulate coolant
• What if reactor is shut down; not producing power?
• Will a “coasting” turbine provide enough power to pump coolant until diesel generator ______ system is started?
• test of ______ _______ of Unit 4
• Unit 4 had been rushed into service before testing was completed; three previous tests failed
• test was not approved by upper ministry
Initial Preparations:
April 25, 1986, 1:06 a.m.
• test scheduled prior to May Day holiday weekend when performance targets/production quotas were reviewed
• following week: annual maintenance shutdown
• power output gradually decreased (goal: 25% power)
13:05
• reactor power reduced to 1600 MWt or 50%
2:00 p.m.
• Emergency Core Cooling System (ECCS) __________ (would interrupt test)
2:05 p.m.
• regional power station in Kyiv failed
• Kyiv electricity grid controller requested power demand be met; factories were desperate to meet production quotas and win bonuses by the May Day deadline
• ECCS not reconnected (procedural _________)
• experiment delayed from day to night shift; operators who had been briefed on the test went off shift
11:10 p.m.
• Unit 4 released from power grid
• further reduction in power begun
Pretest Preparations:
April 26, 12:28 a.m.
• power level at ___ MWt (safe level: about 700 MWt)
• control transferred to automatic regulating system (handles automatic _______ ____)
• power fell to 30 MWt
- Senior Reactor Control Engineer Leonid Toptunov neglected to program system “autopilot”
- delay at low power caused buildup of xenon-135, a fission byproduct that decreases reactivity (at high power, it is burned away)
12:32 a.m.
• some steps in instructions for the test were crossed out
• Toptunov called operators at reactor 3, asking for help
• changes had not been officially stamped for approval, so was advised to follow crossed out instructions
• Deputy Chief Engineer Dyatlov--recently promoted and eager to impress--ordered increase in power
• despite operators’ objections, some control rods removed to boost power
• fewer than 26 remained in core (should never be <30)
• power rose and stabilized at 200 MWt
1:03 a.m.
• test continued
• two additional standby main circulating pumps activated increased water flow to core (part of pre-test)
• this overcooling caused drop in steam pressure cooling system began to ________ (procedural violation)
• increased water absorbed more neutrons ______ reaction
• steam pressure dropped
1:19 a.m.
• feedwater flow tripled to try to increase steam pressure
• operators ________ reactor shutdown (procedural violation)
• excess water cooled the core too much
• more manual rods removed to boost reactor power, temperature
1:22:45 a.m.
• system indicated abnormal, but apparently ______ situation
• test continued (procedural violation)
The Test:
1:23:04 a.m.
• steam valves to turbine generator closed; diesel generators started
• operators overrode reactor trip safety mechanisms--to keep reactor going if experiment at first ______ (procedural violation)
1:23:10 a.m.
• automatic control rods removed; only 6 left in
1:23:31 a.m.
• as electrical power fell, main coolant flow and feedwater flow reduced steam output increased reactor output increased (due to ________ ____ coefficient)
1:23:40 a.m.
• reactor power ______
• emergency button AZ-5 dropped 205 control rods into core
• rods displaced water, increasing reactivity
• graphite rod tips further concentrated reactivity at core bottom
1:23:44 a.m.
• reactor power increased exponentially peaked at ___× design limits
• reactor pellets shattered, reacted with coolant water
1:24 a.m.
• two __________ occurred
- first was steam explosion
- second was from expansion of fuel vapour
Short-term consequences:
• two reactor staff were killed, 28 firefighters died shortly afterward from acute radiation syndrome
• at least _ ____ of nuclear fuel evaporated and released into atmosphere
• 2,000 tonne metal plate sealing the reactor _____ ___
• ___ ____ of radioactive graphite from reactor core burned; it took 9 days to put out the fire in the core
• radioactive uranium, plutonium, cesium-137, strontium-90, iodine-131 spread into atmosphere
• 200-1,000× radiation of Hiroshima + Nagasaki released
• high doses of radiation expelled across Ukraine, Belarus, Eastern Europe
• effects felt from Finland to South Africa
• 260,000+ km2 land contaminated
• food supplies as far away as Sicily and England ______ due to contamination
• concrete sarcophagus built to seal off the damaged reactor in 1986
Long-term consequences:
• Zone of Alienation/Exclusion Zone has a radius of 30 km around Chernobyl
• increased childhood incidence of respiratory diseases, digestive problems, diabetes, endocrinal pathologies in Belarus, Russia, and Ukraine
• over 9,000 cases of thyroid cancer (vs. baseline of 6,000)
• estimates of mortality: 4,000 to 34,000 to 90,000
• legal aspects: five workers and managers were found guilty of violating safety regulations
• multiple safety improvements were made to the design of RBMK reactors
• New Safe Confinement shelter completed in 2017; cost €1.5 billion
• cost of the disaster estimated to be US$200-US$400 billion, making it the most expensive disaster in history
• may have been the main cause of the ________ of the Soviet Union (Gorbachev, 2006)
Main contributing factors (International Nuclear Safety Advisory Group: INSAG-1, 1986; INSAG-7, 1992):
1. Reactor ______
- positive void coefficient of reactivity
- control rod design: boron carbide rods had graphite tips, which initially increased reactor power as they were inserted (“positive scram”)
2. ___-_______ operation of reactor
- running circulating pumps at inflated levels
- disengaging automatic trip when turbines went offline
3. _________ of operating regulations
- too many control rods removed, too far
- power went below specified levels
- emergency cooling system disengaged
4. Lack of a ______ _______: values, attitudes, beliefs, perceptions of risk, and practices that employees and organizations share in relation to safety
- mismanagement
- operators lacked fundamental knowledge of reactor
“The root cause of the Chernobyl accident, it is concluded, is to be found in the so-called human element.” (International Atomic Energy Agency [IAEA], 1986, p.76)
“The Chernobyl accident illustrated the critical contribution of the human factor in nuclear safety.” (IAEA, 1988, p.43)
