Print this page
Monday, 14 March 2011 20:48

Disregarding Ergonomic Design Principles: Chernobyl

Rate this item
(2 votes)

The causes of the 1986 Chernobyl disaster have been variously attributed to the operating personnel, the plant management, the design of the reactor and the lack of adequate safety information in the Soviet nuclear industry. This article considers a number of design faults, operational shortcomings and human errors that combined in the accident. It examines the sequence of events leading up to the accident, design problems in the reactor and cooling rods, and the course of the accident itself. It considers the ergonomics aspects, and expresses the view that the main cause of the accident was inadequate user-machine interaction. Finally, it stresses the continuing inadequacies, and emphasizes that unless the ergonomics lessons are fully learned, a similar disaster could still occur.

The full story of the Chernobyl disaster is yet to be disclosed. To speak candidly, the truth is still veiled by self-serving reticence, half-truths, secrecy and even falsehood. A comprehensive study of the causes of the accident appears to be a very difficult task. The main problem faced by the investigator is the need to reconstruct the accident and the role of the human factors in it on the basis of the tiny bits of information that have been made available for study. The Chernobyl disaster is more than a severe technological accident, part of the reasons for the disaster also lie with the administration and the bureaucracy. However, the chief aim of this article is to consider the design faults, the operational shortcomings and the human errors that combined in the Chernobyl accident.

Who is to blame?

The chief designer for the pressure tube large power boiling water reactors (RBMK) used at the Chernobyl nuclear power plant (NPP), in 1989, presented his view on the causes of the Chernobyl accident. He attributed the disaster to the fact that the personnel failed to observe the correct procedures, or “production discipline”. He pointed out that the lawyers investigating the accident had arrived at the same conclusion. According to his view, “the fault lies with the personnel rather than some design or manufacturing failings.” The research supervisor for the RBMK development supported this view. The possibility of ergonomic inadequacy as a causative factor was not considered.

The operators themselves expressed a different opinion. The shift supervisor of the fourth unit, A.F. Akimov, when dying in a hospital as a result of receiving a dose of radiation of more than 1,500 rads (R) in a short period of time during the accident, kept telling his parents that his actions had been correct and he could not understand what had gone wrong. His persistence reflected absolute trust in a reactor that was supposedly completely safe. Akimov also said that he had nothing to blame his crew for. The operators were sure that their actions were in accord with regulations, and the latter did not mention the eventuality of an explosion at all. (Remarkably, the possibility of the reactor’s becoming dangerous under certain conditions was introduced into the safety regulations only after the Chernobyl accident.) However, in light of design problems revealed subsequently, it is significant that the operators could not understand why inserting rods into the core caused such a terrible explosion instead of instantly stopping the nuclear reaction as designed. In other words, in this case they acted correctly according to the maintenance instructions and to their mental model of the reactor system, but the design of the system failed to correspond to that model.

Six persons, representing only the plant management, were convicted, in view of the human losses, on the grounds of having violated safety regulations for potentially explosive facilities. The chairman presiding over the court said some words to the effect of proceeding with the investigations as regards “those who failed to take measures to improve the plant design”. He also mentioned the responsibility of department officials, local authorities and medical services. But, in fact, it was clear that the case was closed. Nobody else was held responsible for the greatest disaster in the history of nuclear technology.

However, it is necessary to investigate all causative factors that combined in the disaster to learn important lessons for safe future operation of NPPs.

Secrecy: The information monopoly in research and industry

The failure of the user-machine relationship that resulted in “Chernobyl-86” can be attributed in some measure to the policy of secrecy—the enforcement of an information monopoly—that governed technological communication in the Soviet nuclear energy establishment. A small group of scientists and researchers were given an exhaustive right to define the basic principles and procedures in nuclear power, a monopoly reliably protected by the policy of secrecy. As a result, reassurances by Soviet scientists as regards the absolute safety of NPPs remained unchallenged for 35 years, and secrecy veiled the incompetence of the civil nuclear leaders. Incidentally, it became known recently that this secrecy was extended to information relating to the Three Mile Island accident as well; the operating personnel of Soviet NPPs were not fully informed about this accident—only selected items of information, which did not contradict the official view on NPP safety, were made known. A report on the human engineering aspects of the Three Mile Island accident, presented by the author of this paper in 1985, was not distributed to those involved with safety and reliability of NPPs.

No Soviet nuclear accidents were ever made public except for the accidents at the Armenian and Chernobyl (1982) nuclear power plants, which were casually mentioned in the newspaper Pravda. By concealing the true state of affairs (thus failing to make use of lessons based on the accident analyses) the leaders of the nuclear power industry were setting it straight on the path to Chernobyl-86, a path that was further smoothed by the fact that a simplified idea of the operator activities had been implanted and the risk of operating NPPs was underestimated.

As a member of the State Expert Committee on the Consequences of the Chernobyl accident stated in 1990: “To err no more, we have to admit all our errors and analyse them. It is essential to determine which errors were due to our inexperience and which ones were actually a deliberate attempt to hide the truth.”

The Chernobyl Accident of 1986

Faulty planning of the test

On 25 April 1986, the fourth unit of the Chernobyl NPP (Chernobyl 4) was being prepared for routine maintenance. The plan was to shut the unit down and perform an experiment involving inoperative safety systems totally deprived of power from normal sources. This test should have been carried out before the initial Chernobyl 4 startup. However, the State Committee was in such a hurry to start up the unit that they decided to postpone indefinitely some “insignificant” tests. The Acceptance Certificate was signed at the end of 1982. Hence, the deputy chief engineer was acting according to the earlier plan, which presupposed a wholly inactive unit; his planning and timing of the test proceeded according to this implicit assumption. This test was in no way carried out on his own initiative.

The programme of the test was approved by the chief engineer. The power during the test was supposed to be generated from the rundown energy of the turbine rotor (during its inertia-induced rotation). When still rotating, the rotor provides electric power generation which could be used in an emergency. Total loss of power at a nuclear plant causes all mechanisms to stop, including the pumps which provide for the coolant circulation in the core, which in turn results in core meltdown—a grave accident. The above experiment was aimed at testing the possibility of using some other available means—the inertial rotation of the turbine—to produce power. It is not forbidden to perform such tests at operating plants provided that an adequate procedure has been developed and additional safety precautions have been worked out. The programme must ensure that a back-up power supply for the whole test period is provided. In other words, the loss of power is only implied but never actualized. The test may be performed only after the reactor is shut down, that is, when the “scram” button is pushed and the absorbing rods are inserted in the core. Prior to this, the reactor must be in a stable controlled condition with the reactivity margin specified in the operating procedure, with at least 28 to 30 absorbing rods inserted in the core.

The programme approved by the chief engineer of the Chernobyl plant satisfied none of the above requirements. Moreover, it called for the shutting off of the emergency core cooling system (ECCS), thus jeopardizing the safety of the plant for the whole test period (about four hours). When developing the programme, the initiators took into account the possibility of triggering the ECCS, an eventuality which would have prevented them from completing the rundown test. The bleed-off method was not specified in the programme since the turbine no longer needed steam. Clearly, the people involved were completely ignorant of reactor physics. The nuclear power leaders obviously included similarly unqualified people as well, which would account for the fact that when the above programme was submitted for approval to the responsible authorities in January 1986, it was never commented on by them in any way. The dulled feeling of danger also made its contribution. Owing to the policy of secrecy surrounding nuclear technology the opinion had formed that nuclear power plants were safe and reliable, and that their operation was accident-free. Lack of official response to the programme did not, however, alert the director of the Chernobyl plant to the possibility of danger. He decided to proceed with the test using the uncertified programme, even though it was not permitted.

Change in the test programme

While performing the test, the personnel violated the programme itself, thus creating further possibilities for an accident. The Chernobyl personnel committed six gross errors and violations. According to the programme the ECCS was made inoperative, this being one of the gravest and most fatal errors. The feedwater control valves had been cut off and locked beforehand so that it would be impossible even to open them manually. The emergency cooling was deliberately put out of action in order to prevent possible thermal shock resulting from cold water entering the hot core. This decision was based on the firm belief that the reactor would hold out. The “faith” in the reactor was strengthened by the comparatively trouble-free ten years’ operation of the plant. Even a serious warning, the partial core meltdown at the first Chernobyl unit in September 1982, was ignored.

According to the test programme the rotor rundown was to be carried out at a power level of 700 to 1000 MWth (megawatts of thermal power). Such a rundown should have been performed as the reactor was being shut down, but the other, disastrous, way was chosen: to proceed with the test with the reactor still operating. This was done to ensure the “purity” of the experiment.

In certain operating conditions, it becomes necessary to change or turn off a local control for clusters of absorbing rods. When turning off one of these local systems (the means of doing this are specified in the procedure for low-power operation), the senior reactor control engineer was slow to correct the imbalance in the control system. As a result, the power fell below 30 MWth which led to fission-product reactor poisoning (with xenon and iodine). In such an event, it is next to impossible to restore normal conditions without interrupting the test and waiting a day until the poisoning is overcome. The deputy chief engineer for operations did not want to interrupt the test and, by means of shouting at them, forced the control-room operators to begin raising the power level (which had been stabilized at 200 MWth). The reactor poisoning continued, but further power increase was impermissible owing to the small operating reactivity margin of only 30 rods for a large power pressure-tube reactor (RBMK). The reactor became practically uncontrollable and potentially explosive because, in trying to overcome the poisoning, the operators withdrew several rods needed to maintain the reactivity safety margin, thus making the scram system ineffective. Nevertheless, it was decided to proceed with the test. Operator behaviour was evidently motivated mainly by the desire to complete the test as soon as possible.

Problems due to the inadequate design of the reactor and absorbing rods

To give a better understanding of the causes of the accident, it is necessary to point out the major design deficiencies of the absorbing rods of the control and scram system. The core height is 7 m, while the absorbing length of the rods amounts to 5 m with 1 m hollow parts above and below it. The bottom ends of the absorbing rods, which go under the core when fully inserted, are filled with graphite. Given such a design, the control rods enter the core followed by one-metre hollow parts and, finally, come the absorbing parts.

At Chernobyl 4 , there were a total of 211 absorbing rods, 205 of which were fully withdrawn. Simultaneous reinsertion of so many rods initially results in reactivity overshoot (a peak in fission activity), since at first the graphite ends and hollow parts enter the core. In a stable controlled reactor such a burst is nothing to worry about, but in the event of a combination of adverse conditions, such an addition may prove fatal since it leads to prompt neutron reactor runaway. The immediate cause of initial reactivity growth was the initiation of water boiling in the core. This initial reactivity growth reflected one particular drawback: a positive steam void coefficient, which resulted from the core design. This design deficiency is one of the faults which caused operator errors.

Grave design faults in the reactor and the absorbing rods actually predetermined the Chernobyl accident. In 1975, after the accident at the Leningrad plant, and later on, specialists warned about the possibility of another accident in view of deficiencies in core design. Six months before the Chernobyl disaster, a safety inspector at the Kursk plant sent a letter to Moscow in which he pointed out to the chief researcher and chief designer certain design inadequacies of the reactor and the control and protection system rods. The State Supervising Committee for Nuclear Power, however, called his argument groundless.

The course of the accident itself

The course of the events was as follows. With the onset of the reactor coolant pump cavitation, which led to reduced flow rate in the core, the coolant boiled in the pressure tubes. Just then, the shift supervisor pushed the button of the scram system. In response, all the control rods (which had been withdrawn) and the scram rods dropped into the core. However, first to enter the core were the graphite and hollow ends of the rods, which cause reactivity growth; and they entered the core just at the beginning of intensive steam generation. The rise of the core temperature also produced the same effect. Thus there were combined three conditions unfavourable for the core. Immediate reactor runaway began. This was due primarily to gross design deficiencies of the RBMK. It should be recalled here that the ECCS had been made inoperative, locked and sealed.

The subsequent events are well known. The reactor was damaged. The major part of the fuel, graphite and other in-core components were blown out. Radiation levels in the vicinity of the damaged unit amounted to 1,000 to 15,000 R/h, although there were some more distant or sheltered areas where radiation levels were considerably lower.

At first the personnel failed to realize what had happened and just kept on saying, “It is impossible! Everything was done properly.”

Ergonomics considerations in connection with the Soviet report on the accident

The report presented by the Soviet delegation at the International Atomic Energy Association (IAEA) meeting in summer 1986 evidently gave truthful information on the Chernobyl explosion, but a doubt keeps on returning as to whether the emphasis was put in the right places and whether the design inadequacies were not treated much too gently. The report stated that the behaviour of the personnel was caused by the desire to complete the test as soon as possible. Judging from the facts that the personnel violated the procedure for preparing and carrying out tests, violated the test programme itself, and were careless when performing the reactor control, it would seem that the operators were not fully aware of the processes taking place in the reactor and had lost all feeling of danger. According to the report:

The reactor designers failed to provide safety systems designed to prevent an accident in the case of deliberate shut-off of the engineered safety means combined with violations of the operating procedures since they regarded such a combination as unlikely. Hence the initial cause of the accident was a very unlikely violation of the operating procedure and conditions by the plant personnel.

It has become known that in the initial text of the report the words “plant personnel” were followed by the phrase “which showed the design faults of the reactor and the control and protection system rods”.

The designers considered the interference of “clever fools” in plant control unlikely, and therefore failed to develop the corresponding engineered safety mechanisms. Given the phrase in the report stating that the designers considered the actual combination of events unlikely, some questions arise: Had the designers considered all possible situations associated with human activity at the plant? If the answer is positive, then how were they taken into account in the plant design? Unfortunately, the answer to the first question is negative, leaving areas of user-machine interaction undetermined. As a result, onsite emergency training and theoretical and practical training were carried out mainly within a primitive control algorithm.

Ergonomics was not used when designing computer-assisted control systems and control rooms for nuclear plants. As a particularly serious example, an essential parameter indicative of the core state, that is, the number of the control and protection system rods in the core, was displayed on the control board of Chernobyl 4 in a manner inappropriate for perception and comprehension. This inadequacy was overcome only by operator experience in interpreting displays.

Project miscalculations and ignoring human factors had created a delayed-action bomb. It should be emphasized that the design fault of the core and the control system served as a fatal basis for further erroneous actions by operators, and thus the main cause of the accident was the inadequate design of user-machine interaction. Investigators of the disaster called for “respect to human engineering and man-machine interaction, it being the lesson Chernobyl taught us.” Unfortunately, it is difficult to abandon old approaches and stereotyped thinking.

As early as 1976, academician P.L. Kapitza seemed to foresee a disaster for reasons that might have been relevant to preventing a Chernobyl, but his concerns were made known only in 1989. In February 1976, US News and World Report, a weekly news magazine, published a report on the fire at the Browns Ferry nuclear facility in California. Kapitza was so concerned about this accident that he mentioned it in his own report, “Global problems and energy”, delivered in Stockholm in May 1976. Kapitza said in particular:

The accident highlighted the inadequacy of the mathematical methods used to calculate the probability of such events, since these methods do not take into account the probability due to human errors. To solve this problem, it is necessary to take measures to prevent any nuclear accident from taking on a disastrous course.

Kapitza tried to publish his paper in the magazine Nauka i Zhizn (Science and Life), but the paper was rejected on the grounds that it was not advisable “to frighten the public”. The Swedish magazine Ambio had asked Kapitza for his paper but in the long run did not publish it either.

The Academy of Sciences assured Kapitza that there could be no such accidents in the USSR and as an ultimate “proof” gave him the just published Safety Rules for NPPs. These rules contained, for example, such items as “8.1. The actions of the personnel in case of a nuclear accident are determined by the procedure for dealing with the consequences of the accident”!

After Chernobyl

As a direct or indirect consequence of the Chernobyl accident, measures are being developed and put into effect to ensure safe operation of current NPPs and to improve the design and construction of future ones. In particular, measures have been taken to make the scram system more fast-operating and to exclude any possibility of its being deliberately shut off by the personnel. The design of the absorbing rods has been modified and they have been made more numerous.

Furthermore, the pre-Chernobyl procedure for abnormal conditions instructed operators to keep the reactor operating, while according to the current one the reactor must be shut down. New reactors that, basically speaking, are in fact inherently safe are being developed. There have appeared new areas of research which were either ignored or non-existent before Chernobyl, including probabilistic safety analysis and experimental safety bench tests.

However, according to the former USSR Minister of Nuclear Power and Industry, V. Konovalov, the number of failures, shutdowns and incidents at nuclear power plants is still high. Studies show that this is due mainly to the poor quality of the delivered components, to human error and to inadequate solutions by design and engineering bodies. The quality of construction and installation work leaves much to be desired as well.

Various modifications and design changes have become common practice. As a result, and in combination with inadequate training, qualifications of the operating personnel are low. The personnel have to improve their knowledge and skills in the course of their work, based on their experience in plant operation.

Ergonomics lessons are still to be learned

Even the most effective, sophisticated safety control system will fail to provide for plant reliability if human factors are not taken into account. Work is being prepared for the vocational training of personnel in the All-Union Scientific and Research Institute of NPPs, and there are plans to considerably enlarge this effort. It should be admitted, however, that human engineering still is not an integral part of plant design, construction, testing and operation.

The former USSR Ministry of Nuclear Power replied in 1988 to an official inquiry that in the period 1990-2000 there was no need for specialists in human engineering with secondary and higher education as there were no corresponding requests for such personnel from nuclear plants and enterprises.

To solve many of the problems mentioned in this article it is necessary to carry out combined research and development involving physicists, designers, industrial engineers, operating personnel, specialists in human engineering, psychology and other fields. Organizing such joint work entails great difficulties, one particular difficulty being the remaining monopoly of some scientists and groups of scientists on “truth” in the field of nuclear energy and the monopoly of the operating personnel on the information concerning NPP operation. Without available comprehensive information, it is impossible to give a human engineering diagnosis of a NPP and, if necessary, propose ways to eliminate its shortcomings as well as to develop a system of measures to prevent accidents.

In the NPPs of the former Soviet Union the current means for diagnosis, control and computerization are far from accepted international standards; plant control methods are needlessly complicated and confusing; there are no advanced programmes of personnel training; there is poor support of plant operation by designers and highly outdated formats for operating manuals.

Conclusions

In September 1990, after further investigations, two former Chernobyl employees were freed from prison before the end of their terms. Some time later all the imprisoned operating personnel were freed before the appointed time. Many people involved with the reliability and safety of NPPs now believe that the personnel had acted correctly, even though these correct actions resulted in the explosion. The Chernobyl personnel cannot be held responsible for the unexpected magnitude of the accident.

In an attempt to identify those who were responsible for the disaster, the court mainly relied on the opinion of technical specialists who, in this case, were the designers of Chernobyl nuclear power plant. As a result of this one more important Chernobyl lesson is learned: As long as the main legal document that is used to identify responsibility for disasters at such complicated establishments as NPP is something like maintenance instructions produced and changed exclusively by designers of these establishments, it is too technically difficult to find the real reasons for disasters, as well as to take all the necessary precautions to avoid them.

Further, a question still remains as to whether operating personnel should strictly follow the maintenance instructions in the case of disaster or whether they should act according to their knowledge, experience or intuition, which may even contradict the instructions or be unconsciously associated with the threat of severe punishment.

We must state, regrettably, that the question “Who is guilty of the Chernobyl accident?” has not been cleared up. Those responsible should be sought among politicians, physicists, administrators and operators, as well as among development engineers. Convicting mere “switchmen” as in the Chernobyl case, or having clergymen sanctify NPPs with holy water, such as was done with the incident-plagued unit in Smolensk in 1991, cannot be the correct measures to ensure safe and reliable operation of NPPs.

Those considering the Chernobyl disaster merely an unfortunate nuisance of a sort which will never happen again, have to realize that one basic human characteristic is that people do make mistakes—not only operating personnel but also scientists and engineers. Ignoring ergonomic principles about user-machine interactions in any technical or industrial field will result in more frequent and more severe errors.

It is therefore necessary to design technical facilities such as NPPs in such a way that possible errors are discovered before a severe accident can happen. Many ergonomic principles have been derived trying to prevent errors in the first place, for instance in the design of indicators and controls. However, still today these principles are violated in many technical facilities all over the world.

The operating personnel of complex facilities need to be highly qualified, not only for the routine operations but also in the procedures necessary in the case of a deviation from normal status. A sound understanding of the physics and the technologies involved will help the personnel to react better under critical conditions. Such qualifications can only be attained through intensive training.

The constant improvements of user-machine interfaces in all kinds of technical applications, often as a result of minor or major accidents, show that the problem of human errors and thus of user-machine interaction is far from being solved. Continuous ergonomic research and the consequent application of the obtained results aimed at making user-machine interaction more reliable is necessary, especially with technologies that bear a highly destructive power, such as nuclear power. Chernobyl is a severe warning of what can happen if people—scientists and engineers, as well as administrators and politicians—disregard the necessity of including ergonomics in the process of designing and operating complex technical facilities.

Hans Blix, Director General of the IAEA, has stressed this problem with an important comparison. It has been said that the problem of war is much too serious to be left solely to generals. Blix added “that the problems of nuclear power are much too serious to leave them solely to nuclear experts”.

 

Back

Read 6843 times Last modified on Thursday, 13 October 2011 20:29