December 31, 2017
December 31, 2017
Lately I became interested in nuclear reactors. Well, nuclear reactor disasters to be exact. This led me to read about the nuclear reactor incidents happened in the last 60 years or so and slowly a pattern started to emerge.
A lot of the accidents may seem like they have a human hand in them but if you look at them closely you will find errors caused by the system and human errors are just a natural extension of the system and were preventable most of the time. At least, the consequences could have been much less.
I am not a nuclear reactor expert and this article is not about the pros and cons of nuclear energy; nor is it about better nuclear reactor design. It is, however, about systems thinking, the importance of understanding a system, and the errors that a system causes to implement a continual improvement culture.
I chose 3 nuclear disasters from 3 different countries to show that culture does not play a role when it comes to ignoring errors coming from a system.
Before I delve into any of that though, I would like to take a very brief look at how nuclear reactors work. This information will clarify some of the more technical details and help us understand the events that unfolded much better.
A nuclear power plant is a power generator. All power generators work the same way. The process is pretty simple.
The thing that makes a difference is how you boil the water. This is where nuclear plants separate from the conventional power plants.
You may have heard some of the terminology that I will be using. The water is heated in a nuclear plant by using nuclear fuel rods. These rods are metal tubes that have many small palettes inside them made of uranium oxide. Uranium is very special to us because it is an atom we can split.
In a nuclear plant, we have hundreds or thousands of these rods put together, depending on the reactor’s size and power. The region where the rods are placed is called the reactor core.
When things break apart they tend to release the energy that was holding them together. It doesn’t matter whether that is an atom or a stretched rubber band. If you stretch a rubber band and then cut it you will see that it rushes to either side that was holding the rubber band. You effectively created two smaller rubber bands.
Now, when that is an atom, and you split it, it starts to smash things around it warming things up. To split an atom, you need a small particle called a neutron. When the neutron hits the very center of a uranium atom, it gets absorbed and causes the atom to become unstable and split.
As we now know, this action releases energy. In addition, it releases two or three more neutrons. These neutrons fly off to the surroundings causing more trouble. This is called nuclear fission.
At this point it is still not enough to sustain a nuclear reaction. The neutrons are going too fast and at that speed the uranium atom does not absorb the neutrons that easily. We need to slow down the neutrons.
That is where water comes in. Water is pivotal to the whole process because it slows down the neutrons enough so they have a bigger chance of being absorbed by the neutron atom. This is why the reactors are filled with water.
With water, neutrons are being absorbed by other uranium atoms and splitting, releasing more neutrons only to be absorbed by more atoms and then they split too. This goes on and on and if you can sustain that process, then you have heat.
There is one more critical element to the whole process: Control rods.
In order to get a steady output of energy from the nuclear reactor, every fission reaction should trigger another fission reaction and ensure the availability of spare neutrons released to trigger the chain reactions. By controlling the number of available spare neutrons at any given time, the rate of nuclear fission chain reactions can be controlled. This is achieved by using control rods.
The main job of the control rods is to absorb any excess neutrons in the water to prevent any further fission reactions. (For the curious, usually such rods are made of borane or cadmium.) To increase the rate of fission reactors, these rods can be removed from the water, or they can be inserted at various levels to achieve more control.
So, to recap, we heat the water by nuclear fission turning this water into steam. This steam turns the turbines generating electricity. We then pump in fresh water to the reactor since the water levels have decreased and turned into steam, to keep the process going.
Hope you are with me so far. There are two types of nuclear reactors mentioned in this series.
There are two types of nuclear reactors generally used in the world: The Boiling Water Reactor (BWR) and Pressurized Water Reactor (PWR).
In the BWR, the water around the rods is heated and the resulting steam is carried by pipes to the turbine. Unused steam is recycled back into the core.
In the PWR, the water around the rods is heated too however, it is kept under pressure to make it warmer. This pressure also prevents the water from boiling. The hot water is then pumped to a steam generator. The steam is used to turn the turbine and generate electricity. Unused steam is recycled and used again to heat the water.
Boil water, create steam, turn the turbines and make electricity. What can go wrong, right?
On March 27th 1979, the workers at the Three Mile Island (TMI) power station (PWR) near Harrisburg in Pennsylvania, USA, were compelled to blow compressed air into a water pipe, intending to let the water’s force clean a filter. Unbeknownst to them, while the action worked, it also caused an inadvertent trickle of water to leak into the feed water pumps’ control system.
Eleven hours later, on March 28th, 1979, at 4am, a minor malfunction in the secondary, non-nuclear water cooling unit prevented proper heat dissipation and caused the primary coolant temperature to rise. TMI’s reactor shut itself down, halting the chain reaction but decay heat (the heat from radioactive sources) continued to raise the core temperature.
This, in itself was not a problem, as nuclear reactors have multiple, independent and redundant safety systems in place for these occasions. By an unlucky coincidence, however, the three auxiliary water coolant pumps could not pump any water because their valves were closed for routine maintenance.
Decay heat in the core created a pressure build-up, which prompted the pilot-operated valve to open and stabilize the pressure level. Then the mechanical fault from 11 hours ago came into play, preventing the valve that stabilized the pressure in the core from closing up. Reactor 2’s operators incorrectly assumed that the valve had closed, because their control panels indicated that a “close” signal had been sent to it. As a result, they failed to notice that coolant was escaping from the system for several hours.
With coolant rapidly escaping, the control computer injected emergency water into the system to compensate. At this point, the operators believed that there was actually too much water in the cooling system even though water was leaking out. They responded by reducing the flow of replacement water, unintentionally starving the reactor of water.
Diminishing water levels exposed the top of the fuel elements inside the core, causing them to be over heated and melt, which released radioactive particles into the remaining water.
During all this time, the reactor operators struggled to figure out what was wrong. It was only when the shift changed at 6am, fresh eyes realized what was going on and started to take corrective measures.
16 hours since the disaster began, things were under control but by that time about half of the core and 90% of the fuel’s safety cladding had melted. The event was saved from being catastrophically worse by an enormous shield surrounding the core, containing its molten radioactive remains.
The thorough clean-up operation was completed in 1993 and costed around $1 billion ($1.7b in 2018).
At the time, there were no training schools for nuclear reactors. The Navy was supplying reactor operators the same way the Air Force was supplying airline pilots to the air transportation industry. A young man who had been rigorously trained in the Navy to run a submarine reactor with few years of underwater experience could retire early and find a nice job in a nuclear power reactor. He was considered to be at the top of the game, as he was military trained.
This also saved money for the power company as they did not have to train an operator from scratch. Veterans from the submariner or nuclear aircraft carrier service were always welcomed and why not? This policy worked perfectly well for the airline industry so why not for the nuclear power stations?
The reactors used in the first years of the attack submarines were tiny. When the sub was running at full speed, they were producing 12 megawatts (that is 12 million watts). Small reactors have small problems, so even though the engineers were experienced in running the reactors, the complexities of an extremely complex billion-watt power reactor were unknown to them.
The submarine reactor was run by two men sitting at a dashboard as complex as the dashboard of a twin-engine airplane.
In contrast, the power plant console is a different game altogether. It takes several men to run it, all standing up. It is the size of a basketball gymnasium. There are about 1,100 dials, gauges and indicator lights; some 600 alarm panels as well as hundreds of recorders, switches and circuit breakers.
This is just the front panel.
Then there is the back panel with more indicators and dials and lights, because the front panel does not have enough space for them. There was not much reasoning in the positioning of these indicators either. One had to remember what showed what.
If anything went wrong in the system, it was brought to the attention of the staff by an alarm sounding off and blinking lights. At any one time, there could be 50 alarm tiles lit up from minor problems and needing attention. A printer on the side keeps printing out the alarm conditions on a continuous roll of paper.
The amount of detailed information coming out of the nuclear plant control deck is not comparable to the submarine’s.
A nagging problem with nuclear reactors is the decay heat of fission. What this means is that each fission releases an enormous amount of energy, but not all of it is released all at once. A big portion of the energy is released immediately, but then a smaller portion is released gradually. The issue is that it is quite easy to instantly shut the fission process down and stop the reactor but there is a period where the reactor is still generating heat at a greatly reduced and falling percentage. This is called “coastdown”.
If the power before the shutdown is not too great then there is no problem even if all of the reactor cooling systems are not working. The fuel will still be hot but reactors are built to withstand overheating. This is also the reason why the pumps need to pump fresh water into the reactor to make sure that it does not get too hot.
An attack submarine rector built in the 1960s made 12 megawatts when running at full speed. Immediately after an emergency shutdown, that reactor is still producing 6.5% of the 12 megawatts, or 780 kilowatts. That is not enough power to melt anything.
A typical reactor, like the one used in the Three Mile Island, on the other hand, would be producing 3,800 megawatts of heat to make energy. Upon an emergency shutdown, this reactor is still producing 247 megawatts of heat and in the confines of a reactor vessel, that is enough power to melt solid rock. After a day of sitting in shutdown mode, this reactor is still making 15.2 megawatts which is more than enough to run the submarine at full speed. After a week, the reactor cools down to 7.6 megawatts.
The nuclear reactors and the operators are never seen as a system. Otherwise, an operator would have been trained according to the new environment even if the operator was a star operator in the Navy. Budgetary constraints led to critical systems not being installed. A systems approach would undoubtedly have helped come up with a better “system”.
The only way around this problem with nuclear fission is to ensure a cooling system, particularly in that first hour after shutdown, using redundant, multiple devices. In the Three Mile Island case, some of the critical and redundant systems were not wired correctly and they were not checked as well. Quality was not built in from the beginning.
On top of everything else, not implementing a “mistake-proof” (poka-yoke) approach to the control panels made everything worse. The operators, when panicked, read the wrong gauges and thus the indicators lead them to make the wrong decisions.
We were lucky as it could have been much worse and a big catastrophe was only saved due to the reactor’s shield. The brave men and women at the Three Mile Island reactor did all they could; however, they were crippled by faults arising from the system. (for the curious, to find out more about the faults coming from the system where humans are blamed, see Red Bead Experiment )
In the years that followed, everything went back to normal in the world of nuclear power. It was as if the worst had happened. We were lucky and escaped the worst and all was quiet and still.
Then a few years later, things went wrong in another nuclear reactor at the other end of the world in a small and ancient town. Only this time this reactor did not have a shield to contain the radioactive remains and all hell broke loose.
This town was called Chernobyl.
Recommended Reading List: