By Cecilia Eiroa-Lledo, Maria Kolomiets, Masha Levon, Nikita Karpov, Elliot Serbin, Yulia Katsenko, August 31, 2020
Nuclear power has been one of the cleanest and most efficient ways to produce electricity. Yet three major accidents in different parts of the world—at Three Mile Island in the United States in 1979; at Chernobyl in what was, in 1986, the Ukraine Republic of the Soviet Union; and at Fukushima, Japan in 2011—continue to create public doubt about the safety of nuclear power. Each involved mechanical failure and/or human error, but there were deeper, more fundamental and more troubling causes. We outline the management, regulatory, and design factors that contributed to these catastrophic events with the hope that a better understanding of underlying causes will help the nuclear industry avoid future accidents and governments ensure independence of the regulatory authority. Only then can the public be convinced that the industry has learned from past errors and created the safety culture required for sustainable nuclear power.
Three Mile Island: mechanical failure, operator error and management deficiencies. The Three Mile Island (TMI) nuclear power plant accident began with a mechanical failure and a series of human operator errors at the plant's Unit 2 pressurized water reactor. On March 28, 1979, the feedwater pumps of the reactor's secondary cooling system failed, so no water reached the steam generators, and the reactor shut down automatically. As temperature and pressure rose in the primary cooling system, the "pilot-operated relief valve" (PORV) on the pressurizer opened to release the excess pressure. The PORV was designed to close automatically once pressure dropped to a proper level, but it stuck open, and primary coolant kept escaping as steam. The control panel, however, showed only that the valve had been commanded to close, not its actual position, so the operators did not realize the plant was undergoing a loss-of-coolant accident. As pressure fell, the emergency core cooling system automatically pumped water into the reactor vessel. The operators had no instrument showing the water level inside the reactor vessel itself, and because the pressurizer level gauge suggested the primary system was filling up, they throttled back the emergency cooling water to avoid what they believed would be over-pressurization of the vessel; they also shut down the main reactor coolant pumps. Meanwhile the PORV continued to leak, the water level in the core dropped, and the core overheated. The zirconium alloy fuel cladding reacted with superheated steam, generating hydrogen gas inside the reactor vessel, and about one third of the fuel melted. A "small amount" of radiation was released, which was not deemed a serious health hazard, and the reactor vessel maintained its integrity.
Beyond the plant's mechanical problems and operator errors, the President's Commission on the Accident at Three Mile Island found that deficiencies in the management of the TMI plant and of the US nuclear industry contributed to the accident. Operators were insufficiently trained, operating procedures were "very confusing," especially under emergency conditions, and "lessons from previous accidents did not result in new, clear instructions" for the operators. Earlier incidents at other US plants had foreshadowed the stuck-open valve at TMI, but a serious lack of communication, and a failure to collect and adequately analyze information about safety problems, kept TMI from anticipating the accident.
When TMI plant construction began in 1968, the Atomic Energy Commission (AEC) was responsible for the safety and regulation of nuclear power and was also charged with promoting the growth of the nuclear industry, a clear conflict of interest. In 1974, Congress separated these functions and assigned the regulatory duties to the new Nuclear Regulatory Commission (NRC). But the President's Commission found that the regulatory framework in place before the TMI accident was still flawed: "problems with the 'system' that manufactures, operates, and regulates nuclear power plants" contributed to the accident. An insufficient safety environment in the US nuclear industry and organizational failures in operator training, crisis procedures, and knowledge of previous incidents were contributing factors. The regulatory framework falsely equated compliance with narrowly prescribed and complex regulations with safety, and it focused on large accidents while ignoring the significant dangers posed by minor equipment failures.
Improvements since the accident have included the nuclear industry's establishment of the Institute of Nuclear Power Operations (INPO) in 1979 and the creation of an international operating-experience database into which reactor incidents are entered so that regulators and operators can learn from them. Had such a database existed before the Three Mile Island accident, the operators might have known about earlier stuck-open PORVs, isolated the leaking valve early, and avoided the accident.
Despite the lack of severe health consequences, the TMI accident prompted a large-scale evacuation of neighboring communities. It caused significant public concern and brought about major reforms in the NRC and in emergency response planning, reactor operator training, and regulatory oversight. But the accident also contributed to the start of a long decline in the construction of new nuclear power plants in the United States.
Chernobyl: operator error and design and safety culture problems. The Chernobyl nuclear power station in the Soviet Ukraine housed four RBMK-1000 graphite-moderated, water-cooled reactors. Unit 4 was scheduled for a safety test during a routine shutdown for maintenance; the test was meant to check a key safety feature for the case of an electrical blackout that stopped the reactor's cooling pumps. Emergency diesel generators would take between 40 seconds and three minutes to bring the pumps back up, long enough for the core to begin to overheat. The reactor designers had devised a mechanism that used the momentum of the spinning electricity-generating turbines to drive the pumps during this critical interval. Previous attempts to run such tests had failed, and by 1986 a successful test was more than two years overdue. (The following account is based on Adam Higginbotham's research into Soviet archives for his book, Midnight in Chernobyl.)
The fourth attempt at the safety test was scheduled for the afternoon of April 25, but the test and its accompanying shutdown were delayed to accommodate the region's power needs. The test was pushed to after midnight, when an unprepared operating crew would be in charge (although some from the earlier shift stayed to watch). As reactor power was being reduced in preparation for the electrical test, the deputy chief engineer insisted that power be taken well below the lowest recommended level, incorrectly assuming that lower power would be safer. At such low power levels, however, this type of reactor becomes unstable and difficult to control. The mistake was compounded when a reactor operator forgot to enter a fail-safe lower power setpoint into the automatic control system. Xenon-135, a fission product that strongly absorbs neutrons, built up in the core and drove power down to a dangerously low level. The operators should have shut down the reactor immediately, but they did not.
At this point, the deputy chief engineer ordered the operator to withdraw control rods to raise power. This nearly reversed the unintended shutdown the plant was sliding into, and because the operators managed to stabilize the reactor temporarily at a low power level, the deputy chief engineer decided to proceed with the test. As the test began, the control panel showed no sign of unusual conditions in the core, but steam was building in the coolant channels, and because of a flaw in the reactor design (a positive void coefficient, meaning that more steam in the core increases reactivity) the reactivity rose. When the operator pressed the "SCRAM" button, the control rods began to descend into the core. This would normally stop the nuclear reaction and shut down the reactor. But another critical design flaw, the graphite displacers fitted to the ends of the control rods, produced the opposite effect: as the fully withdrawn rods began to enter the core, the graphite displaced water and momentarily added reactivity instead of removing it, so the reactor generated more power and the reaction ran out of control. Nothing could be done to stop the temperature increase, which ruptured the zirconium alloy cladding and dispersed cladding and uranium oxide fuel into the surrounding water, creating still more steam.
Water circulation through the reactor stopped completely, and the remaining water turned to steam. A neutron pulse surged through the reactor, increasing its thermal power to 12 billion watts. Steam pressure inside the reactor surged, lifting the 2,000-metric-ton concrete-and-steel upper biological shield off its mounting. The temperature inside the reactor rose to 4,650 degrees Celsius. At 1:24 a.m. the reactor building was torn apart by a tremendous explosion equivalent to 60 metric tons of TNT. The biological shield was flipped into the air. The core of the reactor was completely destroyed. The uranium fuel, pieces of the control rods, zirconium channels, and graphite blocks were pulverized into tiny fragments and lifted into the air, spreading massive radioactivity over the surrounding area.
Serious operator errors contributed to the accident. In fact, all early investigations and reports by Soviet authorities blamed the accident solely on operator errors. Even the Soviet report to the IAEA in August 1986, presented by the respected academician Valeri Legasov, attributed the accident to operator errors. Yet a number of Soviet scientists had realized even before the accident that the RBMK-1000 reactor had serious design flaws. It was not until 1992, when the report of a Working Group of Soviet Experts was published as Annex II of INSAG-7 (the International Nuclear Safety Advisory Group's update of its original Chernobyl report), that the other serious contributors to the accident, namely reactor design deficiencies, a lack of appropriate nuclear safety culture, and a belief in the infallibility of the Soviet nuclear elite, were admitted.
As reported by the Soviet State Commission (Annex I of INSAG-7), the RBMK-1000 reactors suffered from profound defects in reactor design, which led to increased instability of reactor conditions in the event of an accident. The effects of these design deficiencies were made more pronounced by the size of the reactor core. Moreover, the RBMK was built without a containment structure because of its colossal size. The designers opted instead for other safety features, which turned out to be completely inadequate.
Additional reports indicate that three years before the accident, the reactor's designers had written to the management of the Chernobyl nuclear power plant warning of problems with the control rods. But the belief in "accident-free" Soviet nuclear power was so strong that no one responded to the letter. When Gorbachev was awakened at 5:00 a.m. on April 26, he asked how such an accident could have happened. The president of the Soviet Academy of Sciences, Anatoli Aleksandrov, had told him the RBMK-1000 was so safe it could be installed in Red Square; that it was, in fact, no more dangerous than a samovar. Because of this over-confidence in the RBMK design, the physical processes taking place in the reactor were neither fully calculated nor understood. Reliable safety systems were lacking, and operating personnel were able to override operating procedures. A culture of secrecy and a lack of effective oversight of the Soviet nuclear program by its regulatory authority also contributed to the accident.
As a result of the Chernobyl accident, nuclear regulators addressed and minimized the design flaws in the RBMK reactors still in operation; the reactors' safety systems were improved, and design and operating documentation was corrected. No new RBMK reactors were ordered after Chernobyl, and Russia has since built safer, modern light water reactors instead. The concept of "safety culture" was extended beyond operations to cover all stages in the life of a nuclear power plant, and management practices, laws, and government regulations were adopted to create a national climate in which attention is paid to nuclear safety on a daily basis. New legislation in the Soviet Union, and later in Russia, established the liability of persons who deliberately concealed, or failed to disclose to the public, the consequences of environmental disasters or man-made accidents. Information relating to the environmental safety of sites could no longer be classified as secret.
Fukushima: management and regulators collude in a "manmade" accident. The Fukushima Daiichi nuclear power plant consisted of six boiling water reactors, a type of light water reactor. They were designed by General Electric and constructed and operated by the Tokyo Electric Power Company (TEPCO). The accident began on March 11, 2011, when a major earthquake sent a tsunami roughly 15 meters high toward the east coast of northern Japan. Units 1, 2 and 3 were in operation; Units 4, 5 and 6 were shut down for periodic inspections. The three operating reactors shut down automatically upon sensing the earthquake, which also cut all electricity coming from outside the plant site. Although the reactors shut down as designed, the radioactive decay of fission products in the core continued to generate heat, so the reactors still had to be cooled. Emergency diesel generators were expected to power the emergency core cooling systems during such a station blackout, but the tsunami overtopped the plant's protective seawall and flooded the building basements that housed the emergency power sources, including the diesel generator sets, the electrical distribution system, and the backup batteries. Most units thereby lost electrical power and, most important, their cooling systems. The resulting loss-of-coolant accidents led to three core meltdowns, three hydrogen explosions, and a significant release of radioactive contamination from Units 1, 2 and 3.
Operator errors played only a small role in the Fukushima disaster. Much of the blame must be shouldered by TEPCO, the plant's owner, and by the Japanese nuclear regulatory agency. TEPCO repeatedly ignored estimates, including from experts within the company, that the plant's 5.1-meter seawall was insufficient given historical tsunami data. In a scathing report, an independent commission established by the Japanese National Diet found that the causes of the accident had been foreseeable, and that TEPCO had failed to meet basic safety requirements such as conducting risk assessments, preparing to contain collateral damage, and developing evacuation plans. The commission stated that "the accident was the result of collusion between the government, the regulators, and TEPCO, and the lack of governance by said parties. They effectively betrayed the nation's right to be safe from nuclear accidents. Therefore, we conclude that the accident was clearly 'manmade.'" The International Atomic Energy Agency faulted lax oversight by the Ministry of Economy, Trade and Industry, noting that the ministry faced an inherent conflict of interest as the government agency in charge of both regulating and promoting the nuclear power industry.
The organization of the emergency response at Fukushima was also criticized. The commission found that no response measures were in place for severe accidents. All actions had to be approved beforehand by people who were not present at the plant; in some cases even the prime minister had to approve critical actions. The commission found that "the government, the regulators, and TEPCO management lacked the preparation and the mindset to efficiently operate an emergency response to an accident of this scope." Confusion reigned as some 154,000 residents were evacuated from the surrounding communities. The commission concluded that "the residents' confusion over the evacuation stemmed from the regulators' negligence and failure over the years to implement adequate measures against a nuclear disaster, as well as a lack of action by previous governments and regulators focused on crisis management."
The Japanese government has since made significant efforts to improve the nuclear industry's safety culture and to ensure the independence of the Japanese nuclear regulator, replacing the old agency with the Nuclear Regulation Authority in 2012. In July 2013, the government established new regulatory standards for nuclear power plants. As of July 2018, only five plants with nine reactors, out of the 54 reactors in operation at the time of the accident, had met the new standards.
Mechanical failures and operator errors contributed to each of the three major nuclear accidents we examined. But a closer look reveals that the root causes were profound deficiencies in the management and organizational structures of the nuclear industry and of government agencies, a lack of independent regulatory institutions, and inadequate lessons-learned programs. None of the three countries had an independent regulatory agency at the time the reactors were licensed. As a result of the TMI accident, the US Nuclear Regulatory Commission was greatly strengthened and an effective industry group was created. The Soviet Union did not learn the lessons of TMI. Japan did not learn the lessons of TMI or Chernobyl, in spite of the establishment of the World Association of Nuclear Operators (WANO) after Chernobyl. One objective of WANO was to end the illusion that nuclear power plants could operate solely within the confines of their own companies or countries. Chernobyl made it clear that an event at one plant affected every plant and that nuclear safety was everyone's business. Yet Japan did not learn that lesson until after Fukushima.
Fortunately, many countries have revised their nuclear power development programs and taken measures to strengthen safety requirements, including independent regulators, stricter safety standards, replacement of obsolete reactors with modern ones, and additional safety measures at the design and construction stages of new reactors. Personnel training systems have become an integral part of safety systems, and safety-culture principles are now fundamental. As part of "lessons learned" efforts, response plans for radiation incidents and emergencies have been updated. The International Nuclear and Radiological Event Scale (INES), a tool for promptly communicating to the public the safety significance of reported nuclear and radiological incidents and accidents, has also been updated, and the IAEA has created a unified system for collecting information on incidents and emergencies at nuclear facilities.
Good summaries, for all three locations!
It is important to recognize-- even though the Soviet Union never admitted it-- that the choice of the RBMK design was politically based: Because these reactors can be refueled online, they can operate with fuel exposures on the order of a few weeks, a necessary condition for Pu production for weapons. With RBMKs in multiple locations, the USSR had several sources for producing such materiel, thus protecting them against an attack on any one site. The Soviet nuclear hierarchy undoubtedly was aware of the kink in the RBMK reactivity curve, i.e., the positive coefficient at low power levels; they accepted it in order to allow the construction of multiple RBMKs...