human-factor design and nuc-2 4096x2315@1x









What Root Cause Analysis’ names human-factor plays a decisive role.   A role made decisive as Root Cause of the majority (over 50 %) of all of the incidents registered in the productive processes.   To deepen Root Cause Analysis' relevance and features, we’ll intentionally deviate afar from our familiar Food and Beverage productive process.   We’ll examine a case showing the relevance of the human-factor and the strict interrelation existing between the apparently normal sequence of Events in a night work shift at a power plant and the most modern Events’ tree-like structure.  


Where

Chernobyl, USSR, in the control room of the nuclear power plant, an example below.

   Control room of a 1 gigawatt electric power nuclear reactor RBMK, similar to no. 4 at Chernobyl, USSR, 28 April 1986


Who






  • Engineer Alexander Akimov, responsible of the night shift of the reactor’s Operators; 
  • Engineer Anatoli Dyatlov, deputy chief engineer of the plant.


What

Action in a RBMK-1000 (Reaktor Bolshoy Moshchnosti Kanalniy, High Power Channel-Type Reactor) graphite-moderated reactor, cooled by boiling water.   Design visible below, reproduced in total 26 reactors, 11 of them presently operating:

     Schematic of the symmetric 2 x 500 MW RBMK reactors, totalling 1 GW of electric power, 3.2 GW thermal power. In evidence (“11”) the circulation pumps assuring reactor's cooling (image Stefan Riepl/CC-BY-SA-2.0/2011)


rbmk-1000 building med hr

According to engineering calculations, the mechanical inertia of the plant’s electric turbines would have allowed them to generate enough electricity to power the circulating water pumps to cool the core.   Delay ranging 30 to 50 seconds, vital to have time to start the emergency diesel generators thinked to re-establish a stable cooling in these emergency conditions.   This type of test had been run during several previous shut-down periods, along a couple of years, but the results because of one reason or another, revealed themselves permanently inconclusive.   And that’s why it has been decided to repeat it, so to verify the correcteness of the engineering calculations, answering the question: 

Would be provided an adequate amount of cooling water, even in the case of a complete loss of power to the electric generating complex ?


 Building a 3.2 GW thermal  RBMK reactor (image Narod.ru/2014)


The question may look at a first sight an “academic” one.  Not one meriting to risk so much.   It is on the opposite an important one because in the real world, a complete loss of power to the electric generating complex is an eventuality not only as a consequence of:

  • earthquake;
  • earthquake followed by tsunami (Fukushima, 2011 docet !);
  • terroristic attack;
  • military attack.


nuclear incidents analysis 4096x5040@1x

When

The test is planned for the night of April 25, 1986.  A time when the plant was to be shut down for maintenance.  In these conditions, the test procedure imagined its power output not needed for the electrical grid.  Who thinked the test ignores that at low reactor power, the inlet temperature may become dangerously high.   Human-factor acted like a condition, selecting following Events prone to favour an incident. 



Condition  

Who thinked the test

Who thinked the test were specialists in electric generators, but not in nuclear reactors. The specialists of nuclear reactors, before that night, had few contacts with the electric generators’ specialists.   The fact that the test was not collegially studied by specialists in electric generator and nuclear reactors acted later like a condition for the incident, the effect.   Human-factor acted like a condition, selecting following Events prone to favour an incident. 



Condition - Classified informations 

Contrary to what could seems obvious, the staff involved in the operation of the reactor and in the test, was not fully aware of previous experiences in other similar Plants nor of deeply knowing all of the intricacies of the complex process to handle.   Why not ?    Classified informations, only knew by:

  • the staff of each one Plant with a direct personal experience of lived cases, 
  • the bureau which designed the systems,
  • a regulatory authority which endorsed the systems’ design, safety and operation.  

Informations classified due to the fact that reactor's original design is a military one devoted to Plutonium production.   A 3200 MW thermal reactor like this, can produce 3200 grams of Plutonium per day.   In two days of operation, it makes available the amount of Plutonium in the pit of a 21 kton (88 TJ) implosion-type A-bomb.  

    Blueprint of the Chernobyl symmetric 2 x 500 MW RBMK reactors, totalling 1 GW of electric power, 3.2 GW thermal power



    (image credit RIA Novosti/A. Kryazev/2015)


Condition - Undetermined initial conditions








                 Alexander Akimov







                    Anatoli Dyatlov

But, the initial conditions for the test resulted different than what planned on the paper, putting the entire power plant into an unusual context:  

  1. the electrical grid needed the power longer than expected, it was only after midnight, then April 26th, 1986, at 1:23:04, then at when the plant was finally allowed to start the test.   The delayed start of the test resulted in a “power history” characterised by high concentration of fission product poisons, like i.e. the today (infamous) isotope Caesium-137.  Meaning that the test itself is forcedly started in conditions riskier than those originally planned;
  2. a new shift of staff had just taken over.   Worse, the new shift not familiar with the test because the off-going shift's engineers did not instructed fully their collegues about the initial conditions they’d have encountered.  Human-factor acted like a condition, selecting following Events prone to favour an incident. 

The sum of the conditions at the test onset resulted different than any situation considered during the design of the nuclear reactor control system. 


Condition - Over management

The man in charge of the test, Anatoli Dyatlov, deputy chief engineer of the plant, involved in the test preparations and in setting the initial conditions, had a reputation as an irritable taskmaster.  Records show that he was particularly impatient on that fatal night: constantly and impatiently pushing Alexandre Akimov to proceed, also front of the concerns showed by the group of Operators.   This behaviour by Anatoli Dyatlov could be explained by the political system.  Providing incentives to maximize production and other career-related economic awards.  Failures, on the opposite, criticized or punished by reassignment.  Since two years this particular test was being delayed.   Human-factor acted like a condition, a negative rule of selection of following Events prone to favour an incident.


Condition - Design

RBMK reactor's design implies: 

  • nominal temperature of the cooling water at the inlet of the reactor (265–270) °C;
  • outlet temperature 284 °C;
  • pressure in the drum separating liquid by steam 6.9 megapascal (69 bar);  
  • the pressure and the inlet temperature determine the height at which the boiling begins in the reactor; 
  • if the coolant temperature is not sufficiently below its boiling point at the system pressure, the boiling starts at the bottom of the reactor instead of its higher parts;
  • if the coolant temperature is too close to its boiling point, cavitation can occur in the pumps and their operation can become erratic or even stop entirely;
  • reactor vessel contained in a single containment bulding.  In the rest of the World always two concentric containment buildings, to prevent losses of radioactive isotopes in the atmosphere.   A second should not have impeded the explosion but should have reduced greatly the immediate human losses and prevented the worldwide outfeed of radioactive ashes.   How many containment buildings shielding a core by the Environment, is a subject in the domain of responsibility of the Designers;  
  • the reactivity of the RBMK reactor, and hence its power output, rises is coolant is lost from the fuel channels.  Clue to a RBMK design's dangerous flaw.


Time-ordered sequence of Events

arrow

For this test, the reactor should have been stabilised at about 1000 MW thermal power, before to shut down.  Due to an operational error the power fell to about 30 MW thermal.  The positive void coefficient became dominant:

  1. the operators tried to raise the thermal power to (700 - 1 000) MW by switching off the automatic regulators and freeing all the control rods manually;
  2. at about 01:00 hr on 26 April, 1986 the reactor was stabilised at about 200 MW thermal;
  3.  a standard operating order requested minimum 30 control rods to retain reactor control, but in the test only 6-8 control rods were used. This meant that in the case of a power surge, would have be necessary to wait ~20 seconds to lower the control rods and shut the reactor down.  A risky delay, but it was decided to continue the test;
  4. 01:23:04 am: the test began;
  5. four of the main circulating pumps were active; 
  6. of the eight total circulating pumps, six are normally active during regular operation;
  7. the steam to the turbines was shut off, beginning a run-down of the turbine generator;
  8. the back-up diesel generators started and sequentially picked up loads; 
  9. the generators were to have completely picked up the main circulating pumps' power needs by 01:23:43 hours;
  10. in those 39 seconds since the start of the test, the power for the main circulating pumps was to be supplied by the turbine generator as it coasted down;
  11. as the momentum of the turbine generator decreased, however, so did the power it produced for the pumps;
  12. the water flow rate decreased, leading to increased formation of steam voids (bubbles) in the core.   Steam absorbs neutrons much less readily than water. Increasing the intensity of vaporization implies more neutrons able to split Uranium atoms, increasing the reactor’s power output;
  13. at 01:23:40 hours Alexander Akimov, probably alarmed by the dangerous increase of core temperature, pushed the reactor shut down push button visible in the figure below;
  14. the reactor jumped to a thermal power of ~33 GW (33 billion watts), eleven times the normal operational output !
  15. first steam explosion, destructing the reactor’s casing, tearing off and lifting the 2000 ton metal plate, to which the entire reactor assembly is fastened;
  16. second more powerful explosion of the core, starting a fire of radioactive graphite; 
  17. a first group of 14 firemen arrived on the scene of the accident at 1:28 am;
  18. from 01:23:43 til 02:23:43 am unprotected workers received fatal doses of radioactivity;
  19. dosimeters, being yet buried into rubbles, provided to the team of reactor’s Operators erroneously low measurements of radioactivity, inducing them to erroneously assume that the reactor was intact;
  20. at 04:30:00 am the evidence of pieces of graphite and reactor fuel lying around the building, seen by the firemen was still ignored by the reactor’s Operators; 
  21. none of them wore any protective gear and most, including Alexander Akimov, died from radiation exposure within three weeks.











 Pellets of nuclear fuel. Nuclear reactors use uranium fuel rods to create energy through fission. Fission is the process of splitting the nuclei of Uranium atoms to release neutrons that in turn split more atoms, releasing more neutrons. Criticality means that a reactor is controlling a sustained fission chain reaction where each fission event releases a sufficient number of neutrons to maintain an ongoing series of reactions.  In the balanced state of criticality, fuel rods inside a nuclear reactor are producing and losing a constant number of neutrons, and the nuclear energy system is stable



Human-factor  -  The Actor 

Alexander Akimov did not knew that pushing the reactor shut down button could lead to a dangerous insertion of positive reactivity.  To imagine his situation, it might be helpful to think to a brake pedal that, without the driver’s knowledge, transformed itself into an …accelerator !     The forensic investigation, itself a Root Cause Analysis because looking for the causes of the incident, carried on in 1986 with Akimov yet died because of radiations, traced back to the action on a push button the Root Cause for a disaster which killed 60 immediately and well over 2000 others in the aftermath. 


scram  at chernobyl 4096x3079@1x

  Reactor emergency shut down push button. In evidence the plastic guards set to prevent accidental actions and the seal to broke to gain access the push button. Root Cause of the Chernobyl catastrophe was considered the fact to have pushed this button. The test which created the alarming scenario is a condition. Distinction motivated by the fact the reactor emergency shut down push button, let the coolant temperature increase.  Increase enough to create steam voids which let the reactor jump to a thermal power of ~33 GW (~33 billion watt), eleven times its plate operational output. Root Cause is the last condition, in a long row of preconditions, triggering the Effect



Other branches








There were several times during the period before the test, when the engineers thinked to act differently than what we know, so doing averting the catastrophe.   Reason was they did not like the way that the nuclear reactor was responding to their control inputs.   As an example, if they had taken appropriate action (to suspend the test) they would:

  1. have averted the catastrophe, saving their own life, in some of the cases (“branches”) resulting by the specific action, but resulting punished by Dyatlov for delaying the test and the subsequent maintenance period;
  2. not have been rewarded for their different decisions and actions in other cases (namely, other “branches”).   Meaning that other superimposed branches took origin by conditions however implying core’s overheating, explosion, melt-down and catastrophic effects.



 Events’ structure in the modern tree-like view.  The same effect we know it happened, should have happened also in the future of other joint set of conditions, themselves Root Causes.  The figure represents just a few of the multitude of branchings terminating in that effect.  Visibly, Root Causes are Conditions.  In today’s mainstream view, a different term is attributed on base of what really is the “measure” of the branch.  Say, its section or amount of superimposed individual components. Viewing the cause-effect process til its extremely fine-details, no Time nor Space exist (no vertical Time axe). Developing are superpositions of wave packets of the Quantum Field











Both effects above, corresponding to successful (1.) and unsuccessful (2.) outcomes of the appropriate decision not to proceed with the test and not to press the reactor shut down push button when temperature was yet too high, simultaneously existed.   Existed in superposition, a kind of existence far from our common sense.   A kind of existence which can only be fully defined in mathematical terms in an abstract space (Hilbert) where all possible outcomes of an action exist before the action.    But the records available today, in the future of some of the branches, tell us that during that early morning of April 26th, 1986 the nuclear power plant engineers had a unique reason to discontinue the test.   A marked sense of confusion, arising by the procedural indications visibly conflicting with the conditions they encountered.   They are a multitude the conditions which built up the system state in the moment when the Root Cause acted.  Refer to the figure below:   


 Historical tree-like structure around the point “q”  corresponding to the content of the 3-D slice (or leaf, or sheet) including reactor no. 4 at Chernobyl, on Apr. 26, 1986 at 01:23:40 hours am. The place where acted the Root Cause.  Here Alexander Akimov, alarmed by the dangerous increase of core temperature, acted on the reactor shut down push button. In some of the future branches thus triggering an abrupt 11-fold increase of the nuclear reactor power to a thermal power of ~33 billion watt.  In other future branches, just shutting down the reactor.  In a multitude of other branches, determining intermediate outcomes. As an example, increasing to 3.5 billion watt the thermal power, well into reactor’s design limits. 

  • Yellow-coloured   subset of all of the initial conditions including the RBMK-reactor design and approval; 
  • Red-coloured   unsuccessful subset of all of the outcomes. Set of all of the branches where a negative effect arose by the Root Cause;
  • Green-coloured   successful subset of all of the outcomes. Set of all of the branches where a positive effect arose by the Root Cause.










Visible a historical tree-like structure around the point “q” corresponding to the content of the slice (or leaf, or sheet) including Chernobyl, on Apr. 28, 1986 at 01:23:40 hours where the Root Cause acted.   At that time, place and branch Alexander Akimov, alarmed by the dangerous increase of core temperature, acted on the reactor shut down SCRAM push button.  Thus, triggering (Root Cause) an abrupt 11-fold increase of the nuclear reactor power to the impressive thermal power of ~ 33 gigawatt.

chernobylcaesium-600

    Cesium-137 distribution over Europe caused by Chernobyl incident hints to the “unsuccessful subset” of all of the outcomes. Animation courtesy Met Office. Contains public sector information licensed under the Open Government Licence v1.0





  • Yellow-coloured,  the subset of all of the initial conditions where the RBMK-reactor exists. They represent physical properties, tentatively time-ordered as:
    1. Unknown initial conditions in the remote Past of q;
    2. 40 years before the incident, a Design bureau proposes the RBMK design. Since the start an extremely powerful, cheap but dangerous design whose details were classified;
    3. Kurchatov Institute of Atomic Energy approves that particular design and rules of operation;
    4. RBMK-design cloned 26 times in different places, including Chernobyl.
    5. outfeeding by the yellow-coloured set of initial conditions, as time passes more an more branchings, namely interferences happening in correspondance to human choices and random phenomena, until the early morning of Apr. 26, 1986.  
  • Root Cause,  the couple of segments whose vertex lies at the point q is the change.  A change triggering a future catastrophe, indicated by the set of outcomes present into a red-coloured circle. At the vertex, what really happens is an interference between a multitude of past branches including conditions prone to provoke a catastrophe.  Risk-factors, as seen from an Insurer’s point of view;
  • Red-coloured,  unsuccessful subset of all of the outcomes. Set of all of the branches where a negative effect arose by the Root Cause. 
  • Green-coloured,  successful subset of all of the outcomes. Set of all of the branches where a positive effect arose by the Root Cause;
  • Past of q, out of yellow-coloured set (RBMK reactor design-related), represent the multitude of branches (or, slices, or leaves, or sheets) causally disjoint with respect to the subset causally-connected to q;
  • Future of q, out of the red- and green-coloured sets, represent branches causally-related to the disaster-fated yello-coloured initial conditions. Causally-related but  corresponding to intermediate outcomes implying no more than an incident, but not a catastrophe.  As an example, triggering an increase from 3.0 to 3.5 billion watt of thermal power, well into reactor’s design limits.  Operative states commonly happening in all nuclear power stations.
Chernobyl RCA case study

 The Soviet Committee who studied the long-term Effects, assessed in 45000 the total number of Europeans who should have later died (mainly, cancer or leukaemia) because of the Events triggered by a Root Cause.  IAEA, representing tens of other countries adopting civil nuclear power generation technologies, countered the amount trying to reduce it eleven times to … just 4000 deaths (images credit Christiaan and Kseniya Welzel/2014)


“The mere knowledge of the Past, some branches of the entire tree-like evolution in the state space, does not encompasses the Future states”

The tree-like structure graphics seen and commented above is a bold demonstration of a fact.   The mere knowledge of the Past, some branches of the entire tree-like evolution in the state space, does not encompasses the Future states.   If we return here to the Actuarial Science of the Lloyd’s® and their Risk Assessment's logic, we understand how many excellent reasons they have when collecting data.   Reasons to add recent data about newly happened incidents and accidents to the historical populations used until now to assess the Risk.




Conflictive interests 


establishing Incident’s Root Causes

rca helps prevent economic  4096x2569@1x
















Back of an incident, whatever its scale, an electronic card fault in an industrial equipment stopping a productive process or  the massive scale of Chernobyl-like disaster, there is always a multitude of causes.   In the case of RBMK-reactor the incident was not clearly triggered (a synonimous of caused) by any natural event, i.e. an hurricane, earthquake or tsunami.    No doubt the causes were several human-choices.    Part of the incidents has economic effects and those incidents with far reaching negative economic effects, are the typical scenario where to expect a row of intentional and scientifically studied falsifications.   Falsifications by Who knows to have took the decisions which later acted as a collective auto-goal.   Falsifications finalised to hide to the still unaware Third Parties “What decisions by Whom” caused the incident and its consequences.   The image before, referred to Chernobyl Case, presents the sum of “120 billions of good reasons” for the Falsifiers of that particular Case.    When these things happen, truth, professionality and sense of duty become just words.  As an example, RBMK reactor's Design is something that nor Alexander Akimov nor his boss Anatoli Dyatlov, deputy chief engineer of the Plant, could have influenced.   Design is part of the branching “before” the special node (an interference) defining the onset of the action named Root Cause.  Were Designers, those who served that radioactive dish to Alexander Akimov and his staff.    Valeri Legasov, the first deputy Director of the Kurchatov Institute of Atomic Energy which approved that particular design, suicided.  In defense of those Designers, there is to remember they applied choices implicit in pre-existing policies.   Policies decided by statal administrative managers backed by politicians.  Polices defining the maximum total cost of production for each one kWh of electric energy introduced in the power grid. 


 Control rods in one of the reactors at  Bruce Site, Ontario, Canada.  With its capacity of 6.2 gigawatt electric power, the World’s most powerful nuclear power plant.  6.2 gigawatt safely distributed through total eight reactors. Also, an overall different design, truly Civil, of each one reactor with respect to the RBMK which is simply a Military one, born in the ‘40s to provide each two days the 6.4 kg of Plutonium necessary to constitute the highly fissile material of a single “pit” in an atomic bomb.  As an example, the control rods are here visibly horizontal, rather than the RBMK-vertical.  Presenting this way the disadvatange with respect to the RBMK to require a shut down of the entire reactor to discharge spent fuel and charge new.  But also much safer than the RBMK, when considering that all control rods are equally exposed to the cooling fluid.  Not only in the bottom, like the RBMK design (image credit Bruce Power/2014)

1986: “Guilty” is the Dead Man













To establish a Root Cause die to human-factor or design-related, obviously attribute also quite precisely the responsibility for the effects of an incident.  In August 1986, four months after the incident, the blame was fixed on the less politically connected (and, most important, yet died !) power plant Engineers:

  • attributing the role of main Root Cause to Akimov, when actioning the reactor's emergency shut down push button;
  • Anatoli Dyatlov, deputy chief engineer of the plant, was sentenced to ten years of jail and died a few years later.


1992: “Guilty” is the Design

It was necessary to wait other 6 years until IAEA, finally recognised in 1992 the macroscopic Design-flaws affecting the entire family of reactors RBMK.  Thus escalating them from priorly attributed role of Conditions to the new decisive of Root Causes.   The total cost of the incident, keeping apart the thousands of human-losses, radiation-related wounds and contamination-related illnesses, summed up to 80 billion rubles, today equivalent to over 120 billion US-dollars



Links to other Case Studies:





                                                                                                                                                                                                                                                                                                                                                                                                                                                         
Webutation
                                                                                                                       © 2013-2015 Graphene.  All rights reserved                                                         DMCA.com Protection Status                    

                                     
                                              
TRUSTe Privacy Policy Privacy Policy
Site protected by 6Scan