Chernobyl: The Safety Test

How a routine turbine test exposed a reactor design flaw and destroyed Unit 4

By VastBlue Editorial · 2026-03-26

Series: What Really Happened · Episode 6

The Test That Could Not Wait

On the night of 25 April 1986, the operators of Reactor No. 4 at the Chernobyl Nuclear Power Plant, near the city of Pripyat in northern Ukraine, were preparing to conduct a safety test. The test was not unusual in concept. It was designed to answer a straightforward engineering question: if the reactor lost external power and the emergency diesel generators needed time to spin up — roughly 45 to 75 seconds — could the residual rotational energy of the steam turbine, as it coasted down, generate enough electricity to keep the reactor's coolant pumps running during the gap? It was, in essence, a bridging-power test. The reactor had been designed to withstand a station blackout, but no one had ever confirmed that the turbine run-down could actually cover the interval. The test had been attempted three times before, in 1982, 1984, and 1985. Each time, the results were unsatisfactory. Each time, the turbine voltage decayed too quickly. Each time, the test was rescheduled.

By April 1986, the test had become something of an institutional irritant. The plant's chief engineer wanted it completed before the reactor was shut down for scheduled maintenance. The test programme had been written by an electrical engineer, not a nuclear physicist. It had been approved at the plant level, but it had not been reviewed by the nuclear regulator, the State Committee for the Supervision of Safe Conduct of Work in the Atomic Power Industry, nor by the reactor's designer, the Scientific Research and Design Institute of Energy Technology — known by its Russian acronym, NIKIET. The procedure called for the reactor to be operated at reduced power — between 700 and 1,000 megawatts thermal — with key safety systems disabled to prevent them from interfering with the measurements. Nobody in the approval chain appears to have fully considered what it meant to operate an RBMK-1000 reactor at low power with its emergency core cooling system disconnected.

The test was originally scheduled for the afternoon of 25 April, during the day shift. The reactor had been running at full power — approximately 3,200 megawatts thermal — and was to be gradually reduced. By 13:00, the reactor had been brought down to roughly half power. Then a call came from the Kyiv electricity grid controller: the Pivdennoukrainsk power station had gone offline unexpectedly, and the grid needed Chernobyl's output. Could the power reduction be delayed? It could. The test was postponed. The reactor was held at approximately 1,600 megawatts thermal for the next nine hours.

This delay would prove critical, though not for the reason most people assume. The common narrative is that the night shift was unfamiliar with the test procedure. This is partly true — the handover was imperfect, and the night crew had less experience with the specific test parameters. But the real consequence of the delay was physical, not organisational. During those nine hours at half power, the reactor had been building up xenon-135, a powerful neutron absorber and a natural byproduct of nuclear fission. Xenon-135 is sometimes called a "reactor poison" because it captures neutrons that would otherwise sustain the chain reaction. At full power, the xenon is burned off as fast as it is produced. At reduced power, it accumulates. The reactor was slowly filling with a substance that made it harder and harder to sustain a nuclear reaction. The operators were walking into a xenon pit — and the RBMK reactor design made that a far more dangerous situation than it would have been in almost any other reactor type in the world.

The Reactor That Could Not Be Trusted

To understand what happened at Chernobyl, it is necessary to understand what an RBMK reactor is, and what makes it fundamentally different from the pressurised water reactors that dominate the Western nuclear fleet. The RBMK — Reaktor Bolshoy Moshchnosti Kanalnyy, or High-Power Channel-type Reactor — was a Soviet design, unique to the USSR and its allies. It was a graphite-moderated, water-cooled, channel-type reactor. That combination of materials is the source of its fatal flaw.

In any nuclear reactor, the chain reaction is sustained by neutrons. Uranium-235 atoms split when struck by a neutron of the right energy, releasing heat, more neutrons, and fission products. Those neutrons must be slowed down — moderated — to the right energy to sustain the reaction. In a pressurised water reactor, the water serves both as coolant and moderator. If the water boils away or is lost, the moderation stops and the chain reaction slows. The reactor has a natural braking mechanism built into its physics. This property is called a negative void coefficient — less coolant means less reactivity.

The RBMK was different. In the RBMK, the moderator was not the water — it was the graphite. The graphite blocks surrounding each fuel channel provided the neutron moderation. The water flowing through the channels served only as a coolant. This separation of functions created a profoundly dangerous characteristic. If the water in the channels boiled — forming steam voids — the neutron-absorbing properties of the water were lost, but the graphite moderator remained, continuing to slow neutrons to the energy needed for fission. The result was a positive void coefficient: less coolant did not slow the reaction — it accelerated it. The reactor had a built-in tendency to run away when it lost cooling, exactly the opposite of what safety demanded.

Positive void coefficient: the RBMK design flaw at the heart of the disaster. Unlike pressurised water reactors, the RBMK became more reactive when coolant was lost — a fundamental instability that the Soviet nuclear establishment knew about but chose not to disclose to operators.

The designers at NIKIET knew about the positive void coefficient. It had been identified during the design phase in the 1960s. Internal documents show it was discussed, debated, and ultimately accepted as a manageable characteristic. The reasoning was pragmatic: the RBMK design had significant advantages for the Soviet nuclear programme. It could be built using existing industrial infrastructure — no massive pressure vessels requiring specialised steel forging were needed. It could be refuelled while running, increasing capacity factors. It could be scaled to enormous outputs. And it could produce weapons-grade plutonium as a byproduct of power generation, a consideration that was never officially stated but was widely understood within the Soviet nuclear establishment. The positive void coefficient was treated as an engineering trade-off, to be managed by operating procedures and administrative controls rather than eliminated by design.

But there was another design flaw, less discussed and arguably more immediately lethal. The RBMK's control rods — the boron carbide rods that operators inserted into the reactor to absorb neutrons and slow the chain reaction — had graphite tips. Each control rod had a section of graphite extending below the boron absorber material. When a control rod was inserted into the reactor from its fully withdrawn position, the graphite tip entered the channel first, before the absorber section reached the active zone. Graphite is a moderator. In the lower part of the core, where the graphite tip displaced water as it entered, it briefly increased reactivity before the absorber section arrived to reduce it. This meant that in certain conditions — specifically, when many control rods were fully withdrawn and then inserted simultaneously — the initial effect of the safety action was to make the reactor more powerful, not less. The emergency shutdown system contained, within its mechanism, a brief but violent acceleration of the very reaction it was designed to stop.

This flaw was known within a small circle of reactor physicists. It had been observed in calculations and in operational data from other RBMK units. A partial fix was available — the graphite displacers could have been redesigned or the rods modified to insert from a partially inserted position rather than from full withdrawal. Neither modification was implemented across the RBMK fleet before April 1986. The information about the control rod behaviour was classified or restricted. The operators at Chernobyl did not know that pressing the emergency shutdown button could, under certain conditions, cause the reactor to spike before it shut down. They trusted the AZ-5 button — the emergency protection system — the way a pilot trusts the ejection seat. They had no reason to believe it could make things worse.

01:23:40 — The Forty Seconds

At 23:10 on 25 April, the operators began reducing power for the test. The plan called for stabilising the reactor at 700-1,000 megawatts thermal. But the operator responsible for the power reduction — likely due to a failure to switch the automatic control system to the correct mode — allowed the power to drop far below the intended level. At approximately 00:28 on 26 April, the thermal power fell to roughly 30 megawatts. The reactor was nearly shut down.

At this power level, the xenon-135 that had been accumulating for hours was overwhelming the reactor. The operators should have shut down completely and waited approximately 24 hours for the xenon to decay. The operating procedures required it. The physics demanded it. But the test had been delayed for hours already. It had been postponed for years. The institutional pressure to complete it was palpable. Anatoly Dyatlov, the deputy chief engineer supervising the test, is widely reported to have insisted that the test continue. The operators began withdrawing control rods to increase power — pulling out rod after rod to overcome the xenon poisoning.

Over the next hour, by withdrawing nearly all available control rods, the operators managed to stabilise the reactor at approximately 200 megawatts thermal — well below the 700-megawatt minimum specified in the test procedure and dangerously below the level at which the RBMK could be operated safely. At this power level, the positive void coefficient was at its most dangerous. The reactor was barely sustaining a chain reaction, held in a precarious balance by the counteracting forces of xenon absorption and the near-total withdrawal of control rods. The operating reactivity margin — the number of equivalent control rods available to shut down the reactor — had fallen to between six and eight. The minimum allowed by regulations was fifteen. The reactor was still running, but with a safety margin far below the permitted minimum. Any small perturbation — a pump trip, a change in coolant flow, a pressure fluctuation — could tip the balance.

6-8 rods: operating reactivity margin at the time of the test. The minimum allowed by safety regulations was 15 equivalent control rods. The operators had withdrawn nearly all available rods to overcome xenon poisoning and maintain power at 200 MW.

At 01:23:04, the test began. The operators closed the steam valves to one of the two turbines, simulating a loss of power, and began recording how long the turbine's rotational inertia could sustain electrical output. With the steam supply cut, coolant flow through the reactor began to change. The reduced flow meant less cooling. Less cooling meant more boiling. More boiling meant more steam voids in the fuel channels. And in an RBMK reactor at low power with a positive void coefficient and almost no control rods available, more steam voids meant more reactivity.

The power began to rise. It rose slowly at first, then with gathering speed. At 01:23:40, the shift supervisor — or possibly Dyatlov himself, accounts vary — ordered the AZ-5 button pressed. This was the emergency shutdown. All control rods began driving into the reactor simultaneously from their fully withdrawn positions. The graphite tips entered first.

What happened next took between three and four seconds. The graphite displacers at the tips of the control rods, entering the lower part of the core, displaced water and added reactivity to a reactor that was already accelerating. The power spike was instantaneous and catastrophic. The INSAG-7 report, published by the International Atomic Energy Agency in 1992, estimated that the power surged to approximately 30,000 megawatts thermal — roughly ten times the reactor's rated capacity — in a fraction of a second. Other analyses have suggested the spike may have been even higher, perhaps 100 times rated power, though the instruments were destroyed before they could record the peak. The fuel pellets fragmented. The zirconium cladding ruptured. Superheated steam and molten fuel interacted in a steam explosion of enormous force.

The first explosion — likely a steam explosion caused by the rapid vaporisation of coolant water — blew the 1,000-tonne upper biological shield off the reactor, severing all 1,661 fuel channels and every control rod channel simultaneously. A second explosion followed within seconds. Whether the second blast was a second steam explosion, a hydrogen explosion from the reaction of steam with zirconium cladding and graphite, or — as some researchers have argued — a low-yield nuclear excursion, remains debated. What is not debated is the result. The core of Reactor No. 4 was destroyed. The building housing it was torn open. Over 1,200 tonnes of graphite moderator, much of it now burning, was exposed to the open air. Fragments of nuclear fuel and graphite were scattered across the plant site. The fire that followed burned for ten days.

The Human Cost and the Soviet Response

Two plant workers — Valery Khodemchuk and Vladimir Shashenok — died within hours of the explosion. Khodemchuk's body was never recovered; he is believed to have been in the main circulation pump room when the explosion occurred. Over the following hours, firefighters from the plant's own brigade and from the nearby city of Pripyat arrived to fight the fires burning on the roof of the turbine hall and the remains of the reactor building. They worked without adequate dosimetry, without protective equipment rated for the radiation levels they encountered, and without being told what had actually happened. Many of them received lethal doses of radiation within minutes. Of the 134 plant workers and emergency responders diagnosed with acute radiation syndrome in the weeks following the explosion, 28 died within four months. Their deaths were agonising — the destruction of bone marrow, gastrointestinal lining, and skin by ionising radiation is among the most terrible ways a human being can die.

The Soviet response to the disaster was shaped by the same institutional culture that had contributed to causing it. For approximately 36 hours after the explosion, the city of Pripyat — population 49,000, located just three kilometres from the plant — was not evacuated. Residents went about their daily lives. Children played outside. A wedding took place. The radioactive plume from the burning reactor drifted over the city. When the evacuation finally came, on the afternoon of 27 April, residents were told they would be away for three days. They were told to bring only essential documents. Many left pets, belongings, and lives they would never return to. The city of Pripyat remains abandoned to this day.

49,000: residents of Pripyat evacuated 36 hours after the explosion. They were told they would be away for three days. Pripyat remains uninhabited nearly four decades later.

The wider evacuation followed in stages. An exclusion zone of 30 kilometres around the plant was eventually established. Approximately 350,000 people were permanently relocated from contaminated areas in Ukraine, Belarus, and Russia. The radioactive plume — containing iodine-131, caesium-137, strontium-90, and plutonium isotopes — spread across much of Europe. Elevated radiation levels were first detected not by Soviet monitoring stations but by Swedish nuclear plant workers, whose own radiation alarms were triggered on 28 April, two days after the explosion. It was this detection, and the international pressure that followed, that finally forced the Soviet government to acknowledge publicly that an accident had occurred.

The immediate containment effort — the construction of what became known as the "sarcophagus" over the destroyed reactor — was a feat of extraordinary engineering under appalling conditions. Between May and November 1986, an estimated 600,000 workers, known as liquidators, were deployed to the site. They worked in shifts measured in seconds and minutes, limited by the radiation dose each person could receive. Miners tunnelled beneath the reactor to install a concrete slab preventing the molten core material from reaching the water table. Military reservists shovelled graphite debris off the roof of the adjacent Reactor No. 3 by hand, in 90-second shifts, because the radiation destroyed the electronics of every robotic system deployed. Helicopter crews dropped thousands of tonnes of boron, sand, clay, and lead onto the exposed reactor core. The total collective radiation dose received by the liquidators remains one of the largest planned human exposures to ionising radiation in history.

The Investigation: From Operator Error to Design Flaw

The official Soviet investigation, completed in August 1986, placed the blame squarely on the operators. The report presented to the International Atomic Energy Agency by Valery Legasov — the leading Soviet nuclear chemist who co-chaired the investigation — described a sequence of operator violations: disabling safety systems, operating below the minimum allowed power level, continuing the test when conditions required a shutdown. The narrative was clear and politically convenient. The operators had broken the rules. The reactor was blameless. The Soviet nuclear programme was sound.

Legasov himself appears to have known this narrative was incomplete. In the two years between the disaster and his death by suicide on 27 April 1988 — the second anniversary of the explosion — Legasov became increasingly vocal about the systemic failures of the Soviet nuclear industry. He recorded a series of audio tapes in which he described the culture of secrecy, the suppression of safety-relevant information, and the institutional resistance to acknowledging design flaws. He had argued at the IAEA presentation for a more complete account of the reactor's design deficiencies. He was overruled. His later advocacy for reform made him powerful enemies within the Soviet nuclear establishment. He was twice denied the Hero of Socialist Labour award. His suicide was widely interpreted as an act of protest, and the tapes he left behind became a key primary source for subsequent investigations.

The reconsideration of the Chernobyl narrative began almost immediately within the international nuclear community, but it took until 1992 for the IAEA to publish INSAG-7, the revised analysis that fundamentally changed the official account. INSAG-7 acknowledged what many physicists had suspected from the beginning: the RBMK reactor's positive void coefficient and the graphite-tipped control rod design were the primary causes of the disaster. The operators had violated procedures, certainly. But the procedures themselves were inadequate. The safety systems they disabled were inadequate. And the reactor itself contained design characteristics that made a catastrophic power excursion possible under conditions that the operators had no reason to believe were uniquely dangerous — because nobody had told them.

INSAG-7 identified several critical points. First, the positive void coefficient at low power was far larger than the operators understood. At 200 megawatts, the coefficient was strongly positive — any increase in steam formation would produce a disproportionate increase in reactivity. Second, the graphite-tipped control rods meant that the emergency shutdown system, AZ-5, could — and did — cause a transient reactivity insertion at the worst possible moment. Third, the operating procedures did not adequately communicate the danger of low-power operation. Fourth, the regulatory framework had failed to require that these design characteristics be disclosed to the people operating the reactor. The investigation did not exonerate the operators. It reframed them. They were not rogue actors who destroyed a safe reactor. They were inadequately informed operators, working in a culture of secrecy, who triggered a flaw that had been designed into the machine.

What Changed

The Chernobyl disaster transformed the global nuclear industry in ways that are still being felt four decades later. The most immediate changes were to the RBMK reactors themselves. After 1986, the remaining RBMK units — and there were many, across the Soviet Union — underwent significant modifications. The positive void coefficient was reduced by increasing the enrichment of the uranium fuel from 2.0% to 2.4% and later to 2.8%, which shifted the neutron physics toward a less dangerous operating regime. The graphite-tipped control rods were replaced with rods that had a shorter graphite section and could not produce the initial positive reactivity insertion. The minimum operating reactivity margin was increased. Additional fast-acting emergency shutdown rods were installed. The operating procedures were rewritten to explicitly describe the dangers of low-power operation. These modifications did not make the RBMK inherently safe by Western standards, but they eliminated the specific combination of conditions that had destroyed Unit 4.

Beyond the RBMK fleet, Chernobyl drove the creation of entirely new international safety structures. The World Association of Nuclear Operators, or WANO, was founded in 1989 specifically in response to the disaster. WANO established a framework for international peer review of nuclear plant operations — something that had not existed before. The principle behind WANO was simple and radical: a nuclear accident anywhere is a nuclear accident everywhere. National borders do not contain radioactive plumes, and national pride should not prevent the sharing of safety-critical information. Every operating nuclear plant in the world is now a member.

The IAEA strengthened its Convention on Nuclear Safety, adopted in 1994 and entered into force in 1996. The convention established binding obligations for signatory states to maintain high safety standards, to submit to international review, and to ensure that safety information was openly shared. The concept of "safety culture" — now ubiquitous in nuclear regulation — was formally defined and codified in the post-Chernobyl era. INSAG-4, published in 1991, defined safety culture as "that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance." The definition was deliberately broad. It was designed to address the specific failure mode that Chernobyl had revealed: an institutional culture in which safety was subordinate to production targets, in which inconvenient information was suppressed, and in which the people closest to the danger were the last to be informed.

The political consequences were equally profound. Chernobyl is widely credited with accelerating the end of the Soviet Union. Mikhail Gorbachev himself later stated that the disaster was "perhaps the real cause of the collapse of the Soviet Union." The explosion shattered the myth of Soviet technological competence. The delayed evacuation, the attempted cover-up, and the eventual admission of failure under international pressure undermined the legitimacy of the state in ways that were difficult to reverse. In several European countries, public opposition to nuclear power intensified sharply after Chernobyl. Italy closed all of its nuclear plants by 1990. Sweden committed to a phase-out. Germany's eventual decision to abandon nuclear power, finalised after Fukushima in 2011, had its political roots in the post-Chernobyl anti-nuclear movement. The global nuclear industry, which in 1986 had projected massive expansion, entered a period of stagnation from which it has only recently begun to emerge.

~600,000: liquidators deployed to the Chernobyl site. Between 1986 and 1990, an estimated 600,000 military reservists, miners, plant workers, and other personnel were involved in containment and decontamination. The collective radiation dose they received remains one of the largest planned human exposures in history.

The Lesson That Keeps Repeating

Chernobyl is often presented as a uniquely Soviet disaster — a product of authoritarian secrecy, bureaucratic rigidity, and a political system that could not tolerate the admission of error. There is truth in this. The specific institutional failures that led to the disaster — the classification of safety-critical design information, the suppression of near-miss reports from other RBMK plants, the refusal to modify a known design flaw because doing so would imply the design had been flawed in the first place — were products of the Soviet system. But the underlying failure mode is not uniquely Soviet. It is universal.

The pattern is familiar to anyone who studies complex system failures. A design trade-off is made early, when the consequences are theoretical. The trade-off becomes embedded in the system — in hardware, in procedures, in institutional knowledge, in careers. Evidence accumulates that the trade-off may be more dangerous than originally assessed. But acknowledging the danger would require acknowledging the original error. It would require expensive modifications. It would disrupt production. It would embarrass the people who made the original decision. And so the evidence is reclassified, or reinterpreted, or simply not communicated to the people who need it most. The system becomes a machine for suppressing the information that could save it.

This pattern did not die at Chernobyl. It appeared again at Fukushima, where TEPCO and Japanese regulators suppressed evidence of tsunami risk that contradicted the design basis of the Daiichi plant. It appeared at the Boeing 737 MAX, where a known failure mode in the MCAS flight control system was not adequately communicated to pilots. It appears in every organisation where the cost of admitting a problem exceeds the perceived cost of ignoring it — until the day the bill comes due.

The sarcophagus that was hastily constructed over the destroyed reactor in 1986 began deteriorating almost immediately. In 2016, a new containment structure — the New Safe Confinement, an arched steel structure 108 metres tall, 162 metres long, and weighing over 36,000 tonnes — was slid into place over the old sarcophagus. It is the largest movable land-based structure ever built. It is designed to last 100 years, during which the radioactive material inside must be retrieved, processed, and safely stored. The exclusion zone around the plant will remain uninhabitable for centuries. The reactor fuel that melted through the bottom of the vessel — a lava-like substance known as corium, or colloquially as "the Elephant's Foot" — remains intensely radioactive and will be dangerous for thousands of years.

The operators who ran the test that night did not set out to destroy a reactor. They set out to complete a safety test — to answer a legitimate engineering question about emergency power supply. They were working in a system that had decided, at every level above them, that certain information was too dangerous or too embarrassing to share. They pressed a button they believed would save the reactor and, because of a design flaw they had never been told about, it destroyed it instead. Chernobyl was not a failure of individual competence. It was a failure of the system that was supposed to make individual competence sufficient. The lesson is not that operators should be more careful. The lesson is that systems must be designed so that the information needed to operate them safely is never, under any institutional pressure, withheld from the people who need it.

Sources

  1. INSAG-7 — The Chernobyl Accident: Updating of INSAG-1 — https://www.iaea.org/publications/3786/the-chernobyl-accident-updating-of-insag-1
  2. UNSCEAR 2008 Report — Sources and Effects of Ionizing Radiation — https://www.unscear.org/unscear/en/publications/2008_1.html
  3. Chernobyl Forum Expert Group Report — https://www.iaea.org/publications/7382/chernobyl-s-legacy-health-environmental-and-socio-economic-impacts
  4. Medvedev, Z. — The Legacy of Chernobyl — https://wwnorton.com/books/9780393308143
  5. Plokhy, S. — Chernobyl: The History of a Nuclear Catastrophe — https://www.basicbooks.com/titles/serhii-plokhy/chernobyl/9781541617070/
  6. INSAG-4 — Safety Culture — https://www.iaea.org/publications/3753/safety-culture
  7. World Association of Nuclear Operators — History — https://www.wano.info/about-us/our-history