
Three Mile Island Memories

Soulskill posted more than 5 years ago | from the if-it-ain't-broke,-send-it-through-congress dept.


theodp writes "Thirty years after the partial nuclear core meltdown at Three Mile Island, Robert Cringely describes the terrible TMI user interface, blaming a confluence of bad design decisions — some made by Congress — for making the accident vastly worse. While computers could be used to monitor the reactor, US law prohibited using computers to directly control nuclear power plants — men would do that. So, when the (one) computer noticed a problem, it would set off audible and visual alarms, and send a problem description to a line printer. Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless. The one visual alarm blinked for days, indicating nothing useful. And the print queue was quickly flooded with 700 error reports followed by thousands of updates and corrections, making it almost instantly hours behind. The operators had to guess at what the problem was."
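The flood the summary describes, as an added example that is not from the article or from any Slashdot poster: a constructed stream of 700 alarms followed by thousands of updates is fed both to a FIFO line-printer queue (the TMI design) and to a per-source coalescing board; all event timings, priorities and the one-line-per-second print rate are assumptions made for the example.

```python
"""Alarm flood, two ways: a FIFO printer queue that falls hours behind versus
a coalescing board that keeps one current line per source.

All numbers here (700 sources, 10 update rounds, 1 printed line per second)
are constructed for the example; they are not TMI plant data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float       # seconds since the start of the incident (constructed)
    source: str    # sensor or subsystem identifier
    state: str     # "ALARM" (new), "UPDATE" (correction) or "CLEAR" (back to normal)
    priority: int  # 0 = most severe; used only by the coalescing board


class LinePrinterQueue:
    """Every event becomes one printed line, in arrival order, at a fixed rate."""

    def __init__(self, lines_per_second: float):
        self.rate = lines_per_second
        self.submitted = 0

    def submit(self, ev: Event) -> None:
        self.submitted += 1

    def lag_seconds(self, now: float) -> float:
        # Lines the printer could have emitted by `now`, versus lines queued.
        backlog = max(0.0, self.submitted - self.rate * now)
        return backlog / self.rate


class CoalescingAlarmBoard:
    """One entry per source: updates overwrite, clears remove, view is by severity."""

    def __init__(self):
        self.current: dict[str, Event] = {}

    def submit(self, ev: Event) -> None:
        if ev.state == "CLEAR":
            self.current.pop(ev.source, None)   # a resolved source leaves the board
        else:
            self.current[ev.source] = ev        # latest state replaces earlier lines

    def active_count(self) -> int:
        return len(self.current)

    def view(self, rows: int) -> list[Event]:
        # Most severe first; within one severity, the most recently changed first.
        ordered = sorted(self.current.values(), key=lambda e: (e.priority, -e.t))
        return ordered[:rows]


def constructed_flood(n_sources: int = 700, update_rounds: int = 10) -> list[Event]:
    """700 alarms in the first two minutes, ten rounds of corrections, then one clear."""
    events = []
    for i in range(n_sources):
        prio = 0 if i == 0 else (1 if i < 20 else 3)
        events.append(Event(i * 120.0 / n_sources, f"S{i:03d}", "ALARM", prio))
    for r in range(update_rounds):
        base = 120.0 + 60.0 * r
        for i in range(n_sources):
            prio = 0 if i == 0 else (1 if i < 20 else 3)
            events.append(Event(base + i * 60.0 / n_sources, f"S{i:03d}", "UPDATE", prio))
    events.append(Event(120.0 + 60.0 * update_rounds, "S005", "CLEAR", 1))
    return events


def run_scenario(events: list[Event], printer_rate: float = 1.0, rows: int = 8) -> dict:
    """Deliver the same time-ordered stream to both designs and report what each shows."""
    printer = LinePrinterQueue(printer_rate)
    board = CoalescingAlarmBoard()
    for ev in events:
        printer.submit(ev)
        board.submit(ev)
    t_end = events[-1].t
    return {
        "lines_submitted": len(events),
        "printer_lag_hours": printer.lag_seconds(t_end) / 3600.0,
        "board_active": board.active_count(),
        "board_top": [e.source for e in board.view(rows)],
    }


if __name__ == "__main__":
    result = run_scenario(constructed_flood())
    print(f"printer: {result['lines_submitted']} lines queued, "
          f"{result['printer_lag_hours']:.2f} h behind at the end of the stream")
    print(f"board: {result['board_active']} active sources, "
          f"top rows {result['board_top']}")
```

With the constructed numbers the printer is almost two hours behind when the stream ends, while the board shows 699 live sources with the single priority-0 alarm on its first row and the cleared source gone.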


Job's got it right.... (1, Insightful)

ColdWetDog (752185) | more than 5 years ago | (#27458593)

TMI wasn't caused by a computer failure but the accident was made vastly worse by an error of computer design. Specifically, TMI-2 had a terrible user interface.

See, See. UI is important!!!!

(Stares complacently at his Mac)

Re:Job's got it right.... (4, Insightful)

arth1 (260657) | more than 5 years ago | (#27458885)

I don't blame the UI at all. I blame the belief that the goal of a UI is to lower the required understanding (and thus salary) of the operators.
How the UI worked is irrelevant. Operators who understood what they were doing would have checked what needed to be checked, and taken the precautions the situation warranted, no matter what kind of warnings were lost because of a bad UI.

Alas, the way for an electric company CEO to get big bonuses isn't by spending more money on smart people, but cutting costs, which makes the short-term investors happy. So they spend $50k on an idiot-proof interface, and hire an idiot. The problem is that Nature is a whole lot better at churning out interface-proof idiots than programmers are at making idiot-proof interfaces.

It's high time that Western society started valuing knowledge and understanding again, and not just ability to study for requirement tests. Reinstate the journeyman/master system and accredited guilds, and ditch college diplomas as the worthless piece of gilded paper they are.

Re:Job's got it right.... (5, Insightful)

Anpheus (908711) | more than 5 years ago | (#27458985)

If your user interface lags behind by two hours and the UI is the only way to find out about the extremely complicated and intricate details coming out of a myriad of sensors that are inaccessible to people for safety reasons... I suppose you might be entirely wrong.

In this case, yes, the user interface was necessary for the operators to do their job. Are you going to tell me that submarine operators should rely on their "gut feeling" rather than a measurement of external pressure or depth to determine whether the submarine is safe? These are jobs that can't be done by even the most skilled operator because the information is completely walled off from them for the safety and integrity of the facility.

As far as I can tell, you're advocating that we should hire psychics to determine the safety of the nuclear plant and pay them exorbitantly because spending a single dime on a good interface is wasted money. Sometimes, a $50,000 idiot proof interface is exactly what's called for, rather than intentionally using outdated technology and hoping a printer will provide information fast enough to prevent imminent disaster.

Re:Job's got it right.... (4, Insightful)

timeOday (582209) | more than 5 years ago | (#27459537)

I don't blame the UI at all. I blame the belief that the goal of a UI is to lower the required understanding (and thus salary) of the operators.

I think you got it backwards. They didn't want to withhold information from humans or remove control from them, so they didn't automate enough and the humans in the loop got swamped with more than they could handle.

Re:Job's got it right.... (1)

neBelcnU (663059) | more than 5 years ago | (#27459601)

The UI's unimportant? Did I read that right?

Try a wrench with a razor-blade handle. (Nice for tight places, hard on the user.)

Actually, nature can only create one idiot per year per production-unit (arbitrarily called "a family"). Organizations (arbitrarily called "corporations") could invest many orders-of-magnitude more labor in the same calendar period into a UI.*

Sure, the utility company's cheapness-bonus is bad. Loss of training is bad. Lowering wages is bad. But you're committing the same fallacy you criticize Cringely for*, oversimplification.

*Apologies to the Gammar N...uh..."grammarians"** for that sentence, I hope you use it to full benefit.

**Godwinians, the same for the footnote above.

(All memes covered? Check! Flame on!)

Re:Job's got it right.... (1)

juenger1701 (877138) | more than 5 years ago | (#27459061)

triple click

'nough said

Re:Job's got it right.... (1)

grasshoppa (657393) | more than 5 years ago | (#27459105)

I'm not sure anybody would argue that UI is not important. The frustration stems from the fact that the UI is as important as it is, and is done as poorly as it often is.

I can't tell you the number of times I've had to figure out some arcane system just to change a minor setting. Hours have been spent tracking down a minor check box, because the UI was designed horribly.

I, for one, welcome our new regulator overlords. (1, Interesting)

marco.antonio.costa (937534) | more than 5 years ago | (#27458605)

Obama's 'new regulatory framework for the 20th century' crowd: Choke on that please.

Re:I, for one, welcome our new regulator overlords (1)

maxume (22995) | more than 5 years ago | (#27459189)

What are you spouting about?

The possibility of bad regulation doesn't really impugn the very concept of regulation.

Re:I, for one, welcome our new regulator overlords (1)

timeOday (582209) | more than 5 years ago | (#27459547)

So you are advocating unregulated, free-for-all nuclear power? Ha ha, great idea. No doubt the free market will find a nice cheap place to put the nuclear waste, too.

So the problem @TMI was TMI. (2, Interesting)

tomhudson (43916) | more than 5 years ago | (#27458667)

700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless. The one visual alarm blinked for days, indicating nothing useful. And the print queue was quickly flooded with 700 error reports followed by thousands of updates and corrections, making it almost instantly hours behind. The operators had to guess at what the problem was."

So the problem with Three Mile Island (TMI) was Too Much Information (TMI). But I didn't read the article, as that would have been TMI.

Re:So the problem @TMI was TMI. (1)

Mashiki (184564) | more than 5 years ago | (#27459543)

So the problem with Three Mile Island (TMI) was Too Much Information (TMI). But I didn't read the article, as that would have been TMI.

Sounds much closer to a breach of the KISS protocol.

Make sure you read the comments. (1)

synth7 (311220) | more than 5 years ago | (#27458669)

If you read Cringely's article, make sure you also read through the comments, as there are several really insightful threads (and Bob says as much in his replies) posted by readers. Specifically the comments that talk about the fact that while the TMI design and control room layout was extremely bad, it was really an incompetent operations staff (or one operator) who did have the skills/training to kick the non-technical managers out of the room and use their expertise to get the situation under control.

Re:Make sure you read the comments. (1)

synth7 (311220) | more than 5 years ago | (#27458693)

...DIDN'T have the skills...

Ugh. Screw up one little contraction and the whole comment goes haywire.

Re:Make sure you read the comments. (1)

arth1 (260657) | more than 5 years ago | (#27458967)

the non-technical managers

Why do we allow such abominations to exist?

Re:Make sure you read the comments. (1)

camperdave (969942) | more than 5 years ago | (#27459059)

Why do we allow such abominations to exist?

Well, someone has to manage all the non-technical stuff. I certainly do not want to be caught in a stall with not a square to spare; or go to the cafeteria to find they are all out of soup crackers, or worse yet, coffee.

Re:Make sure you read the comments. (1)

maxume (22995) | more than 5 years ago | (#27459161)

Those are secretarial tasks. The person taking care of those things doesn't need authority over anyone.

Re:Make sure you read the comments. (1)

Denihil (1208200) | more than 5 years ago | (#27459261)

woooosh.

Re:Make sure you read the comments. (1)

camperdave (969942) | more than 5 years ago | (#27459371)

Dude, the 1950s are calling you. Secretaries don't fetch coffee.

Re:Make sure you read the comments. (1)

maxume (22995) | more than 5 years ago | (#27459393)

The janitor? An intern?

Re:Make sure you read the comments. (1)

interstellar_donkey (200782) | more than 5 years ago | (#27459361)

For a moment there I thought you were talking to power plant operators, reminding them to read the error messages being displayed. And thinking "Yeah, if only they had some user driven 'system failure' moderation, they wouldn't be in as much trouble."

Ugh. (1)

Virak (897071) | more than 5 years ago | (#27458673)

And because of this insignificant little incident that killed nobody, and had little to no effect on the health of people near it, nuclear power, a safe, clean, mature power generation technology, was (and continues to be) drastically set back. It's stuff like this that makes me worried that humanity as a whole will be just too incredibly stupid to make it through this century without killing ourselves in one of many ways.

Re:Ugh. (1)

Da Cheez (1069822) | more than 5 years ago | (#27458755)

It's stuff like this that makes me worried that humanity as a whole will be just too incredibly stupid to make it through this century without killing ourselves in one of many ways.

As Three Mile Island shows, we'll avoid killing ourselves this century since we'll be too worried about danger and prevent progress (i.e., holding back nuclear power plant technology). We just won't make any progress. We're smart enough to survive, but too dumb to get any smarter in the immediate future.

Re:Ugh. (1)

LWATCDR (28044) | more than 5 years ago | (#27458845)

True, and it made a so-so movie a smash hit and convinced millions of people that a work of fiction was a documentary.

Re:Ugh. (2, Interesting)

Jonner (189691) | more than 5 years ago | (#27458899)

If you read the article, you'd realize it was a very significant wake up call. Death was narrowly avoided because the reactor containment vessel was over-engineered compared to the typical design. The tragedy is that the lesson the public learned was that nuclear power was too dangerous to use at all, when the reality was that it was poorly designed and mismanaged.

Re:Ugh. (1)

Aqualung812 (959532) | more than 5 years ago | (#27459499)

Death was narrowly avoided because the reactor containment vessel was over-engineered

Sounds like it was engineered just right. Bean-counters often use "over-engineered" when something is built to withstand the rare but serious malfunctions. Instead, they'd rather things be built to be "good enough" to run fine most of the time. Problem is, a minor issue can become a critical one if you don't build your devices to withstand the rare but serious issues.

For example, a failover server setup is 100% overbuilt...until the primary fails.

Re:Ugh. (4, Informative)

Pinckney (1098477) | more than 5 years ago | (#27459605)

Sounds like it was engineered just right. Bean-counters often use "over-engineered" when something is built to withstand the rare but serious malfunctions. Instead, they'd rather things be built to be "good enough" to run fine most of the time. Problem is, a minor issue can become a critical one if you don't build your devices to withstand the rare but serious issues. For example, a failover server setup is 100% overbuilt...until the primary fails.

But it wasn't engineered this way to secure it against a partial meltdown. It was above average for reactor containment vessels actually in use at that time, and the average containment vessel would have failed. The only reason it was able to withstand it was that it happened to be on the final approach path of a former air force base, and had originally been engineered to withstand a bomber crashing into it.

Re:Ugh. (1)

crackspackle (759472) | more than 5 years ago | (#27459007)

If, like me, you're old enough to recall the movie "The China Syndrome", it was made and released just days before the Three Mile Island accident occurred. At the time, that together with the accident was all people talked about. Yes, there were some people already protesting nuclear power but that managed to turn your everyday joe against it too. Never underestimate the power of a Hollywood melodrama to sway people.

Re:Ugh. (1)

AlHunt (982887) | more than 5 years ago | (#27459115)

>managed to turn your everyday joe against it too.

Nah, "Everyday Joe" here, and I'm a 100% supporter of nuclear power, even though I was 17 miles away from TMI throughout the whole incident. Knowing then what we now know, I'd have probably edged a little further away.

I'm sure TMI pushed a few fence-sitters over the edge. Not enough to make a vast difference, though, in my view. Feel free to break ground in my back yard for a new plant as early as Monday morning. I'll go move my car so the trucks can get through.

Re:Ugh. (1)

MoonBuggy (611105) | more than 5 years ago | (#27459477)

You're on Slashdot, commenting on an article about nuclear safety. That puts you way way above the level of 'everyday Joe' in this context.

Re:Ugh. (1)

hairyfeet (841228) | more than 5 years ago | (#27459707)

The problem IMHO is twofold: One, without recycling the spent nuclear fuel you end up with some SERIOUSLY hot nuclear waste, and Two, thanks to NIMBY nobody wants that extremely hot nuclear waste (and rightly so). Now correct me if I'm wrong, but doesn't everyone else reprocess nuclear fuel until it isn't nearly as hot as the crap we end up with? If we reprocessed so we could show that the states won't end up with ton after ton of toxic waste that they will never be able to get rid of, I'd bet nuclear power would be more popular.

As someone who lives not too far from the 2 nuclear reactors in our state (AR1&2) and enjoys cheap power, I'd say that you could solve a lot of the NIMBY problem if you allowed recycling of spent fuel. Because as it is I don't even want to know where we are storing that super hot crap in my home state. And who in their right mind would want something that hot stored in THEIR back yard?

Re:Ugh. (1)

aengblom (123492) | more than 5 years ago | (#27459171)

Honestly, I thought Cringely's decision to try and tie TMI to the current financial crisis was a bit of a stretch, but it applies perfectly here. TMI officials took a huge risk [coulda wiped out a bunch of the Northeast] and only avoided catastrophe because of luck (the reactor had a stronger than normal containment vessel.)

Wall Street basically did the same in the mortgage boom -- they just lost the bet. Now we're all paying.

Where both failed was properly planning for what happened when something really went wrong. Wall Street was prepared for the failure for X% of people to stop paying mortgages because the values of homes "always" went up. I.E. A foreclosure just meant selling a house that was more valuable than when it was bought. This worked great, until home values fell and the taxpayers now get to fill that hole.

At TMI operators were ready for one thing to go wrong and to fix it, but they weren't ready for when something really went wrong because their IT systems couldn't process the results of a real crisis.

I get it that most engineers seem to be pro nuke, but forgive the public if they're a bit skeptical. Guess what, doctors always seem ready to operate, your stock broker always wants you in the market and your lawyer is willing to sue at the drop of a hat. People tend to have confidence in their own competencies.

The job of the nuclear industry is to prove that their equipment will be safe -- even when operated poorly by greedy executives who might be willing to take the risk of huge amounts of wealth vs. a 1 in 10,000 year chance of a failure. That's a reasonable risk for the head of a nuke, but a terrible risk for a country with 100 reactors. (I.E. you will have a breach in the next 100 years.)

It's not that all such employees will have such an attitude, but that at some point, someone will.


Tech is more than the machine (1)

westlake (615356) | more than 5 years ago | (#27459253)

And because of this insignificant little incident that killed nobody...a safe, clean, mature power generation technology, was (and continues to be) drastically set back.

Technology is more than the machine.

If you don't know what is going on and you are clearly not in control your system has failed - catastrophically.

The TMI cleanup started in August 1979 and officially ended in December 1993, having cost around US$975 million. From 1985 to 1990 almost 100 tons of radioactive fuel were removed from the site. However, the contaminated cooling water that leaked into the containment building had seeped into the building's concrete, leaving the radioactive residue impossible to remove. TMI-2 had been online only three months but now had a ruined reactor vessel and a containment building that was unsafe to walk in -- it has since been permanently closed. Three Mile Island Unit 2 was too badly damaged and contaminated to resume operations. The reactor was gradually deactivated and mothballed in a lengthy process completed in 1993. Three Mile Island accident [wikipedia.org]

A ten year - billion-dollar - clean-up can't be described as insignificant.

Shippingport emphasized engineering, management, financial strength.

Projects realistically scaled to the needs, experience and resources of their sponsors.

Those lessons had been forgotten. "The Meltdown" was symptomatic of problems throughout the industry.

Re:Tech is more than the machine (1)

timeOday (582209) | more than 5 years ago | (#27459573)

A ten year - billion-dollar - clean-up can't be described as insignificant.

Coincidentally, a billion dollars is almost exactly the value of the oil burned by the US every single day, at $50/barrel.

Re:Ugh. (0)

stephanruby (542433) | more than 5 years ago | (#27459441)

And because of this insignificant little incident that killed nobody, and had little to no effect on the health of people near it,

A couple of days ago on NPR (I think it was), I heard of someone speaking of this book People Died at Three Mile Island [huffingtonpost.com] .

Three-Mile Island (3, Insightful)

blind biker (1066130) | more than 5 years ago | (#27458747)

Never has the gravity of an accident (of any kind) been so exaggerated. Before or after.

Re:Three-Mile Island (1)

cowdung (702933) | more than 5 years ago | (#27458787)

Agreed. TMI is actually an example of safety success! Everything failed.. but the containment vessel kept us safe.

So figure out what the other things are so you don't have to use your last line of defense (which could fail like in Chernobyl).

I think people don't like nuclear mainly because of nuclear weapons. They don't understand that reactors are a fundamentally different technology.

Re:Three-Mile Island (1)

drinkypoo (153816) | more than 5 years ago | (#27458811)

I think people don't like nuclear because they don't understand how vastly much safer and cleaner it is than where the bulk of our power comes from today. Whether it's different from a bomb is pretty irrelevant. Some care about environmental damage and some care about personal danger; nobody cares precisely where it comes from.

Re:Three-Mile Island (1)

LWATCDR (28044) | more than 5 years ago | (#27458859)

Well that and there is a lot of money to be made in stopping it.
Coal companies hate it.
And hundreds or thousands of "activists" had made a good living protesting it.

Re:Three-Mile Island (1)

TheTurtlesMoves (1442727) | more than 5 years ago | (#27459057)

Well, even a lot of people who are happy with nuclear power still don't want it in their back yard.

Yep, it's safe. You can build at least 30 miles away from where I live ;)

Re:Three-Mile Island (1)

DrBuzzo (913503) | more than 5 years ago | (#27459305)

Given all the pollution from the coal burners, I'd be happy to have a nuclear plant in my back yard. I'd have no objections at all. Well, I guess there might be one: I'd want it far enough away that I wouldn't be kept awake at night by the hum of the turbines. Also, on a weekend, it might be annoying to hear the employees coming to work for the weekend shift in the morning when I'm trying to sleep.

I guess as long as it was a good few hundred feet from the house I'd be cool with it.

Re:Three-Mile Island (1)

interstellar_donkey (200782) | more than 5 years ago | (#27459511)

If it was small enough and easy to maintain, I'd probably pay to build a micro nuclear power plant in my back yard. It'd have the added advantage of heating the pool from runoff water.

Re:Three-Mile Island (1)

Plunky (929104) | more than 5 years ago | (#27459683)

David Hahn [wikipedia.org] , is that you?

Re:Three-Mile Island (2, Interesting)

King_TJ (85913) | more than 5 years ago | (#27458833)

Yep ... and as I think I posted once before in another Slashdot topic, I actually work with a guy who used to be an engineer at the firm that was ordered to make some piping for the Three Mile Island reactor, on a "rush" basis, when the problems first started there.

He claims he spoke with people at the reactor site, asking them "How could something like this happen in the first place?" and was taken off to the side, and told that it would take a very specific sequence of adjustments to a number of valves to cause what happened. He replied, "Well, that doesn't sound very probable that could happen by accident?" He was then told that, "Yes, although it COULD theoretically happen, it seems HIGHLY improbable. It's also worth considering that the China Syndrome movie was just released in theaters shortly before this happened."

So in short, seems very possible it was caused by someone wishing to sabotage the project as much as anything.

Re:Three-Mile Island (1)

j-stroy (640921) | more than 5 years ago | (#27458873)

The solid containment structure was over-spec to keep things out (crashing b-52s) not to keep things in.

The safety outcome was circumstantial, and a lucky lesson.

Fundamentally radioactive transuranic waste [wikipedia.org] with a half life of 220,000 years is why I don't like nuclear power.

Re:Three-Mile Island (1)

blind biker (1066130) | more than 5 years ago | (#27458979)

Fundamentally radioactive transuranic waste with a half life of 220,000 years is why I don't like nuclear power.

And the solution to the long-lived nuclear waste is to build breeder reactors [wikipedia.org] .

India and Japan are going to kick everyone's butt in this area. If the rest of the world doesn't embrace this technology, India and Japan (and perhaps Russia and China) will have the cheapest energy in the world.

Molten sodium and water heat exchanger (1)

j-stroy (640921) | more than 5 years ago | (#27459235)

Fast breeders have too many inherent risks. A primary one being: the corrosive molten sodium as a primary coolant must transfer the heat to water (the secondary coolant) via a heat exchanger. "Sodium reacts exothermically with water ... large pieces will explode." Sodium [wikipedia.org] "As of 2006, all large-scale FBR power stations have been liquid metal fast reactors (LMFBR) cooled by liquid sodium." - Breeder reactors [wikipedia.org]

Re:Molten sodium and water heat exchanger (1)

Cyberax (705495) | more than 5 years ago | (#27459637)

It's possible to build gas-cooled (helium) breeder reactors or molten salt reactors.

It's an engineering problem and it can be solved.

Re:Three-Mile Island (1)

Anpheus (908711) | more than 5 years ago | (#27459023)

The stuff we pull out of the ground has a half life of millions of years and if accidentally inhaled or consumed, just as deadly.

The earth is chock full of radioactive goodness, and you're terrified of the fact that we're harnessing it? I don't get it.

If you consider radioactive material safe when it's in a mine, why is it suddenly no longer safe when we put radioactive waste into a mine shaft?

Time for rehabilitation camp for you... (1)

rts008 (812749) | more than 5 years ago | (#27459243)

Just step away from the facts and assume the position. You are going to be rehabilitated so you can increase your herd stampede skills, and improve your fear mongering tactics. We will make you into a more compliant citizen...just another brick in the wall.

On a side note, when the plant was operating, the fishing near the cooling water outlet pipe in the river was great!

Re:Three-Mile Island (1)

j-stroy (640921) | more than 5 years ago | (#27459325)

All the more reason to leave it in diffuse concentrations under the ground in the first place.

Mine shafts and pits disturb surface and sub-surface water flows, so aside from run-off and legacy pumping issues in defunct mines (if the pump ever stops, groundwater gets contaminated) and radioactive dust blowing from tailings piles, we are left with concentrated and transformed nuclear fuel which we then have to keep safe somewhere for all time lest our descendants die horribly painful deaths from exposure to insanely minuscule quantities of radioactive material.

Not a good gamble, and not our bet to place.

Re:Three-Mile Island (1)

jonbryce (703250) | more than 5 years ago | (#27458983)

People don't like nuclear mainly because of the problems of disposing the waste, and of decommissioning the plants when they reach the end of their lives.

Re:Three-Mile Island (1)

Zancarius (414244) | more than 5 years ago | (#27459423)

Never has the gravity of an accident (of any kind) been so exaggerated. Before or after.

Yes, exactly. Three Mile Island was used for years by the environmentalists to "prove" that nuclear power was unsafe, and effectively consisted of a bomb just waiting to go off. If they wanted a disaster, they should examine Chernobyl.

Granted, we learned much about what worked--and what didn't--but I should think that Three Mile Island ought to be praised as successful! It averted creating a much worse disaster with consequences we would still be feeling today.

Re:Three-Mile Island (0)

good soldier svejk (571730) | more than 5 years ago | (#27459749)

Really? [alternet.org]

Like the old saying goes... (1)

camperdave (969942) | more than 5 years ago | (#27458759)

Like the old saying goes... Never send a man to do a machine's job.

Bad Computers! (1)

PPH (736903) | more than 5 years ago | (#27458821)

While computers could be used to monitor the reactor, US law prohibited using computers to directly control nuclear power plants -- men would do that.

Given the state of automated control back in those days, that's not really a bad policy. Even today, aircraft autopilots (triply redundant) are not reliable enough so that Boeing requires that pilots must be able to disconnect them and fly manually.

Granted, UIs have improved immensely since mid-1960s technology. The 700 alarm problem is easily mitigated with modern SCADA systems that can distill such volumes of data and pinpoint a few possible root causes. But I don't think you'd want to automate the whole thing and leave it in the hands of the same, poorly trained operators they had in 1979.

Re:Bad Computers! (1)

TheTurtlesMoves (1442727) | more than 5 years ago | (#27459107)

Even today, aircraft autopilots (triply redundant) are not reliable enough so that Boeing requires that pilots must be able to disconnect them and fly manually.

Rubbish. Pilots are there because people feel safer. And if the fly-by-wire systems etc. fail, your plane crashes, pilot or no pilot. So you have 2 modes of failure: if the pilot is insisting on flying into the ground and/or software bugs.

Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

Re:Bad Computers! (1)

DCstewieG (824956) | more than 5 years ago | (#27459519)

Not really knowing anything about the modern capabilities of auto-pilot systems, I'm curious what you think would have happened with the Hudson River incident if there had been no human pilot around.

Re:Bad Computers! (1)

NewbieProgrammerMan (558327) | more than 5 years ago | (#27459523)

Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

I wouldn't, at least not right now. Any machine^H^H^H^H^Hsoftware doing a job is going to be limited by the imagination of the spec writers and developers, and (for trainable systems) by the situations the trainers thought to put the system through.

I wonder if anybody's built any machines that would have done as well as this guy? [wikipedia.org] Yeah, there's shitty pilots out there, but I'm still a big fan of having a biological "backup" available to override the machines, because (again, right now) they're still better at handling unforeseen situations.

Re:Bad Computers! (1)

RudeIota (1131331) | more than 5 years ago | (#27459647)

Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

... if you happen to know anyone who can design an autopilot system that can account for nearly as many external/environmental variables as a human being -- I would too.

Re:Bad Computers! (1)

timeOday (582209) | more than 5 years ago | (#27459649)

I tend to agree but look at the recent splash-landing on the Hudson. Computers beat humans' stick-and-rudder skills hands down, but the decision to glide over to the Hudson (instead of ...what? crash-landing in a crowded city, I guess?) saved everybody. You could try to make the statistical argument that other crashes caused by human error outweigh this, but I don't know what the numbers are.

Anyways, airline pilots will be the last to go, after military recon pilots, bombers, cargo, and finally fighters, then civilian cargo flights. After a few decades and billions of miles flown autonomously in those roles, then we can talk about airliners without pilots.

Re:Bad Computers! (1)

marco.antonio.costa (937534) | more than 5 years ago | (#27459213)

If you RTFA you would see the point the author makes of how simple nuclear reactors are in comparison to other much more complex automated processes AT THE TIME. Chemical plants, in his example.

Now you just can't compare automating flight to a nuclear plant. A plane autopilot is orders of magnitude more complex.

I think the question is: do you really NOT want to automate everything and run the risk of leaving any decision making to a poorly trained or just hungover operator?

Re:Bad Computers! (1)

PPH (736903) | more than 5 years ago | (#27459721)

Now you just can't compare automating flight to a nuclear plant. A plane autopilot is orders of magnitude more complex.

Simpler. Been there, done that. Since the early days of 'two crew' flight decks and the requisite automation (757, 767, 747-400). I've also worked around (but not on) nuclear plants and their designers. The physics of a nuke may be simple, but the number of subsystems, alarms and whatnot in a plant is pretty substantial.

And when you put computers in charge ... (1)

Ihlosi (895663) | more than 5 years ago | (#27458823)

... of safety-critical systems, they do things like shut off the engines on a plane in mid-flight due to a sensor malfunction. Damned if you do, damned if you don't.

Jimmy Carter (2, Interesting)

bgeer (543504) | more than 5 years ago | (#27458839)

Our President at the time, Jimmy Carter, was also a micro-manager and a former nuclear engineer:

U.S. Navy reactor operators, the sort who served under Jimmy Carter in the 1950s,

Is not and never was a nuclear engineer, much less did he command a nuclear sub. He served as an enlisted man on several diesel-electric subs and started, but did not complete, a Naval class in nuclear engineering. He resigned from the Navy (as a lieutenant) before any nuclear subs were commissioned.

The FEMA guys were just plain stupid.

NO U

So, the computer notices things are wrong ... (1)

Ihlosi (895663) | more than 5 years ago | (#27458863)

Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless.

... and the humans chose to ignore it? How is that the computer's fault?

If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happened due to greed.
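The summary quoted above describes a single audible alarm, a single blinking light, and a line printer whose queue fell hours behind because it printed all 700 alarms and every later update in arrival order. The following is an added example, not code from the TMI control room or from the article: a summarizer that keeps only the current state per alarm tag, counts repeats, drops alarms that have since cleared, and returns a bounded, severity-ordered view that an operator can actually read. The alarm stream, tag names and severities are constructed for the demo.

```python
"""Coalescing alarm summary for a burst of alarm events (added example).

Contrast with a print queue: the queue emits every alarm and every later
update in order and falls behind; the summarizer holds one entry per tag,
so its output is bounded by the number of distinct alarms, not by the
number of updates. All input below is constructed, not plant data.
"""
import random
from collections import OrderedDict
from dataclasses import dataclass

SEVERITY_RANK = {"WARN": 1, "ALARM": 2, "TRIP": 3}


@dataclass
class TagState:
    tag: str
    severity: str
    message: str
    count: int          # how many updates this tag has produced while active
    first_t: float
    last_t: float


class AlarmSummarizer:
    """One entry per tag holding the latest state; a 'CLEAR' update removes the tag."""

    def __init__(self):
        self._active = OrderedDict()
        self.received = 0      # everything ingested, including clears and repeats

    def ingest(self, t, tag, severity, message):
        self.received += 1
        if severity == "CLEAR":
            self._active.pop(tag, None)   # a correction: the alarm no longer stands
            return
        st = self._active.get(tag)
        if st is None:
            self._active[tag] = TagState(tag, severity, message, 1, t, t)
        else:
            st.count += 1
            st.severity, st.message, st.last_t = severity, message, t

    def active_count(self):
        return len(self._active)

    def summary(self, limit=10):
        """Highest severity first, most recent first within a severity, at most `limit` rows."""
        ranked = sorted(self._active.values(),
                        key=lambda s: (-SEVERITY_RANK[s.severity], -s.last_t))
        return ranked[:limit]


def constructed_stream(seed=1979, n=700, tags=40):
    """Constructed burst: n random WARN/ALARM/CLEAR events across `tags` loops,
    then one TRIP for a relief valve. Tag names and timings are made up."""
    rng = random.Random(seed)
    names = [f"LOOP-{i:02d}" for i in range(tags)]
    t, events = 0.0, []
    for _ in range(n):
        t += rng.uniform(0.05, 0.3)
        tag = rng.choice(names)
        sev = rng.choices(["WARN", "ALARM", "CLEAR"], weights=[5, 3, 2])[0]
        events.append((t, tag, sev, f"{tag} {sev.lower()}"))
    events.append((t + 0.1, "RELIEF-VALVE", "TRIP",
                   "relief valve commanded closed, position unverified"))
    return events


def run_demo():
    s = AlarmSummarizer()
    for ev in constructed_stream():
        s.ingest(*ev)
    return s


if __name__ == "__main__":
    s = run_demo()
    print(f"received {s.received} events, {s.active_count()} alarms still active")
    for st in s.summary():
        print(f"{st.severity:5} {st.tag:13} x{st.count:<3} {st.message}")
```

The design choice that matters is that `summary()` is a function of current state, not of history: however many updates arrive, the operator sees at most `limit` rows, the highest-severity one first, and alarms that have cleared are gone rather than buried under their own corrections. A raw event log can still be kept on the side for later reconstruction.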

Re:So, the computer notices things are wrong ... (1)

WaXHeLL (452463) | more than 5 years ago | (#27458935)

It's not entirely simple to shut a nuclear plant down... You can't just hit a few keystrokes and the thing turns off.

And with only one visual alarm, and one audible alarm, you have no clue what is happening.

Re:So, the computer notices things are wrong ... (2, Interesting)

NewbieProgrammerMan (558327) | more than 5 years ago | (#27459081)

Don't let Cringely convince you that he actually knows anything about nuclear power plants--those guys had a whole room full of alarms, gauges, meters, etc., giving them a lot of info about the whole plant.

Shutting down the reactor could probably have been done by the operator within a couple of seconds by flipping a switch. IIRC, though, the automatic safety system shut it down at the beginning of the incident because it detected a situation that warranted it.

Re:So, the computer notices things are wrong ... (1)

TheTurtlesMoves (1442727) | more than 5 years ago | (#27459121)

The emergency shutdown is that simple. It can take a while to get it back on line again however (days, weeks or even longer depending on how many of the emergency shutdown systems are fired) and cost a pretty penny.

Re:So, the computer notices things are wrong ... (1)

DrBuzzo (913503) | more than 5 years ago | (#27459225)

It's not entirely simple to shut a nuclear plant down... You can't just hit a few keystrokes and the thing turns off.

And with only one visual alarm, and one audible alarm, you have no clue what is happening.

Actually it's much easier than a few keystrokes. Of course, this was before PCs were so common in a control room anyway, but it's as simple as this: Drop the control rods and the reaction stops.

No complex procedure needed. No keystrokes. It's called "SCRAM" and it can be done very simply in an emergency.

Also, there's not just one big alarm. It doesn't work that way. The problem in TMI was they had plenty of gauges and meters but none told them the information they needed to know: The verified state of the pressure relief valve and the amount of coolant in the reactor core loop.

Re:So, the computer notices things are wrong ... (1)

dunkelfalke (91624) | more than 5 years ago | (#27459525)

Same shit happened in Chernobyl - lack of useful information (and of course knowingly stupid design).

Re:So, the computer notices things are wrong ... (2, Informative)

jonbryce (703250) | more than 5 years ago | (#27459011)

A nuclear plant isn't like a gas plant where you can turn off the tap.

If you have a nuclear reaction that is going out of control, then you have to get it in control. Shutting the plant down would mean you don't have the ability to use things like the control rods to do this.

Re:So, the computer notices things are wrong ... (1)

daniel_newby (1335811) | more than 5 years ago | (#27459479)

If you have a nuclear reaction that is going out of control, then you have to get it in control. Shutting the plant down would mean you don't have the ability to use things like the control rods to do this.

No, the control rods are constantly forced into the core by passive systems (hydraulic pressure, gravity, springs), and only stay withdrawn because of active systems. If the active systems lose power, a few seconds later the control rods will be fully inserted. Many reactors also have pre-pressurized tanks of neutron absorbing fluid connected to the core, a sort of liquid control rod. Provided one of the redundant valves can be opened, that will also quench the nuclear chain reaction. (And I wouldn't be surprised to learn that the valves have a ratchet that makes them stick open until some poor bastard visits them in person with a special tool.)

It's also worth pointing out that many safety systems have no self-protection features like circuit breakers, or even off switches where a well-meaning idiot might turn them off just because fire is shooting out. If a back-up cooling pump develops a short circuit or a bad bearing, it will continue to run until it destroys itself. The idea is that the protection equipment will cheerfully use itself up to protect the main plant.
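The comment above describes rods that stay withdrawn only while active systems keep holding them, so that losing power, or anything else that stops the "hold" from being asserted, lets the passive path win. The following is an added example, not code from any plant or from the comment's author: an energize-to-run interlock in which every monitored channel must keep affirming that it is healthy, and a missing, stale or unhealthy report drops the hold and latches the trip. Channel names, the two-second timeout and the sample timeline are constructed for the demo.

```python
"""Energize-to-run interlock that fails closed by default (added example).

The hold is permitted only while every channel has affirmed recently and
nothing has reported unhealthy. Silence is treated as failure, the same way
a de-energized latch lets gravity and springs insert the rods. Constructed
channels, timings and timelines; not modelled on any real plant logic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOLD_TIMEOUT = 2.0   # seconds a channel may stay silent before the hold drops (assumed)


@dataclass
class Interlock:
    channels: Tuple[str, ...]
    last_ok: Dict[str, float] = field(default_factory=dict)
    tripped_at: Optional[float] = None
    trip_reason: str = ""

    def affirm(self, t: float, channel: str, healthy: bool) -> None:
        """A channel reports in. Only an explicit healthy report renews its hold."""
        if self.tripped_at is not None:
            return                       # latched: stays tripped until a deliberate reset
        if channel not in self.channels:
            return                       # unknown channels cannot vouch for anything
        if not healthy:
            self._trip(t, f"{channel} reported unhealthy")
            return
        self.last_ok[channel] = t

    def evaluate(self, t: float) -> bool:
        """True while 'hold' may stay energized; every channel must have affirmed recently."""
        if self.tripped_at is not None:
            return False
        for ch in self.channels:
            seen = self.last_ok.get(ch)
            if seen is None:
                self._trip(t, f"{ch} never affirmed")
                return False
            if t - seen > HOLD_TIMEOUT:
                self._trip(t, f"{ch} silent for {t - seen:.1f}s")
                return False
        return True

    def _trip(self, t: float, reason: str) -> None:
        self.tripped_at, self.trip_reason = t, reason


def run_timeline(reports: List[Tuple[float, str, bool]],
                 ticks: List[float]) -> Tuple[Interlock, List[Tuple[float, bool]]]:
    """Replay channel reports and periodic hold evaluations in time order."""
    lock = Interlock(("power", "coolant_flow", "pressure"))
    events = ([(t, "r", ch, ok) for t, ch, ok in reports]
              + [(t, "e", "", False) for t in ticks])
    events.sort(key=lambda e: (e[0], e[1]))      # "e" sorts before "r" at equal times
    held = []
    for t, kind, ch, ok in events:
        if kind == "r":
            lock.affirm(t, ch, ok)
        else:
            held.append((t, lock.evaluate(t)))
    return lock, held


def demo_silent_channel():
    """Constructed timeline: coolant_flow stops reporting after t=3 while the
    other two channels keep affirming; the hold must drop once it goes stale."""
    reports = []
    for t in (0.0, 1.0, 2.0, 3.0):
        reports += [(t, "power", True), (t, "coolant_flow", True), (t, "pressure", True)]
    for t in (4.0, 5.0, 6.0, 7.0):
        reports += [(t, "power", True), (t, "pressure", True)]
    ticks = [0.5, 1.5, 2.5, 3.5, 4.5, 5.5, 6.5]
    return run_timeline(reports, ticks)


if __name__ == "__main__":
    lock, held = demo_silent_channel()
    for t, ok in held:
        print(f"t={t:4.1f} hold={'ON ' if ok else 'OFF'}")
    print(f"tripped at t={lock.tripped_at}: {lock.trip_reason}")
```

Two properties are worth noticing. A channel that has never reported trips the interlock on the first evaluation, so a miswired or unconfigured channel cannot be silently "permissive"; and the trip latches, so a channel that comes back after the timeout does not re-energize the hold on its own. Both are the software analogue of the passive insertion the comment describes.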

Re:So, the computer notices things are wrong ... (1)

NewbieProgrammerMan (558327) | more than 5 years ago | (#27459031)

Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless.

... and the humans chose to ignore it? How is that the computer's fault?

Yeah I don't quite get that bit either. And they *did* have an entire room full of monitoring equipment, not just a solitary line printer, so I'm not sure the computer's involvement is as big as Cringely's making it out to be.

If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happened due to greed.

Well, no--the reactor was shut down automatically by the control systems at the outset of the incident. If I recall correctly, they were at near full power when some event caused a main turbine trip and then a reactor shutdown. Because of the sudden removal of steam load, and because the reactor continues to produce a lot of heat even after shutdown, the resulting temperature/pressure rise in the primary coolant system caused a relief valve to open.

This relief valve stuck open (and apparently nobody recognized this for quite some time), so eventually a steam bubble formed in the reactor vessel. As the pressure dropped, the coolant pumps began cavitating, so the operators shut them down to keep them from being damaged, and this removed the last major heat sink for the reactor. Then hot reactor still producing energy + no heat removal == meltdown.

It seems to me to have just been operators not recognizing the state of their plant, either because they weren't familiar enough with it, or because they didn't have the right information available to them. Greed probably had nothing to do with the actual incident itself, unless you count the effect on the operators of non-engineering-knowledgeable management showing up to micromanage the situation (and I haven't ever read anything that made me think that would really have mattered all that much).

Re:So, the computer notices things are wrong ... (1)

NewbieProgrammerMan (558327) | more than 5 years ago | (#27459157)

Ah, there's a better description of the incident here [wikipedia.org] , just so people don't have to take my crappy recollection at face value. :P

Re:So, the computer notices things are wrong ... (1)

DrBuzzo (913503) | more than 5 years ago | (#27459207)

If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happened due to greed.

You have absolutely no idea what you're talking about. "Oh yeah, must be that damn money hungry greed of those damn fat cats who ruin everything."

The plant WAS SHUT DOWN, Jesus get a clue, genius. The term for an impromptu or emergency shutdown is SCRAM. The control rods drop, fission stops, the reactor is shut down. That's exactly what happened.

After shutting down the reactor, the fuel rods still are hot, having the residual heat from the reaction. Add to this the heat from the rapid decay of short-lived fission byproducts and the rods are quite hot for a while afterward. Not a big deal though, just some moderate cooling, like some water to transfer the heat and it's fine. The problem was that a valve problem let the water out. So, despite the reactor being off, it had almost no cooling.

The result was no cooling means the fuel elements got too hot and the cladding broke down. The reactor vessel is designed with this possibility in mind. It contained the fuel just fine. It ruined the reactor core, but the reactor was shut down.

Re:So, the computer notices things are wrong ... (1)

marco.antonio.costa (937534) | more than 5 years ago | (#27459227)

Yea yea, greed causes everything bad. You and the other selfless people living in their mom's basements should be given the wheels of the world.

Bleh (4, Interesting)

NewbieProgrammerMan (558327) | more than 5 years ago | (#27458877)

U.S. Navy reactor operators, the sort who served under Jimmy Carter in the 1950s, were selected primarily for their temperament. ... their Navy job--as at TMI--was to follow the manual. All knowledge was inside the book. So knowing the book was everything. Unfortunately knowing the book isn't the same as knowing the reactor.

No. Just fucking no. There's a significant (and necessary) emphasis on following procedures and getting the books out for any planned change to the plant to make sure you're doing things right. But Cringely makes it sound like nuclear operators are just slightly trained mouth-breathers that only know how to look things up in the book and do what it tells them. I can't speak for the civilian training, but the Navy does NOT do things that way.

When something goes wrong, they depend on you having enough internalized knowledge about the plant, its controls, and its indicator systems to work out what's going on and (if necessary) do something about it. Once you've got stuff at least marginally under control, *then* you get the books out to check the applicable procedures to make sure you haven't forgotten something, and to figure out how to recover from whatever happened without causing any more problems.

The Navy puts a lot of effort into making sure their operators know how and why things work the way they do. They would never have got to the 21st century with the track record they have if all they did was train people to look at the book.

Re:Bleh (1)

notarockstar1979 (1521239) | more than 5 years ago | (#27458981)

I know when I went through Power School, then went to NNTP, they made me learn a ridiculous amount of crap that I never thought I'd use. Turns out I never used most of it. Looking back I am grateful they taught me all that they did (although I don't remember most of it now) because it could have saved my life and the lives of those around me.

Absolutely true (1)

Kupfernigk (1190345) | more than 5 years ago | (#27459247)

No mod points but your comment is insightful. I have worked with 3 ex nuclear sub people, one an engineer officer in the USN, one ditto in the RN, and one seaman officer. They were all trained to the Nth degree to do all the right things automatically, but had enough theory to be able to analyse and develop solutions to novel problems. Ships do not run, and wars are not won, by blind adherence to operating procedures.

Lessons from cryptography (1)

nroets (1463881) | more than 5 years ago | (#27458969)

In those days Congress passed a law banning computers from controlling the plant. Nowadays people think PBMRs are safer. Clearly a better solution is to allow engineers free rein, but require much more stringent reviews of proposed designs. Like the RSA cryptography challenges.

This time, it's not Congress' fault (1)

mkcmkc (197982) | more than 5 years ago | (#27459003)

This is just plain bad design, and not Congress' fault.

If this alarming system--with the same crappy design--had been "directly connected" to the controls, god knows what would have happened.

Re:This time, it's not Congress' fault (1)

DrBuzzo (913503) | more than 5 years ago | (#27459293)

This is just plain bad design, and not Congress' fault.

If this alarming system--with the same crappy design--had been "directly connected" to the controls, god knows what would have happened.

No. No. No. The "Alarm system" was connected to the controls, it forced a shutdown. Look, the way this system works is that it is based on the assumption that any error should, when in doubt, trigger a shutdown. It's known as automatic SCRAM. The system is based on a negative condition assumption. In other words, all systems must affirm operation or by default it shuts down.

An automated shutdown was initiated at TMI. That's not the problem. It is what happened after that. The operators falsely assumed that there was coolant in the core of the reactor, when in fact a mechanical problem had caused a valve to open and was letting it out. Had they known this, they would have either closed the valve or added more water or both. They didn't because there was no indicator for this.

The problem was not related to the reactor not shutting down when it should have - it was shut down.


Here's what it comes down to. There was a valve that had an indicator light to show whether it was open or closed. Only the light didn't actually say whether the valve was physically open or closed. It indicated whether the valve was *set* to open or closed. The valve was set to closed so the light said it was closed. The reality is that even though it was set to closed, it didn't close on command because of a mechanical issue. There was no command verification.

The second problem: The reactor did not have an indicator for the water level. It was supposed to, but they omitted it at the last minute in the design. It had a water pressure sensor that the operators read. They would infer the water level by the pressure. But this pressure sensor only worked when submerged. If the sensor was bare, out of the water, it returned a false value.

The operators were never informed of this. They were unaware that the pressure sensor could not be trusted if it might have been uncovered or that the valve light was not confirmed but just a command indicator.
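The two failure modes in the comment above, an indicator that echoes the command rather than the physical position and a sensor that returns a plausible number outside the conditions in which it is valid, are the same problem: a display that presents an assumption as a fact. The following is an added example, not code from the TMI plant or from the comment's author. It checks a valve's commanded position against an independent downstream temperature sensor (assumed for this example; the page does not describe such a sensor) and attaches a quality flag to every reading, so that an out-of-range value is rendered as unknown rather than as a number. Tag names, thresholds and sample readings are constructed.

```python
"""Command echo vs. verified state, with sensor quality flags (added example).

A panel light that shows what a valve was *told* to do is not evidence of
what it did. verify_valve() asks a second, independent sensor to agree or
disagree, and reports 'unverified' when that sensor itself cannot be
trusted. The downstream temperature sensor, thresholds and readings are
assumptions made for this demo, not facts from the page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Quality(Enum):
    GOOD = "good"
    BAD = "bad"          # taken outside the conditions under which the sensor is trustworthy


class Verdict(Enum):
    VERIFIED = "verified"      # independent evidence agrees with the command
    MISMATCH = "mismatch"      # independent evidence contradicts the command
    UNVERIFIED = "unverified"  # no trustworthy independent evidence at all


@dataclass(frozen=True)
class Reading:
    value: Optional[float]
    quality: Quality


def qualify(raw: float, lo: float, hi: float) -> Reading:
    """Range check: a raw value outside [lo, hi] is reported as BAD with no number,
    so a consumer cannot accidentally treat garbage as a measurement."""
    if lo <= raw <= hi:
        return Reading(raw, Quality.GOOD)
    return Reading(None, Quality.BAD)


def verify_valve(commanded_closed: bool, downstream: Reading,
                 hot_threshold_c: float = 100.0) -> Verdict:
    """Compare the commanded valve position with a downstream temperature
    (hypothetical sensor): a hot line means fluid is flowing, i.e. the valve is open."""
    if downstream.quality is not Quality.GOOD or downstream.value is None:
        return Verdict.UNVERIFIED
    flowing = downstream.value >= hot_threshold_c
    if commanded_closed == flowing:      # closed-but-flowing, or open-but-cold
        return Verdict.MISMATCH
    return Verdict.VERIFIED


def panel_line(tag: str, commanded_closed: bool, verdict: Verdict) -> str:
    """Render the indicator so that a bare command echo can never read as a fact."""
    cmd = "CLOSED" if commanded_closed else "OPEN"
    if verdict is Verdict.VERIFIED:
        return f"{tag}: {cmd} (verified)"
    if verdict is Verdict.MISMATCH:
        observed = "OPEN" if commanded_closed else "CLOSED"
        return f"{tag}: commanded {cmd}, sensor says {observed} ** MISMATCH **"
    return f"{tag}: commanded {cmd}, position UNKNOWN (no valid sensor)"


if __name__ == "__main__":
    # Constructed readings: the valve was told to close but the downstream line is still hot.
    stuck = verify_valve(True, qualify(280.0, -20.0, 400.0))
    print(panel_line("RELIEF-VALVE", True, stuck))
    # An out-of-range reading from the same sensor: no number is shown at all.
    dead = verify_valve(True, qualify(999.0, -20.0, 400.0))
    print(panel_line("RELIEF-VALVE", True, dead))
```

The point of `Reading.quality` is that the sensor's limits are carried with the value instead of living only in the designers' heads: the operators at TMI were not told when the pressure sensor stopped being meaningful, whereas here a consumer that ignores the flag cannot even get a number to misread.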

Regulation and Bean Counting (3, Insightful)

burnin1965 (535071) | more than 5 years ago | (#27459015)

Chemical plants were better designed than nuclear power plants in part because Congress did not legislate how the chemical industry designed their plants. But more importantly most chemical firms of that era had CEOs with engineering degrees. They had respect for the technology and the risk of misusing it. But that doesn't make the chemical industry blameless. With the off-shoring of manufacturing a lot of chemical production is now being done in places where there is little respect for the dangers of technology. The chemical industry's TMI was Bhopal. There will be more Bhopals coming because those companies are now being managed by bean counters, not engineers.

I wasn't there so I can't say Cringely is wrong about the government regulation of nuclear power, however, I have worked in the semiconductor industry which utilizes some of the deadliest chemicals known to man and there are mandated regulations from various government agencies, EPA, OSHA, etc., that result in the controls, interlocks, and containment systems used to make the industry safe. I'm also pretty sure that the issue in Bhopal was more a lack of regulation than a lack of respect for the dangers. There should have been powerful laws and inspectors to shut down the plant before it killed thousands.

Where we both do agree is on the belief that we can expect more Bhopal and economic meltdown events due to bean counter management. Over the past 20 years I've noticed a managerial shift towards a focus on cutting costs and less of a focus on the technology and science behind the manufactured products. In the past two years I've engaged in heated debates with peers and managers over the purpose and focus of engineering resources. It seems that decision makers are forgetting that the core of a technology based manufacturing corporation is the technology, not the cutting of fixed costs by reducing head count, wages, service contracts, etc. Accounting and business management are tools to support the core skills, they are not the core themselves. When accounting and business management undermine the ability of a technology based business to develop and manufacture the core technology of their business you can expect a gradual degradation of the business until it is no longer viable.

Just Plain Incompetence (1)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#27459025)

"Computers! Error! Component Failure! Congress! Unpredictable! etc, etc, etc." Excuses, excuses.

How hard can it be to monitor the temperature of a nuclear reactor? Apparently, this task is somehow beyond the competence of nuclear plant supervisors for some obscure reason. Blaming regulation is beside the point. A first year undergraduate engineering student would be able to build a reliable temperature monitor.

Re:Just Plain Incompetence (1)

NuclearError (1256172) | more than 5 years ago | (#27459193)

A first year undergraduate engineering student would be able to build a reliable temperature monitor.

Right. Because there are so many combinations of materials that can withstand temperatures in the thousands of degrees F and the intense neutron flux in a commercial reactor core for any prolonged period. Core status is measured by the temperature of the water entering and leaving the core - the core power can be calculated by how much the water heats up. Safety limits are usually given in terms of power, because the behavior has to be calculated.

Untrue (1)

Kupfernigk (1190345) | more than 5 years ago | (#27459309)

I'm sorry, you have not the slightest idea what you are talking about. I can assure you that a first year student in engineering would not have the least idea where to start in monitoring temperatures - you need multiple locations - inside a reactor.

You sir - how good are you on thermocouple alloys that don't mind neutrons and containments which can withstand not only neutrons but variable corrosive conditions at high temperatures? It's not just a matter of sticking a stainless steel jacketed thermocouple into an exhaust manifold.

If I had a dollar for every poster on Slashdot who has thought some area of engineering was simple due to simple ignorance on -almost always a his - part, I'd have....quite a lot of dollars.

Wolverine (0, Offtopic)

penguin_zoo (958185) | more than 5 years ago | (#27459041)

It was Wolverine

US Naval Academy Curricula (1)

tjstork (137384) | more than 5 years ago | (#27459047)

Uh, I think the guy is needlessly cynical. I know a lot of Navy guys that run our nukes and, they do know them inside and out.

"Worst Nuclear Accident in US History" (4, Insightful)

DrBuzzo (913503) | more than 5 years ago | (#27459153)

This has been called the worst accident in US history. A complete failure of control, whereby the operators were lacking the most important information and had zero situational awareness. The result being a loss of coolant causing the core of the reactor to essentially remain uncooled and exposed, resulting in complete breakdown of the fuel cladding and partial melting of the fuel with loss of fuel integrity.

The result: One severely damaged reactor vessel, zero deaths, zero injuries, zero homes or businesses destroyed, zero acres of land rendered uninhabitable or severely damaged, zero property claims to the surrounding communities.


And yet, this is remembered as demonstrating how *unsafe* nuclear energy is.

If only "disasters" involving coal mines, hydroelectric dams, oil and gas storage facilities and other energy sources could be so merciful.

Anyone remember Centralia?! (3, Insightful)

WidescreenFreak (830043) | more than 5 years ago | (#27459643)

God, I wish I had mod points for you.

I live about 15 miles away from TMI and I have for 20 years. I've never felt unsafe or felt like I was in danger. People seem to enjoy comparing TMI to being a potential Chernobyl, but there's simply no way that the two can even be compared.

On the other hand, head up to Centralia, PA where the whole town has been demolished because of a fire that has been running through the ignition of a natural coal vein. A fire ignited some coal, and now the whole town has been abandoned, homes have been razed, there are very few buildings to speak of, there are dangerous leaks of carbon monoxide and other lethal gases, the ground has swelled and cracked from the heat, and this fire is expected to last 250 years.

Now ... how much nuclear power is involved with Centralia? Ummmm.... NONE! A natural resource (accidentally ignited by humans) has destroyed a town completely. Personally, I put Centralia on a higher level of "disaster" than I do TMI.

I always viewed both as procedural failures (1)

Suzuran (163234) | more than 5 years ago | (#27459357)

In both cases (Chernobyl and TMI) procedure was violated or nonexistent for what the operators were trying to do. In Chernobyl's case, operational procedure was violated in several instances to conduct a test for which no procedure existed. In TMI's case, procedure was violated in tagging out pumps leading to a problem in which there was no procedure for diagnosis.

Neither plant would have been "inherently" unsafe or dangerous if operated within their design envelopes under established procedure. Once the humans violated procedure, their actions made their equipment unsafe.

Re:I always viewed both as procedural failures (1)

dunkelfalke (91624) | more than 5 years ago | (#27459553)

RBMK was inherently unsafe - a SCRAM operation may never ever produce a reactor explosion and this is what happened. Also, the reactor was operated within the original design envelope (I read the original manual). After the explosion the manual was heavily rewritten.

Re:I always viewed both as procedural failures (1)

calidoscope (312571) | more than 5 years ago | (#27459673)

A point about SCRAM on the RBMK - the initial insertion of the SCRAM caused an increase in reactivity - a very bad thing when the reactor had a positive void coefficient and a low delayed neutron fraction at the end of core life.

MOD PARENT UP!! (1)

Brett Buck (811747) | more than 5 years ago | (#27459793)

Exactly right, this reactor type is inherently dangerous, and moreover, you can't overcome something inherently dangerous with procedure.

Home Sweet Home (0)

ryanduff (948159) | more than 5 years ago | (#27459497)

I can look out my window and see the cooling towers. I'm about as close as you can get since I live on the river about 1.3 miles to the still active Reactor 1.

I figure if something happens, I'd rather go instantly than be walking around with a third arm for the rest of my life!

Wait... (-1, Redundant)

slimjim8094 (941042) | more than 5 years ago | (#27459505)

So there was a problem where the Text Mode Interface showed Too Much Information at Three Mile Island??

The TMI showed TMI at TMI

Government, what a shock (1)

Anenome (1250374) | more than 5 years ago | (#27459811)

I'm not surprised at all that the Three Mile Island breakdown was ultimately caused by government. Legislation tends to have unforeseen effects like this. I'm sure the builders would've loved to put in computer control and this tragedy would've never happened. When, when will we learn, when?

Government, get out of the way.
